An RSA conference speaker offered ways for ransomware victims to leverage negotiations and transactions with threat actors and acquire more than just a data decryption key.
Jibran Ilyas, managing director of incident response at Mandiant, part of Google Cloud, spoke during a session titled "Ransomware 101: Get Smart Understanding Real Attacks" at the RSA Conference 2023. During the session, Ilyas outlined the ransomware lifecycle, based on real attacks that Mandiant responded to, and offered advice and tips for companies that find themselves with encrypted systems.
Part of that advice was making counterdemands to the ransomware actors and -- potentially -- making the best of a bad situation by receiving more for your money than just partially decrypted data.
Threat actors lay out what they see as a clear bargain for victims, but Ilyas referred to ransomware operations as businesses that will "mostly" fulfill their end of the bargain. As such, it's worth negotiating with the ransomware gang to see if they will meet counterdemands in exchange for getting paid quickly.
"The more organized they are, the more they comply, because they don't want a reputation that they don't live up to their part of the deal," Ilyas said.
The demonstration included a real ransomware note that included polite language regarding support -- but also direct threats. "They're very nice, they're trying to hold your hand, and they're trying to say, 'Hey, we're kind of like your pen testers, but if you don't pay up, this is what we'll do,'" Ilyas explained.
Ilyas outlined some of the factors that organizations might weigh when deciding to meet hackers' ransom demands, assuming that data will be returned upon agreement. Those factors include the possibility of solitary data recovery, the sensitivity of the stolen data, the threat actor's reliability or reputation, whether the threat actor is currently sanctioned by the U.S. government, the threat actor's current access to the system, and the organization's ability to cover the claim with cybersecurity insurance.
Counterdemands in action
With the decision to make a ransomware payment, Ilyas presented counterdemands that victims should employ to make the most of the attack by improving their security posture, increasing their understanding of cybercriminal behaviors and sweeping the affected systems.
"If you happen to be in an unfortunate situation that you have to pay up, you can get all of these demands fulfilled," Ilyas said.
Those counterdemands include providing an "intrusion report" that shows how the attackers gained access to the environment and a timeline of the attack; providing all exfiltrated data including links to exfiltrated data upload sites; and erasing the victim's data from all locations, with proof of deletion.
Ilyas described a multimillion-dollar negotiation he facilitated with a threat actor during which he told the adversary that they must provide an intrusion report. Ilyas received a 24-page report, detailing information such as the passwords stolen and how the system was infiltrated.
With intrusion reports, companies could gain insight into where defenses need to be strengthened as well as the tactics the cybercriminals exercised to target systems, which could save valuable time for incident response teams.
Ilyas noted that victims can also demand that attackers have exited the environment as well as provide proof of deleted backdoors and other persistence. They can ask for specification of the data exfiltrated and proof that the stolen information was deleted.
Moreover, ransomware victims can request the removal of any records of the negotiation and demand that the threat actors delete all their communications, including emails and chat transcripts.
Ilyas concluded the session by recommending that organizations create a core team that will pick the companies that will respond to a ransomware attack, from cybersecurity vendors and incident response providers to communications firms and cyber insurance carriers. He also encouraged the audience to run tabletop exercises for ransomware attack scenarios with both the executive and technical teams.
Alexis Zacharakos is a student studying journalism and criminal justice at Northeastern University in Boston.