
Ransomware Series (Part 4): Interaction with the Threat Actor

Ransomware attacks have become a common threat for organisations of all sizes, where threat actors demand payment in exchange for the safe return of the organisation's encrypted data. When negotiating with threat actors in the aftermath of a ransomware incident, there are several key considerations to keep in mind.

Firstly, it is important to understand that paying a ransom does not guarantee the safe return of your data. In some cases, threat actors may take the payment and then fail to provide working decryption keys. Additionally, paying a ransom may encourage threat actors to target your organisation again in the future, as it marks you as an organisation that pays.

However, it is also important to consider the potential financial impact of not paying a ransom. If the encrypted data is critical to the operations of your organisation, the costs of losing access to that data may far outweigh the cost of paying a ransom.

Another important consideration is the role of insurance. Check with your insurance provider whether your policy covers the cost of a ransom payment and/or the potential loss of data. If insurance will not cover payment, you are still able to go down this path as an organisation, but seek legal advice before doing so: depending on your jurisdiction and on who the threat actor is, a payment may carry regulatory or sanctions risk.

Other considerations when deciding whether to pay a ransom are the impact on business operations and the impact on client privacy and on individuals outside your business whose data may have been taken.

Before negotiating with threat actors, it is essential to have a clear understanding of the value of the data that has been encrypted and of your organisation's ability to recover it without paying the ransom. It is also important to have a plan in place for both paying and not paying. In either case, work with a reputable forensic IT company that has experience dealing with ransomware incidents and can assist in assessing the situation and determining the best course of action.

If you decide to communicate or negotiate with the threat actor, work with your forensic IT partner to ensure the communications are secure, and use a standalone machine or device that is isolated from your network. You are corresponding with a cybercriminal and should not blindly trust anything you are sent: treat every link, attachment or decryption tool as potentially malicious until it has been checked.

Do not let emotion get in the way of your communications; be professional and respectful. Remember this is work for them, not a personal attack on you.

Don't be afraid to negotiate. They are interested in being paid, so treat the initial demand as a starting point and try to work down to something more palatable.

A recent example of why being respectful is important:

Negotiations were underway with a threat actor as the client had no backups or ability to recover without payment. Facilitating the negotiation on behalf of the client, we advised the TA of our client's financial situation and offered 30% of the requested amount, to be paid by midday the following day. The offer was accepted, payment was made, and the data was returned. The threat actor sent us an email after the payment stating they had enjoyed our discussions and had thought about password protecting the returned data for double extortion, but had changed their mind.

The key takeaways from this blog post?

1. Payment of the ransom may be the quickest solution to recover from an attack and get back to 'normal'.

2. Know where you stand with insurance and what is included in the cover. (Your insurance broker's contact details should be within easy reach.)

3. Don't be afraid to start a conversation with the threat actor.

Forensic IT provides a range of services to help businesses protect against and respond to ransomware attacks. These services include security reviews to identify potential vulnerabilities and incident response planning to ensure that businesses are prepared to handle a crisis. We have the expertise and experience to help businesses understand their risk and take the necessary steps to protect against it.

If you would like to learn more about our services or discuss your specific needs, please contact us.
