Organisations that fall victim to a ransomware attack shouldn't let the cyber criminals know they have cyber insurance – because if the attackers know that their victim holds an insurance policy, they're more likely to outright demand the ransom payment in full.
Cybersecurity researchers at Fox-IT, part of NCC Group, examined over 700 negotiations between ransomware attackers and ransomware victims in order to analyse the economics behind the digital extortion attacks that demand a ransom payment – often millions of dollar in Bitcoin – in exchange for the decryption key.
They found that if the victim has cyber insurance and that the attacker knows about it, then there's little manoeuvre for negotiating for a smaller ransom payment, because the attackers will exploit the existence of the cyber insurance to cover the payment they're demanding.
SEE: A winning strategy for cybersecurity (ZDNet special report)
"Look, we know about your cyber insurance. Let's save a lot of time together? You will now offer 3M, and we will agree. I want you to understand, we will not give you a discount below the amount of your insurance. Never. If you want to resolve this situation now, this is a real chance," said a chat message from an unspecified ransomware gang, according to the research.
In this case, the attacker set the fee in the knowledge of the cyber-insurance plan, leaving the victim without any real platform for attempting to negotiate a lower ransom payment.
Another note from an unspecified ransomware operator appears to show that the cyber criminals have set a significant ransom demand because they know about the victim's cyber-insurance policy – seemingly after the victim claimed they couldn't afford to pay.
"Yes, we can prove you can pay 3M. Contact your insurance company, you paid them money at the beginning of the year and this is their problem. You have protection against cyber extortion. I know that you are now in trouble with profit. We would never ask for such an amount if you did not have insurance," said the attacker.
A company could still claim that the insurance company wouldn't pay for the ransom demand, but it's unlikely to be accepted as the truth by the attacker.
While researchers suggest telling the ransomware attacker about a cyber-insurance policy isn't a good move for negotiations, there's also the possibility that the attacker could find out about any cyber insurance the company has themselves once they're inside the network ahead of the ransomware attack.
"Preferably also do not save any documents related to it on any reachable servers," warn researchers.
Cyber insurance has become a way for victims to deal with the damage of a ransomware attack, but as Fox-IT's research shows, knowledge of it can put criminals in an even more powerful position for demanding payment – especially if the insurance holder doesn't have good cybersecurity in the first place.
One answer could be that organisations that want to take out a cyber-insurance policy are required to meet certain requirements around cybersecurity before the provider can agree to issue it.
"It's a really difficult debate in which I think there are definitely some advantages to having cyber insurance, but only if there are certain thresholds for a company to get it," Pepijn Hack, cybersecurity analyst at Fox-IT, told ZDNet.
"Those thresholds can be an incentive to get a better grip on your cybersecurity awareness and your what your entire organisation's cybersecurity is right now," he said.
However, this path could also be problematic because if businesses do fall victim to a cyberattack, and they don't have cyber insurance, then it could be extremely damaging.
"Some cyber-insurance service companies have found out that people get hacked a lot, so it's become became really expensive and now they're just stopping to give any cyber insurance at all, which I also don't think is the right solution," said Hack.
"It has to be some some kind of middle ground – and I think we'll get there eventually," he said.
While paying a ransom to cyber criminals is generally not recommended because it encourages further attacks, after analysing hundreds of negotiations, Fox-IT researchers offered some suggestions around what to do if your business is hit with ransomware.
That approach starts with preparing employees on how to react to a ransomware attack and crucially not clicking links in any ransom notes, so as to not prematurely start negotiations by setting the hackers countdown running.
"The first thing any company should teach their employees is not to open the ransom note and click on the link inside it... the timer starts to count when you click on the link. You can give yourself some valuable time by not doing this. Use this time to assess the impact of the ransomware infection," the researchers said.
This time provides the response team with a chance to examine what infrastructure has been hit and what impact it has had on operations, allowing the victim to retake some degree of control over the situation.
Before starting negotiations, it's also useful to know what your end goal is – can the organisation restore from backups, or will a ransom have to be paid? If the victim is willing to pay a ransom, they should have an idea about what the maximum they'd pay would be.
Research into the attacker can also help prepare victims for negotiations. It's possible that a free decryption tool for that particular strain of ransomware is available, preventing the need to pay a ransom at all.
Examining research papers and media reports about the ransomware group can also provide information on how reliable they are at actually providing a decryption key and if they'll engage in other tactics to try and force a payment, such as DDoS attacks, calling your customers or stealing and leaking data.
When it comes to actually engaging in negotiations, researchers state that it's important to be respectful and professional – it's understandable that victims will be angry, but antagonising the attacker is unlikely to help the negotiation strategy. Meanwhile, being polite can help – in one example detailed in the blog post, a victim negotiated a ransom down from $4m to $1.5m.
Many ransomware attacks try to pressure victims into paying within a set period, often with the threat of leaking data if they don't. However, researchers suggest that attackers are almost always willing to negotiate an extended window – after all, they want the money, they've taken the time to infect the systems, so they're likely to be willing to wait a little longer.
There's also the option of trying to convince the attacker that you can't pay the ransom, but if the attacker has access to the network, they may be able to see financial documents or cyber-insurance policies – and likely have a figure in mind based off that document that will be the basis for negotiations.
MORE ON CYBERSECURITY
- Ransomware attackers targeted this company. Then defenders discovered something curious
- Ransomware gangs are now rich enough to buy zero-day flaws, say researchers
- Ransomware is now a giant black hole that is sucking in all other forms of cybercrime
- The ransomware threat is getting worse. But businesses still aren't taking it seriously
- Ransomware: It's a 'golden era' for cyber criminals - and it could get worse before it gets better