Commentary: ‘We won’t pay’ - ransom negotiations in cyberattacks aren’t so straightforward
A ransomware task force in Singapore has recommended that it be made mandatory for companies to report ransom payments. Sygnia’s vice president of cyber security service in APAC weighs up the considerations behind ransom payments.
SINGAPORE: Today's threat landscape is constantly evolving, with ransomware attacks becoming more pervasive and the motive of threat actors becoming increasingly complex and manipulative.
Attacks are also becoming very common and frequent - with a ransom demand being inevitable in most cases. Just recently, attackers demanded a ransom from a game development company that refused to pay. At the same time, a giant media publication and an international F&B chain suffered operational disruptions due to ransomware attacks.
Historically, ransomware has been a way for threat actors to make straightforward and efficient financial gains. Nowadays, threat actors are also focusing on maintaining their own "business reputation".
In addition, countries are also getting involved in the ransomware game with the goal of espionage and wreaking havoc - they're less concerned with the money-making and business aspect of it all and more focused on intelligence gathering and generating chaos.
TO PAY OR NOT TO PAY
As ransomware attacks become increasingly complex and sophisticated, deciding whether or not to pay a ransom becomes correspondingly more complicated. Regardless of whether you decide to pay, however, it is crucial to be prepared to negotiate with threat actors: negotiation means securing the best possible terms and achieving a favourable outcome despite the inherent untrustworthiness of the attackers involved.
Ransom crisis management is an asymmetric battle: the threat actor is fighting a battle it is familiar with, while the victim is probably dealing with one for the first time. In this context, negotiation is a dangerous engagement, and it becomes even more complex when the threat actor is seeking revenge on top of payment.
It is difficult to definitively say what proportion of ransomware victims globally eventually decide to pay, although some reports in 2021 estimate it as high as two-thirds.
THE DECISION TO PAY IS COMPLEX
Paying a ransom may seem like the most sensible course of action to solve the problem. However, it is paramount to consider the potential repercussions and long-term consequences to businesses.
There is no guarantee that paying the ransom will undo the damage, and it may even incentivise attackers further by demonstrating a willingness to meet their demands. Hence, security teams need to work closely with the management team to ensure that essential business decisions consider these potential risks.
Companies must consider not only the ransom amount itself but also what it costs to repair the damage caused by the attack.
In many cases, the cost of the ransom is only a fraction of the costs incurred to the company, with one study estimating the total cost of mitigating an attack to be, on average, seven times the extortion amount, which includes the potential damage to the company's reputation and legal liabilities.
If the threat actor's intent is to create an atmosphere of terror or fear, or to disrupt an economy, paying the ransom is probably not the best decision. This is especially true where there is significant geopolitical unrest. Additionally, governmental entities (and in many cases, government-owned entities) generally have a policy of not paying a ransom, whatever the threats.
The overall damage depends on several aspects - the cost of the service outage, reputational harm and regulators' fines, among others. When it comes to data loss, the risk largely depends on the data's sensitivity. For example, email addresses and names are far less valuable to attackers (and less risky for the victim) than identification cards, passport copies or medical records.
In such cases, assuming the threat actors understand the importance of the data they hold, they will probably demand a higher ransom. For instance, an IBM report indicates that a breach in the healthcare industry can provoke a demand for more than twice the amount of a breach in other sectors.
Ransomware gangs often take great care to determine the value of their demands. An analysis of the chat logs of one such gang showed that they would meticulously estimate a target company's revenue using publicly available sources. They would then ask for a percentage of that revenue (for example, from less than 1 per cent up to 5 per cent, with higher rates assigned to companies with lower sales). Their goal is to make it as easy as possible for companies to decide to pay the ransom.
NEGOTIATE - EVEN IF YOU DON'T INTEND TO PAY
Irrespective of whether a company decides to pay the ransom, it is usually a good idea to negotiate with the attackers. But most CEOs and chief financial officers have never dealt with a threat actor. For this reason, they should engage a professional negotiator who knows what to say and what not to say, and who better understands which tactics to deploy.
If executed well, the negotiation can gain time and help victims build a profile of the attacker to piece together who attacked them, what information they have, and what their end goal may be.
Deciding not to pay the ransom may be the right course at a given time, but that may change as victims learn more about the circumstances of the attack. If handled poorly, the threat actor might end the negotiations, believing they are wasting their time, and humiliate or embarrass the victim.
However, some argue that companies who are willing to pay ransoms are creating an attractive proposition that encourages even more cybercriminals to join the fray.
Over the years, several governments have considered banning ransom payments. In the wake of the recent Medibank and Optus cyberattacks, Australia's Home Affairs Minister, Clare O'Neil, has said that the Australian government would consider making it illegal to pay a ransom to cyberattackers.
Hypothetically, reducing the number of ransom payments to dampen attackers' demands may seem like basic economics. Still, if the cost of paying the ransom is less than the damage the attack causes and payment makes sense in a specific case, such legislation might instead hinder efforts to mitigate the impact of attacks and minimise the cost of that particular breach.
Another issue is that, for some multinational companies, a ban on paying in one country won't make sense if they are permitted to pay in another country in which they operate.
In Singapore - which saw a 54 per cent rise in the number of ransomware cases between 2020 and 2021 - the Counter Ransomware Task Force published its first report in November 2022 suggesting that it be made mandatory for companies to report ransomware payments.
Despite the ever-evolving nature of ransomware attacks and the varied motivations of threat actors, the human element of being able to negotiate effectively remains an essential factor. Successfully negotiating with attackers is crucial to the outcome of an attack.
To navigate the risks of negotiating with threat actors, companies must evaluate the risks and benefits of paying a ransom or exploring alternative options. The decision is ultimately a financial and risk management one, requiring a careful assessment of the ransom amount vis-a-vis the potential business costs associated with the damage should the company decide not to pay.
Guy Segal is Vice President of Cybersecurity Service, APAC, at Sygnia.