Negotiation in bad faith.
By Rachel Gelfand, CyberWire staff writer
Jun 8, 2023

Promises in the dark (web)....

Ransomware gangs act on a moral compass that’s ambiguous at best. So can they ever be taken at their word?

Cl0p’s recent promises to Nova Scotia.

Experts say probably not. CBC Canada reported yesterday that the Cl0p gang, said to have the personal data of as many as 100,000 Nova Scotians after an exploitation of the MOVEit file-sharing system, claimed they’ve deleted all government data from their site. Private company data, however, remained fair game, and Cl0p wants to be paid before June 14th.

Emsisoft threat analyst Brett Callow wrote in an email that “Clop’s claim to have deleted data belonging to public sector bodies should be assumed to be false .. There is no reason for a criminal enterprise to simply delete information that may have value.” And even if it were deleted, he reminds us, they still conducted the breach in the first place.

A growing disposition on the part of SMBs to pay ransom.

Businesses today aren’t exactly making it difficult for ransomware attackers, either. TechRadar writes that the number of small and medium-sized businesses (SMBs) in the United Kingdom deciding to cough up the cash when victimized in a ransomware attack has increased significantly over the past year. According to a Censornet report, the shift toward giving in seems to stem from companies’ general inability to manage their cyber threats. Email attacks were the primary vector against companies in the past year, and the research shows that firms would benefit from better, more widespread threat solutions.

How negotiations with ransomware gangs proceed.

A story from the Hacker News details how to manage these threats, and the team and procedures you should have in place. The outlet compares the management of a ransomware crisis to that of a hostage situation, and recommends creating an implementable crisis management plan.

A recommended crisis management plan includes a crisis manager, who covers and coordinates “the technological, business and legal tracks.” This covers everything from forensic and investigative remediation on the technological side, to the company’s PR, and finally, to the legal and regulatory considerations that will follow. Next, there should be a decision-making group or individual who makes the decisions based on the information received from the crisis manager. A professional negotiator, capable of identifying the scope of the attack, profiling the threat actor, and letting the decision makers know their options, also plays a significant role. This negotiator can help define the negotiation terms, whether for time, information, or a lower required payout.

And above all, call the cops.

Establishing a relationship with law enforcement early on is imperative. Getting cyber insurance coverage specifically for ransomware as early as possible (ideally, prior to any attacks) can be helpful as well.