Opening lines of communication with ransomware actors is the best way to deliver a positive outcome from an event that will be “the worst day of the IT team’s lives,” a leading negotiator has claimed.
Dan Saunders, director of incident response EMEA at Kivu Consulting, revealed that just 30% of the firm’s negotiations with threat actors over the past year have actually led to the victim paying.
“There’s a common misconception around engaging threat actors and that is if ‘we’re going to engage them, we’re going to reach a financial settlement.’ But that is not the case,” he said.
“By engaging the threat actor you can take control of the situation, implement some mitigations and prevent any further escalation.”
This escalation could include aggressive behavior such as “swatting” – threatening to send SWAT teams to employees’ homes, Saunders said.
Engagement can help the breached organization collect actionable intelligence from their extortionists to better understand root cause, as well as to buy time for further forensic investigation and establishing a crisis comms team.
“If our name was to be published, do we have reactive/proactive communications at the ready to deal with the flurry of inbound queries that are going to occur?” said Saunders.
“It’s highly likely that security researchers and journalists will be assessing those leak sites.”
However, victim organizations must ensure their operational security is up to par, in case threat actors are inside the network and monitoring their response to the incident, Saunders warned.
“If you’re not 100% sure, you need to establish an out-of-band communication method that enables you to maintain control, visibility, and not show your hand early on to the threat actors, because they do not like dealing with third-party negotiators,” he said.
Time to Get Proactive
Ultimately, better preparation for a ransomware event will help to reduce the business impact, and this requires collaboration across the organization, Saunders argued.
“We all have playbooks for how to respond to ransomware attacks, trusted service providers and our IT teams, but can we bring other stakeholders in place? It’s not an IT issue,” he continued.
“We need to consult our incident response plans. We need to exercise these events. Can we bring the boardroom around a table and take them through a cyber extortion event and say ‘in the event that this occurs, how would we approach this? What is our policy?’”
This proactive approach should begin by understanding exactly what assets the organization manages, where data is stored and how well it is protected and backed up. This will help investigators understand the risk exposure of the organization post-attack, and which parties may need to be notified of a data breach.
“One of the biggest hurdles we run into is legacy data. Systems that potentially shouldn’t have resided in the IT network and data on them that should no longer be there,” Saunders concluded.
“So, we need to explore these things more as an organization to understand our network architecture; what are our key assets, where our data is stored, what is the classification of that data, and what the impact would be if that data was to get out there.”
The need to deploy best practices pre- and post-incident has even greater urgency given the string of major ransomware attacks that have come to light in recent weeks.
Victims included big-name retailers and fashion brands such as Marks & Spencer, Co-op, Harrods, Dior, Adidas and – just this week – Cartier and The North Face.