When Your Business is Taken Hostage

Getting the Call 

The suspect I’ve been surveilling has just posted a video on YouTube; he’s referring to himself as “God’s Lion” and threatening to wage a “holy war” on a K-12 boarding school as he loads a handgun in his camper. It’s late at night and, even though it’s my husband’s birthday, I’m on the phone with a judge coordinating the arrest warrant.

That’s when the call comes in. I answer and hear: 

"We have a KFR" - a kidnap for ransom.

It’s never a good time to receive the call that you’ve been thrown into a ransom negotiation.

For over fifteen years, I worked as a hostage negotiator for the FBI and led a team of negotiators who were deployed to kidnap-for-ransom scenarios around the world - a US citizen taken hostage by the Taliban, or a group of missionaries taken hostage by gang members in Haiti. I’ve sat in the living rooms of the hostages’ families for hours - sometimes months on end, working to reach a peaceful solution.

 

The Structure of Ransom(ware) Negotiations 

This dynamic of a bad actor communicating that they will kill an individual unless their family pays a ransom bears a striking resemblance to a bad actor threatening an organization's business continuity (by encrypting their files, publishing their private data, or both) unless its leadership pays a ransom.

The similarity of these dynamics creates a similar emotional atmosphere - the disbelief of becoming targeted and the anxiety of negotiating with existential stakes. People may think that ransomware negotiations are less serious because they do not directly threaten a person’s life. However, they do threaten livelihoods and fund the lethal activities of state actors.  

One of the first things we need to do in any type of ransom negotiation is to seek proof that the bad actors have what they claim to have. In a kidnapping, we ask for proof of life - that hostage takers do in fact have your loved one and that they are still alive. In ransomware negotiations, before even considering paying the ransom (which is less than ideal, complex, and requires public-private solutions), we need proof that the threat actors have:

  • Infiltrated our systems, which they demonstrate by sending a file tree of the files they removed and a security report detailing how they accessed the organization’s systems.

  • The ability to return access with a decryption key, which we verify by sending the threat actor two files to decrypt.  
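An added example, not part of the original article: one way a response team could check both proofs on its own side, assuming it holds a pre-incident file inventory and backup-derived SHA-256 hashes for the two test files. All paths, file names and contents below are constructed.

```python
import hashlib

def norm(path):
    # Windows shares are case-insensitive; compare on a normalized form.
    return path.replace("\\", "/").strip().lower()

def check_file_tree(claimed_listing, inventory):
    """Return (claimed paths found in our inventory, paths we cannot account for)."""
    known_paths = {norm(p) for p in inventory}
    claimed = [norm(line) for line in claimed_listing.splitlines() if line.strip()]
    found = [p for p in claimed if p in known_paths]
    unknown = [p for p in claimed if p not in known_paths]
    return found, unknown

def verify_samples(returned, baseline):
    """Compare each returned file with the SHA-256 recorded before the incident."""
    results = {}
    for name, expected in baseline.items():
        data = returned.get(name)
        if data is None:
            results[name] = "not returned"
        elif hashlib.sha256(data).hexdigest() == expected:
            results[name] = "match"
        else:
            results[name] = "mismatch"
    return results

# --- constructed sample data (assumptions, not from the article) ---
INVENTORY = {r"\\fs01\finance\2023\ledger.xlsx",
             r"\\fs01\hr\payroll.csv",
             r"\\fs01\legal\contracts\msa.docx"}
CLAIMED = r"""
\\FS01\Finance\2023\ledger.xlsx
\\FS01\HR\payroll.csv
\\FS01\RnD\designs.zip
"""
ORIGINALS = {"ledger.xlsx": b"constructed ledger contents",
             "payroll.csv": b"id,amount\n1,100\n"}
BASELINE = {n: hashlib.sha256(d).hexdigest() for n, d in ORIGINALS.items()}
# One file comes back intact, one comes back truncated.
RETURNED = {"ledger.xlsx": ORIGINALS["ledger.xlsx"],
            "payroll.csv": ORIGINALS["payroll.csv"][:10]}

if __name__ == "__main__":
    found, unknown = check_file_tree(CLAIMED, INVENTORY)
    print(f"{len(found)} claimed paths match inventory; unaccounted: {unknown}")
    print(verify_samples(RETURNED, BASELINE))
```

A byte-for-byte hash match is a stronger test than confirming that a returned file merely opens, and a claimed path missing from the inventory is a question to resolve before the listing is relied on.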

And just like we want to get a kidnapper’s assurance that the hostage(s) will be returned alive if the ransom is paid, we are also asking for a series of assurances from the threat actor:

  • That control of the system will be returned to their rightful owners.

  • That the victim organization’s data won’t be leaked. 

  • That the threat actor will not remain behind the victim’s firewall and exploit their data again. 

 

What is the likelihood a threat actor will actually return your data if you pay them?

It is important to question whether or not a victim organization should trust that their data will be returned; the premise of our interaction with the threat actor hasn’t exactly inspired trust.

However, it would appear that larger, more established threat actor organizations understand that they will be less likely to get paid if they develop a reputation for failing to follow through, whereas smaller, lesser-known groups might be more likely not to return access to a victim organization after the ransom is paid and to ask for another ransom.

 

Who You Gonna Call?

The best ransomware negotiation is the one you’ve avoided with robust cyber security measures. If you are confronted with a ransom demand, just like a hostage’s family, you shouldn’t go it alone.

In addition to law enforcement, consider an incident response (IR) team to analyze the profile of the threat actor and the ransom demand, to navigate the cryptocurrency field, and to monitor the dark web post-incident to ensure your information is not released in the future.

An experienced IR team can help to manage the internal and external negotiation tables at play (C-Suite, Board Members, IT, Legal, FBI, etc.), all of which shape your negotiation plan and final outcome.

A well-rounded IR team should help you: 

  • Decide if you are going to engage with the threat actors at all. There are numerous factors to consider when making this decision. What information do the threat actors have? How would the release of data affect business?  What is the state of your backups?   

  • Deploy strategic silence. Stalling for time will allow you to see if you can restore your systems on your own and provide the space to shift from reacting to responding strategically. 

  • Fortify your business. GroupSense offers a comprehensive package of services for assessing and responding to ransomware attacks. Get ransomware ready with their Ransomware Response Readiness Solution (R3S). 

  • Prepare your internal communication structure. The outcomes of any negotiation table have a great deal to do with the ability of organizations to communicate internally. Learn more at Mindful Negotiating.

Whatever your choice, weigh your options carefully and choose deliberately.  
