The recent cyber-attack on JBS, the world’s largest meat supplier, raises the age-old question of paying ransoms, particularly when it is data and reputations at stake rather than someone’s life, such as in a kidnapping situation. We’ve also seen recently another high-profile ransom payment made by Colonial Pipeline, which has confirmed it paid a $4.4m (£3.1m) ransom to the cyber-criminal gang responsible for taking the US fuel pipeline offline.
It also highlights the simple yet critical importance of leaders developing a resilient mindset amongst their teams, as these events usually take weeks or months to resolve and can take their toll on individual well-being and effectiveness. Also of importance is being able to communicate effectively not only with the cyber Threat Actor (TA), but also with the rest of the Crisis Management Team (CMT), colleagues, customers, and other stakeholders in order to overcome the crisis and find a resolution.
This article captures some of my observations from coaching and advising leaders through dozens of cyber extortion attacks ranging from ransomware on small, family-run businesses to significant data thefts from some of the biggest organisations on the planet. The principles for resolving them are the same.
Getting A Grip
The initial response to any crisis should be decisive, with an intent to bring clarity and perspective to what is usually a chaotic and unclear situation. The most pressing issue for the CMT is to take 100 per cent responsibility for the situation and to accept the reality of what’s being faced. It’s also essential for leaders to remember that ‘calm is contagious’ and to provide clear direction before empowering their teams to deliver.
Intent and Capability
In any extortion, the two defining factors are the TA’s intent and capability. Firstly, has the TA demonstrated intent by demanding a specified ransom and deadline? Secondly, has the TA demonstrated capability by encrypting data as well as having the means to decrypt it? If we’re going to pay a ransom then we need to be sure we’re talking to the right person! Also, is this a targeted attack or merely a ‘low hanging fruit’ approach by the TA to see which organisation, out of hundreds, ‘bites’?
Understanding the TA’s intent and capability also helps in the next phase of conducting a Business Impact Analysis.
Business Impact Analysis
Is this a mere bump in the road or does it threaten the viability of the organisation itself? To make an accurate assessment, it’s crucial for leaders to consider a series of scenarios and determine the impact (‘pain’) to the organisation. Doing so articulates the severity and assists with options. Only by understanding what disclosure, deletion or an inability to access all the data will ultimately mean for the company, financially as well as reputationally, will the CMT be able to set and maintain an effective strategy.
Suggested Negotiation Strategy
In all cases of extortion, a negotiating strategy is developed in partnership with the CMT. Negotiation is based on the building of trust between the two parties so that at the end of the negotiation, the TA feels adequately compensated and will neither ‘double’ the victim nor carry out the threat through spite or for purposes of revenge. This is achieved rather counter-intuitively by demonstrating, where necessary, resistance to the extortionist’s demand and reducing expectations early.
The aim of instigating and continuing negotiation with the TA is to delay and buy more time in order to enable the client to close the entry point, eradicate all malicious components, secure the system, and make all necessary notifications to relevant stakeholders, as well as collating all funds required to pay any ransom.
However, in terms of cyber extortion, two things alter the bargaining framework:
a. The extortionist has already got the data and can either publish, refuse to provide decryption or be paid.
b. The extortionist usually sets a time limit.
These conditions restrict the ability of the victim to negotiate because the extortionist attempts to make the situation binary – pay everything, or I carry out the threat.
Likelihood of data recovery if payment made
In any cyber extortion, there can be no guarantees that decryption will be provided or any data obtained illegally will be destroyed or deleted once payment has been made. Indeed, the options available to the TA upon payment are to:
- Provide decryption
- Fade and not provide decryption
- Publish the data in the public domain
- ‘Double’ the client and continue the threat unless even more money is paid
However, in my experience and that of the broader business world according to open source intelligence, if a negotiation has been pursued diligently and with resolve, once a payment is made the chances of revenge, spite or being doubled are greatly reduced, and although there may be cases where this has happened, it will probably be found that extenuating circumstances prevailed.
Alternatives to paying a financial ransom
There are three main alternatives to paying immediately:
1. Ignore the demand and call the TA’s bluff, while running the risk of not decrypting the infected files in a timely manner or not being able to restore or rebuild a viable network
2. Communicate with the intent of giving any law enforcement investigation enough time, leads and evidence to apprehend and prosecute
3. Negotiate with the intent to pay but:
i. Negotiate to reduce the amount
ii. Build trust with the TA so that once the deal is done he is satisfied and does not ‘double’, publish or simply fade without providing decryption
iii. Negotiate to extend the deadline. Negotiate payments over the lifetime of the data so as to somewhat reduce the chance of a ‘double’ or later publication
Summary – To pay or not to pay?
“There are only two types of companies: Those that have been hacked and those that will be hacked.” – Robert S. Mueller, III. Former FBI Director
Whenever I am asked to come into an organisation to help develop resilience amongst their teams, it still surprises me just how unprepared some leaders are, through no fault of their own, to step up and navigate through significant crises, conflict or periods of uncertainty like we’ve seen over the last year.
Effective leadership in challenging times requires a quick response with the setting of clear, unambiguous strategies to achieve the desired outcome. The effective leader can then influence what should be a united, purpose-driven CMT to achieve this outcome, with the focus being on empowering others to become effective leaders too.
What I’ve found in my experience is that there is no better time than the present for organisations to get ahead of the game and ensure their leaders and teams are equipped for when the next crisis comes knocking. Because you can guarantee that, the moment it does, the timing, personnel, finances and resources will never be ideal.
Scott Walker is a former kidnap for ransom and extortion negotiator, who now coaches both emerging and senior leaders in how to develop a RESILIENT MINDSET, enhance their EMOTIONAL INTELLIGENCE and upgrade their COMMUNICATION skills to succeed.
This is done through:
- Compelling KEYNOTE TALKS
- One-to-one EXECUTIVE & TEAM COACHING
- CORPORATE TRAINING
All of which reduce conflict, increase empathy and enable more meaningful and productive conversations.