Cyber criminals operate according to supposedly "established market principles": hackers steal or encrypt company data and sell it back for cryptocurrency. From the attackers' point of view, this is a classic, entirely negotiable business model. The principle of avoiding dialog with criminals has lost its validity in practice. A paradigm shift is underway.
InfoGuard's Computer Security Incident Response Team (CSIRT) actively engages in dialog with the aim of assessing the attacker and gaining valuable time and information on the extent of the cyber attack. Ultimately, it is also about securing strategic advantages.
The primary goal of the CSIRT is getting systems back into operation and minimizing damage. If restoration from backups is not possible, the next option is negotiation. Specially created chat platforms are used to communicate with the cyber criminals. The dialog is based on professional, respectful and tactical principles.
A successful tactic can drastically reduce the amount of ransom demanded.
Figure 1: Bureaucracy as a tactical edge – slow down smartly to go faster.
These groups operate with the professionalism of a company: with clear management structures, specialized teams and their own HR department. We know from leaked chats from Russian ransomware groups that the working environment is rather unattractive: countless hours of overtime, high staff turnover and a modest salary of around CHF 2,000 per month are no exception. The real profits presumably end up in the hands of top executives or organized crime.
Despite their often anarchic appearance, many of the larger groups have internal rules that their members abide by - even if there are players and so-called "affiliates" who ignore these rules. Affiliates are hackers who use the infrastructure provided by ransomware groups for their own cyberattacks. A common rule: targets such as hospitals, schools or critical infrastructures are taboo.
Figure 2: Critical and public organizations usually get stolen data back.
Should an unintentional attack on such facilities nevertheless occur, the data is released free of charge.
Figure 3: A professional approach and objective tone can have a positive effect.
It is not clear whether these rules are followed out of ethical considerations or in an effort to attract as little attention as possible from law enforcement agencies. Presumably both motives work together.
There are also fixed guidelines for ransoms: one established ransomware group imposes specific demand guidelines on its affiliates, for example a minimum amount of three percent of the victim company's turnover and an upper limit of 50 percent for discounts.
Stolen company data is regularly found on the darknet. Even the threat of publication can exert enormous pressure on affected companies. Anyone who has ever dealt with the darknet knows that media professionals also monitor the relevant darknet platforms, for example when researching leaked data. Their coverage can further increase the pressure on compromised companies, and the situation escalates if the company has not yet made the security incident public. This is a perfect breeding ground for further escalation: the attackers intensify their threats and increase the pressure to negotiate. In the course of this double extortion, there is not only the threat of public disclosure of confidential data; the criminal relevance of the compromise also gains weight.
Crisis communicators know: Clear, factual communication controls the narrative and minimizes reputational damage.
Figure 4: Successful negotiation can drastically reduce the ransom demand.
After a cyber incident, affected companies often fall into a state of shock, despite all crisis prevention measures. In recent years, however, there has been a noticeable change in reactions, reports a CSIRT negotiator: where there used to be deep dismay, there is now an increasing sense of sarcasm.
An often-heard mantra from breached companies: "We're in good company!" Such a relaxed approach can certainly have a positive influence on negotiations. However, 360°-oriented crisis communication is and remains essential for successful crisis management. It coordinates the dialog with all relevant stakeholder groups: the crisis team, employees, customers, partners, the media and the authorities - and yes, also with the attackers.
There is a clear trend: ransomware attackers are increasingly targeting not only the company as an organization, but also exposed individuals within the company. Through targeted personal intimidation, they attempt to exert direct influence on decision-making processes with the aim of accelerating ransom payments. To increase the pressure, they resort to means such as publishing private information, for example passport photos of management members, or contacting managers directly on their private telephone numbers.
From an incident response perspective, it is advisable for management not to get involved in communication with the perpetrators themselves. Professional negotiation minimizes risks - not least because even minor tactical carelessness can make it considerably more difficult to restore business operations (return to normal).
When communicating with cyber criminals, one thing counts above all: clarity. A factual, professional dialog and well thought-out tactics are crucial to maintaining control and overcoming the crisis. Emotional reactions or hasty commitments are out of place. An experienced incident response partner helps to make the right decisions, control the narrative and minimize reputational damage. Those who manage communication professionally can act confidently even in a crisis.
Avoid panic in the event of a cyber attack and prepare your communication strategy for a possible security incident. We support you in this.
In a customized workshop, we work with you to develop a detailed emergency plan that covers all the important steps, from immediate response measures to crisis management and the recovery of your IT infrastructure.
With the help of tried-and-tested templates and based on many years of experience from hundreds of cyber incidents, we ensure that your company remains capable of acting in an emergency and continuously optimizes its security strategy. Our incident response team at the ISO 27001-certified Cyber Defense Center (CDC) is there for you - quickly, discreetly and with the necessary experience. Get in touch today.
Image caption: Image generated with AI