InfoGuard Cyber Security and Cyber Defence Blog

Cyber Incident: From Dialogue with Hackers to a Participatory Stakeholder Strategy

Written by Estelle Ouhassi | 12 May 2025

Cyber criminals operate according to supposedly "established market principles": hackers steal or encrypt company data and sell it back for cryptocurrency. From the attackers' point of view, this is a classic, entirely negotiable business model. The principle of avoiding dialogue with criminals has lost its validity in practice. A paradigm shift is underway.

InfoGuard's Computer Security Incident Response Team (CSIRT) actively engages in dialogue with the aim of assessing the attacker and gaining valuable time and information on the extent of the cyber attack. Ultimately, it is also about securing strategic advantages:

  • Time advantage: gaining leeway to make informed decisions.
  • Data clarity: attackers often reveal details of the stolen information.
  • Control: whoever communicates retains control.

Negotiating with cyber criminals: A balancing act

The primary goal of the CSIRT is getting systems back into operation and minimizing damage. If restoration from backups is not possible, the next option is negotiation. Specially created chat platforms are used to communicate with the cyber criminals. The dialogue is based on professional, respectful and tactical principles.

A successful tactic can drastically reduce the amount of ransom demanded.

Negotiation tactics in the shadow of the ransomware industry
  • Technical questions: targeted, technical queries allow the CSIRT to gain valuable time, because in order to answer them properly the negotiating partner often has to consult the operative perpetrators - the group that actually carried out the attack.
  • Phrases as a key to origin: although English is usually spoken in negotiations, language-specific phrases, such as Russian proverbs, can serve as an indicator of origin. If the negotiating partner does not catch them, this points to a different origin.
  • Profiling through details: the way someone names their files can reveal a lot about their origin and way of working. A minimalist name such as "1.txt" or a cryptic one such as "sdkfnv.txt" allows conclusions to be drawn about the person.
  • Bureaucracy as a tactic: because the Computer Security Incident Response Team (CSIRT) is not the decision-maker, it can state that it must first obtain management approval. This can prolong the conversation.

Figure 1: Bureaucracy as a tactical edge – slow down smartly to go faster.

Ransomware groups: Organization and reality behind the attacks

These groups operate with the professionalism of a company: clear management structures, specialized teams and their own HR department. We know from leaked chats of Russian ransomware groups that the working environment is rather unattractive: countless hours of overtime, high staff turnover and a modest salary of around CHF 2,000 per month are not unusual. The real profits presumably end up in the hands of top executives or organized crime.

What rules apply in the world of ransomware groups?

Despite their often anarchic appearance, many of the larger groups have internal rules that their members abide by - even if there are players and so-called "affiliates" who ignore these rules. Affiliates are hackers who use the infrastructure provided by ransomware groups for their own cyberattacks. A common rule: targets such as hospitals, schools or critical infrastructures are taboo.

Figure 2: Critical and public organizations usually get stolen data back.

Should an unintentional attack on such facilities nevertheless occur, the data is released free of charge.

Figure 3: A professional approach and objective tone can have a positive effect.

It is not clear whether these rules are followed out of ethical considerations or in an effort to attract as little attention as possible from law enforcement agencies. Presumably both motives work together.

There are also fixed guidelines for ransoms: one established ransomware group imposes specific demand guidelines on its partners, for example a minimum amount of three percent of the company's turnover and an upper limit of 50 percent for discounts.

Double extortion on the darknet: how the media increase the pressure on companies

Stolen company data is regularly found on the darknet. Even the threat of publication can exert enormous pressure on affected companies. Anyone who has ever dealt with the darknet knows that media professionals also monitor the relevant darknet platforms, for example when researching leaked data. Their coverage can further increase the pressure on compromised companies, and the situation escalates if the company has not yet made the security incident public. This is a perfect breeding ground for further escalation: the attackers intensify their threats and increase the pressure to negotiate. In double extortion, the threat is not only the public disclosure of confidential data; the criminal relevance of the compromise also gains weight.

From shock to successful crisis communication

Crisis communicators know: Clear, factual communication controls the narrative and minimizes reputational damage.

Figure 4: Successful negotiation can drastically reduce the ransom demand.

After a cyber incident, affected companies often fall into a state of shock, despite all crisis prevention measures. In recent years, however, there has been a noticeable change in reactions, reports a CSIRT negotiator: where there used to be deep dismay, there is now an increasing sense of sarcasm.

An often-heard mantra from breached companies: "We're in good company!" Such a relaxed approach can certainly have a positive influence on negotiations. However, 360°-oriented crisis communication is and remains essential for successful crisis management. It coordinates the dialogue with all relevant stakeholder groups: the crisis team, employees, customers, partners, the media and the authorities - and yes, also the attackers.

New ransomware tactics: Management increasingly targeted

There is a clear trend: ransomware attackers are increasingly targeting not only the company as an organization but also exposed individuals within it. Through targeted personal intimidation, they attempt to exert direct influence on decision-making processes, with the aim of accelerating ransom payments. To increase the pressure, they resort to means such as publishing private information (for example passport photos of management members) or contacting managers directly on their private telephone numbers.

From an incident response perspective, it is advisable for management not to get involved in communication with the perpetrators themselves. Professional negotiation minimizes risks - not least because even minor tactical carelessness can make it considerably more difficult to restore business operations (return to normal).

Key takeaway: Objectivity instead of emotion

When communicating with cyber criminals, one thing counts above all: clarity. A factual, professional dialogue and well thought-out tactics are crucial to maintaining control and overcoming the crisis. Emotional reactions or hasty commitments are out of place. An experienced incident response partner helps to make the right decisions, control the narrative and minimize reputational damage. Those who manage communication professionally can act confidently even in a crisis.

Confident in a cyber crisis thanks to professional incident response

Avoid panic in the event of a cyber attack and prepare your communication strategy for a possible security incident. We support you in this.

In a customized workshop, we work with you to develop a detailed emergency plan that covers all the important steps, from immediate measures through crisis management to the recovery of your IT infrastructure.

With the help of tried-and-tested templates and based on many years of experience from hundreds of cyber incidents, we ensure that your company remains capable of acting in an emergency and continuously optimizes its security strategy. Our incident response team at the ISO 27001-certified Cyber Defense Center (CDC) is there for you - quickly, discreetly and with the necessary experience. Get in touch today.
Image caption: Image generated with AI