
When It Comes to Ransomware Mitigation, Selecting the Right Negotiator Is Essential

by PaymentsJournal
February 16, 2023
in Featured Content, Fraud, The PaymentsJournal Podcast
https://media.blubrry.com/paymentsjournal/paymentsjournal.com/wp-content/uploads/2023/02/Javelin-001-006-Final-Draft-NEW.mp3


Ransomware attacks are hitting financial institutions big and small, and show no signs of abating. When companies suffer ransomware attacks, they typically turn to their legal counsel or insurer for advice about how to choose a good ransomware negotiator. When small businesses, in particular, are hit, they often turn to their primary financial institution for ransomware-response guidance. That’s because they’re unsure of which negotiation service is the right fit. Ransomware negotiation is a niche industry, as it involves direct interaction with the criminals who wage ransomware attacks.


In recent months, Javelin Strategy & Research’s Tracy Kitten, Director of Fraud and Security, and Alexander Franks, Fraud and Security analyst, conducted research into the industry around ransomware negotiation. They found that many financial institutions didn’t know much—or, in some cases, anything—about the ransomware negotiation companies they refer to their clients. Oftentimes, FIs just know negotiators by word of mouth from outside lawyers and insurance providers.

In a recent podcast, PaymentsJournal sat down with Kitten and Franks to discuss the main findings of their report. They provided an overview of what companies should look for when choosing a ransomware negotiation company and how companies in that specialty differ in the resources they offer.  

What to Do When Ransomware Hits

Kitten explained that Javelin’s research is really focused on the basics: Who are the players and what should customers ask of them? “So, it’s a very niche part of the ransomware mitigation landscape,” Kitten said. “But a very important one and one that we found really is kind of at the crux of ransomware mitigation.”

Financial institutions are indirectly impacted when ransomware attacks strike their commercial customers.  Franks noted that when a company looks for a ransomware mitigation specialist, it needs to ask about three main things: capacity, culture, and collaboration. Ransomware negotiation providers differ in those aspects, so asking about them can mean the difference between paying a ransom and avoiding a loss.

Ransomware negotiators also differ in what they are capable of doing—or willing to do—for clients. Franks suggested that prospective clients ask negotiators about helping with payments, helping with the handling of cryptocurrency, explaining how payments will work, providing legal support, and outlining the languages negotiators on staff are fluent in.

The language factor is essential. To get the best settlement, a negotiator needs to speak the language of the criminal. “Not only does it help the negotiators quickly determine the sophistication of the attackers, but it also helps the negotiators build a rapport with the attackers,” Kitten said. “They develop mutual respect. If you have negotiators that have native language speakers on staff, the likelihood that you’re going to lower your ransom is greater, and the likelihood that you’re going to be hit by the same ransomware gang in the future drops dramatically. And again, a lot of that is just because of the relationship building.”

It’s also important to inquire about how the ransomware negotiator collaborates with its clients. “This is essentially just the set of practices that describe how a victim organization is going to hear from their ransomware negotiator,” Franks said. “Are you bringing in the data protection officer or chief risk officer? Are you getting updates in real-time? Are you getting them daily? Who is providing public relations services? Who is handling all adherence to cyber insurance or legal requirements?”

If a company chooses a good ransomware negotiator, it may be able to avoid paying a ransom altogether.

“But we know that oftentimes, that’s not the case,” Kitten said. “You want to make sure the incentives are right for the negotiator. It is possible that, because it is such an opaque business, the negotiator could get a cut of the ransom. You at least want to make sure to get a ransomware negotiation provider that does not have an incentive to either get paid a high ransom or any ransom at all.”

Fool Me Once, Fool Me a Hundred Times

If you’re hit with a ransomware attack once and end up paying a ransom, “you’re more likely to be hit by a ransomware attack again,” Kitten said. “And so having a really good negotiator is going to help reduce the chances or the likelihood that you’re hit again.”

Many companies that have been hit with a ransomware attack were already targeted by multiple attacks in the previous year.

“In 2021, 50% of the ransomware victims were attacked between two to five times, and nearly 75% of the victims were hit two to 10-plus times,” Kitten said. “Oftentimes, they’re getting in because an employee falls for some kind of phishing attack. It’s a network vulnerability that they exploit. So even if you have backups of data, you still need to address the network intrusion.”

The Future of Ransomware Negotiation

The market for ransomware negotiation has long been a black box, with most parties seeking such services not knowing even the basics, so there’s lots of room for improvement. “There needs to be information sharing,” Kitten said. “All parties would benefit from sharing of techniques, standards, and the expectations of different ransomware gangs. It just doesn’t exist yet.”

Ethical standards will be increasingly important, too. “Sharing of ethical standards can really go a long way in handling this epidemic of ransomware and preventing the damage that it’s causing from spiraling out of control,” Kitten said. “Beyond that, I think that there are certain approaches, for example, pricing-model approaches, that would give us a lot of space to grow.”

Other innovations can involve the payment of negotiators. One classic model of compensation has been to give negotiators a cut of the difference between the ransom sought and what was ultimately paid. Kitten would like to see that revised.  “There’s an incentive for both the ransomware negotiators and the ransomers to give absurdly high ransoms at the outset, with the expectation they will be negotiated far down. And that puts the ransomers in an advantageous position,” she said. 

To learn more about the negotiations market and how to select a good ransomware negotiator, click here to view the full report.

Tags: cyber fraud, Cybersecurity, fraud, Javelin Strategy & Research, phishing attacks, ransomware