Ransomware Negotiations

Posted by Mark Greisiger

A Q&A with Bill Siegel of Coveware
Given the prevalence and sophistication of ransomware—not to mention the financial stakes involved in these exploits—it’s no longer wise to leave delicate negotiations to internal staff. We spoke to Coveware’s CEO and cofounder Bill Siegel about the nuances involved in handling threat actors and why having data at the ready can better inform a company’s decision-making.

How is Coveware typically brought into a ransomware situation?
We are usually contacted through one of three channels: 1) directly by the companies; 2) by insurance companies or law firms representing an end client; or 3) by service providers such as forensics firms, incident response firms or managed security service providers dealing with a case that involves an end client. We try to balance these channels and still leave a bit of capacity to help small businesses. We do our best to take on at least one or two pro-bono cases each month, where the end client is a charity or religious organization.

What are some of the issues that might arise in either negotiation or payment?
There are an infinite number of permutations that a case could take that can lead to complications. Clients should know basic statistics about their case. That includes the expected costs, case duration, likelihood of payment default, and decryption recovery rates. This data should be laid out and discussed for the client at the outset. You need to know this information in order to set the proper strategy for the overall recovery effort. Our approach is, first and foremost, data-driven. Because we handle a high volume of cases every month, we are able to show our client’s data from a sample set of prior cases involving the same type of ransomware and threat actor. This visualizes key aspects of the case, such as how much it will cost and how long it will take to resolve. Ransomware is very patterned, so once we see how a given type of ransomware is being used by a threat actor, we can generally provide a high conviction path forward for the end client. Without this data, it would be akin to flying blind.

What’s the largest payment you’ve ever facilitated?
We don’t favor aggrandizing large ransom payments. We are prouder of the negotiated discounts we are able to achieve for our clients, and make these statistics available on our website so the trend in each type of ransomware is pretty clear. We also don’t price our services off of the amount of the ransom payment, as we don’t want to align the financial success of our company with higher ransom amounts. We aim to deliver value by minimizing both financial cost and downtime costs. We can lower the aggregate risk of data loss in an incident by helping our clients make more informed, data-driven decisions and by negotiating firmly and efficiently on their behalf. The outcome of those efforts are the statistics we are proud of advertising. When it comes to large payments, we are able to leverage a diverse set of cryptocurrency sources. We also have lending facilities in place so that clients in need of help on nights, weekends and holidays are not bound by banking hours.

Do you see a trend with ransomware and associated demands for bitcoins?
While the average ransom amount is around $80,000, it is skewed by a few ransomware types (Ryuk in particular) that are significantly more expensive than the others.  The median ransom demand is closer to $10,000. It really depends on the ransomware type and threat actor group. With Ryuk, for example, the demands have gone vertical. With Dharma, some variants have increased, while others have remained flat. With less prevalent types like Nozelesn, or Globelmposter, the demands have been pretty stable.

Do the threat actors typically make good on their promise to provide the decryption key?
We see huge variations in default rates between ransomware types and threat actor groups. This puts a massive premium on leveraging our data. For example, there are certain threat actors within Dharma that have flawless track records of delivering working decryption tools, and others that always default. If you can’t differentiate one from the other, you are taking huge risks with your company’s data and capital.  

What prevention or mitigation suggestions do you offer your clients?
We publish advice almost weekly on best practices to deal with this everchanging threat. Every organization, no matter how small or large, has to be buttoned up with several layers of protection to avoid the worst case scenario. It’s also important to realize that 100 percent prevention is not a realistic goal. What matters is how quickly you can recover. The absolute musts from the outside in are:

  • regular security awareness training for employees
  • solid AV and endpoint hardware and software
  • least-privileges principals on administrative access; 2FA on administrative access to anything close to domain control and backup systems
  • properly partitioned backup systems that are off the primary network

How do your analytical services help clients?
We take all the lessons learned from our cases and try to give bespoke, pointed advice to help clients be proactive about avoiding emerging threats. Clients that wish to keep us on retainer are offered ongoing research, monitoring and service level agreements for incident response should an issue arise. Ransomware distributors use the same TTPs until those TTPs stop working. When we see a trend, we let everyone know. If you can stay just ahead of the common exploits, you can lower the odds of an attack.

In Summary…
We want to thank Mr. Siegel and Coveware for sharing their insights into ransomware. Ransomware is increasingly driving cyber insurance claim payouts from the cyber risk insurance carriers we support. To bolster what Bill mentioned, we’ve learned firsthand from these carriers and other data breach response experts, including Breach Coach® lawyers, that the extortion payouts have grown exponentially since 2018. They now cost several hundred thousand dollars and can be upwards of $1 million—and we expect the same trend for 2019 and beyond. Having an actionable data breach crisis plan—one that your management team can access at a moment’s notice—is now a must-have standard of care.