Ransomware negotiation: Don’t try this at home
culture
Inclusion and Diversity
Corporate Social Responsibility
Team BRIT
Environmental, Social & Governance
Insurance
accident and health
contingency
event cancellation
non appearance
film
prize indemnity
cyber
cpr
xdr
bcap industrial
xdr pro tech
first50
cyber claims
delegated authority
commercial property
flood
financial property
homeowners
small commercial general liability
directors & officers
energy
e-trading
financial institutions
fine art and specie
general liability
public and products liability
employers liability
environmental liability
healthcare liability
marine
cargo
hull and marine war
keel
marine and energy liability
political risk trade credit
political violence / terrorism
political violence/london
private client
home
motor
travel
professional liability
small north american liabilty
north american professional liability london
programs
property
north american open market property
international property
uk property
transportation
Reinsurance
casualty treaty
international casualty treaty/london
north america casualty treaty/london
property treaty
property treaty
property treaty bermuda
Claims
Claims Philosophy
Claims Innovation
Cyber Claims
industries
aerospace
aquaculture, equine and livestock
architects and engineers
commercial
construction
consumer goods
education
energy
events & entertainment
farming and agriculture
financial services
healthcare
municipalities
personal lines
professional services
real estate
religious and not-for-profit
retail
technology
transportation
utilities and industrial
careers
Why join Brit?
our business areas - speaking for ourselves
business area - actuarial
business area - claims
business area - finance
business area - internal audit
business area - operations
business area - risk
news
Brit Group
Brit Global specialty
Brit Global Specialty Bermuda
Brit Re
Camargue
Ki
financials and governance
Financials
Governance
executive & board
Risk
History of Brit
Working with FinTechs and InsurTechs
Fair Value Assessments
brokers and coverholders
leadership
innovation
contact
Complaints
Privacy Notice
Modern Slavery
Terms and Conditions
The latest from Brit

Financials

Results for the year ended 31 December 2023

find out more

news

find out more
Ransomware Header Image - A blue tinted image of a laptop and hands with digital graphics overlaid

news

Ransomware is on the rise in 2024

The global threat from ransomware is expected to increase over the next two years. In January, an assessment study published by the National Cyber Security Centre found that the adoption of AI will create more tools that previously unskilled threat actors can use to attempt ransomware attacks. Coupling this with better targeting methods, it’s understandable why ransomware is considered the UK’s most acute cyber security threat in 2024.

We can see the developing ransomware threat in recent headlines, like the attack on the British Library. What was initially reported in October 2023 as an IT outage later transpired to be the work of the Rhysida ransomware group. Rhysida stole reams of data and held the British Library to ransom. When the British Library refused to participate in ransom negotiations, the cyber attackers attempted to sell the stolen data to the highest bidder via the dark web.

After no one accepted Rhysida’s asking price of 20 bitcoin (worth just under £600k at the time), they published 573GB of the stolen data online. Amongst the leaked data were files from the British Library’s CRM database that held everything from visitors’ personal information such as names, email addresses, and home addresses to employee contracts and scans of passports. The British Library’s decision not to enter into negotiations ultimately led to 90% of the data stolen by Rhysida being leaked.

To understand more about these types of attacks, we spoke to a highly-skilled ransomware negotiator from the cyber security organisation, Kivu Consulting. Kivu are among some of the experts who could be called as part of the breach response with Brit’s cyber cover, helping to resolve dozens of negotiations on a weekly basis. Their insight is crucial in understanding how negotiation is managed and why it should always be left to the professionals.

Ransomware Article Image 2 - An image of a woman

View from the negotiator: What are the most common types
of vulnerability you see threat actors taking advantage of?

"We've seen organisations fall victim to what is called a zero-day vulnerability . These are typically exploited by a nation-state threat actor and then subsequently adopted by a ransomware group that will, in turn, attack multiple victims in a single hit. One recent example of this was the ransomware group "Cl0P", which exploited a zero-day vulnerability in a managed file transfer (MFT) application called MOVEit in June 2023. These attacks were used for data theft and subsequent extortion through a single environment being compromised.

Last year, we dealt with forty-five different strains of ransomware, but we were also involved in hundreds of specific incidents that involved the same strains of ransomware across different attacks. We have seen sanctioned entities based in Iran masquerading under previously 'legitimate' ransomware strains like LockBit. We constantly have to be careful in dealing with any incident as there could be sanctioned entities behind the attacks – this highlights the importance of the due diligence process in protecting victims from the severe repercussions that could occur from paying a ransom to a threat actor who has already been sanctioned."

 

What is ransomware negotiation?

When Rhysida stole data from the British Library, they hoped to extort the institution for money. A victim of a ransomware attack will typically become aware that cyber criminals have targeted them by receiving some form of a ransom note, like a computer wallpaper on a system that’s been compromised, telephone calls or emails to executives from the hacked organisation. Ransomware negotiators may be instructed at this stage. In the event that they are, negotiators might engage with the threat group in place of the organisation that suffered the attack, determine which group is responsible, and try to lower the ransom demand. Negotiators may also be able to buy time for the victim organisation by engaging in protracted negotiations.

When it comes to negotiation, ransomware negotiators can use different means of communication to facilitate conversations, depending on what has been set up by threat actors. Compromised organisations might be contacted through “.onion sites” or specialised chat portals on the dark web. Sometimes, they might even be approached through more conventional means like email or WhatsApp.

Ransomware attacks have the potential to cause serious disruption. An organisation with Cyber Insurance coverage from Brit will have dedicated support teams available to assist them with the negotiation process.

The events that typically follow from a ransomware attack can be found below. Vulnerabilities arising out of other forms of cyber incidents (such as business email compromises or accidental disclosures) may follow a different pattern.

 

  • A cyber incident occurs, and ransomware is deployed onto an organisation’s systems.
    The organisation may find a note stating that the threat group is holding the organisation’s
    data to ransom. A demand for payment may be made in exchange for the safe return of the data.
  • The affected organisation reports the incident to Brit’s 24-hour breach response hotline.
  • The organisation will receive a triage call and will be passed on to an assigned Breach Counsel to gather more details.
  • Instructed Breach Counsel will appoint suitable ransomware negotiators. These two parties will work together to form a negotiation strategy, scope the incident, determine attribution, and define next steps. The Breach Counsel, ransomware negotiators, and insured organisation form a tri-party agreement to maintain legal privilege beyond any appropriate authorities that might be involved when this type of cyber crime is initially reported.
  • Ransomware negotiators will proceed with negotiations while concurrently determining if the threat actors are a sanctioned entity and, therefore not legally authorised to receive any type of ransom payment.
Ransomware Article Image 3 - A landscape shot of earth from space with multiple lines of light shooting out into the distance.

Is it legal to pay a ransom request in the UK?

It is legal to pay a ransomware request unless the individual or group requesting the ransom is subject to sanctions from an applicable jurisdiction that prevents them from making funds through these types of payments. In the case of the UK, the government’s position on this is clear; “Breaches of financial sanctions are a serious criminal offence and can carry a custodial sentence and/or the imposition of a monetary penalty.”

The full list of sanctioned entities is available on the UK government’s website. The purpose of sanctioning entities involved in ransomware is to further the prevention of cyber activity, which:

  • Undermines, or is intended to undermine, the integrity, prosperity or security of the UK or a country other than the UK.
  • Directly or indirectly causes, or is intended to cause, economic loss to, or prejudice to the commercial interests of, those affected by the activity.
  • Undermines, or is intended to undermine, the independence or effective functioning of an international organisation, or a non-governmental organisation or forum whose mandate or purposes relate to the governance of international sport or the internet.
  • Otherwise affects a significant number of persons in an indiscriminate manner.

The role of ransom negotiators involves uncovering information about the individuals or group that has made the ransomware request and finding out if they are sanctioned. Part of the negotiators’ specialism is being able to undertake relevant due diligence checks and cross-reference their own threat actor databases to assess who might be responsible for the attack.

The key areas that will be examined include Indicators of Compromise (email addresses, IP addresses, etc) and the tactics employed by the threat actor. This will be compared with the negotiator’s intelligence and existing sanction lists to accurately assess if the threat actor or connected people and entities are sanctioned. Once the view on sanction status is clear, the negotiator can advise the insured on whether negotiations should proceed.

 

View from the negotiator: How do threat actors know how much to ask for when setting a ransom?

“We’ve observed that threat actors have become a lot more strategic in their approach to setting ransom expectations when carrying out a cyber-attack. They will base their research on open-source information. For example, they could go to ZoomInfo and look up the victim organisation to see what their perceived revenue is and set the ransom to be a percentage of that revenue.

In other cases, we’ve seen threat actors specifically search for cyber insurance policy documents or financial information during their hack. With this information, the threat actor can see that a business will be insured for “X” amount on ransom payments. This information will be co-opted as leverage during the negotiation process. They are very intelligent in how they do this. They are looking for payment and will go into negotiations with a clear picture of what their victim organisation can reasonably afford to pay.”

 

View from the negotiator: How do people get into ransomware negotiation?

“The majority of consultants in our team have worked in defensive or offensive cyber security. Those from defensive security would include digital forensics or incident response experts, meaning they have experience of operating in a live environment and securing networks against threat actors. Those from an offensive background will typically have worked on legitimate penetration testing, with experience in government and military backgrounds.

Personally, I started out in the industry through digital forensics before taking work from law enforcement agencies and then moved into the private sector, where I work today. During my time in law enforcement, I specialised in disrupting threat actors in the cyber crime space as well as responding to national cyber incidents in the UK. My specific role involved developing technical exploitation capabilities to interact and disrupt cyber criminals. This skillset lends itself well to the type of work I’m involved in today.”

 

View from the negotiator: Is there anything that has surprised you in your line of work?

“To be honest, working in a dynamic cyber crime environment means that you become a little numb to the unexpected after a while! Having said that, cyber criminals have evolved the tactics that they use to put pressure on their extortion victims. This is typically in search of leverage. We have seen incidents where cyber criminals have been able to hijack printers inside victim organisations to print off physical ransom notes. We’ve also even recorded hackers notifying the governing bodies and authorities that organisations have fallen victim to a cyber attack. This obviously comes with its
own repercussions for the victims.

We have a whole list of examples of what we’ve seen over the years, but the theme is that threat actors are always looking for different ways to leverage and apply additional pressure to victim organisations in their search for a ransom payment.”

 

View from the negotiator: What kind of trouble could an organisation get into if they tried ransomware negotiation themselves?

“The threat actor could become annoyed and frustrated pretty quickly if a victim organisation attempted to negotiate without knowing the ins and outs of the preferred communication method. This could encourage the threat actor to launch subsequent attacks to name and shame their victim or release sensitive data if negotiations don’t progress quickly enough.

Professional ransomware negotiators have a pre-planned negotiation strategy, which is agreed upon with the insured organisation and Breach Counsel for these types of incidents. This strategy will be executed in accordance with how specific incidents develop to ensure the best possible outcome can be found for the victim.”

 

Leave ransomware negotiations to the professionals

Ransomware negotiation is a subtle and nuanced skill that requires a combination of experience, instinct, and industry knowledge. Organisations shouldn’t be left with the burden of negotiating themselves, which is why we partner with experts to ensure support for a ransomware attack is on hand 24 hours a day, 7 days a week.

The threat from ransomware is set to continue, but we have the team to support our insured organisations if they’re affected.
Find out more about our cyber cover here.

Brit enters HNW market with Private Client launch

28-05-2020 |People
Read more

Brit expands newly launched Private Client offering with further hires

14-07-2020 |Private Client
Read more

Brit Private Client ranked first in high net worth report

02-05-2022 |Private Client
Read more

Brit Private Client Home Automation

24-11-2021 |Private Client
Read more

Brit appoints Tara Parchment to build Private Clients proposition

26-07-2018 |Private Client
Read more
London Footer White

A Fairfax Company

©2024 Brit Group Services. All rights reserved.