"We Wait, Because We Know You" - Inside the Ransomware Negotiation Economics

Presented at Black Hat Europe 2021, Nov. 11, 2021, 2:30 p.m. (30 minutes)

Organizations worldwide continue to face waves of digital extortion in the form of targeted ransomware. Digital extortion is therefore now classified as the most prominent form of cybercrime and the most devastating and pervasive threat to functioning IT environments. Currently, research on targeted ransomware activity primarily looks at how these attacks are carried out from a technical perspective. Little research has however focused on the economics behind digital extortions and digital extortion negotiation strategies using empirical methods.

This session explores three main topics. First, can we explain how adversaries use economic models to maximize their profits? Second, what does this tell us about the position of the victim during the negotiation phase? And third, what strategies can ransomware victims leverage to even the playing field? To answer these questions, over seven hundred attacker-victim negotiations, between 2019 and 2020, were collected and bundled into a dataset. This dataset was subsequently analyzed using both quantitative and qualitative methods.

Analysis of the final ransom agreement reveals that adversaries already know how much victims will pay, even before the negotiations have started. Each ransomware gang has created its own negotiation and pricing strategies meant to maximize its profits. We however provide multiple strategies which can be used by victims to obtain a more favorable outcome. These strategies are taken from negotiation failures and successes derived from the cases we have analyzed and are accompanied by examples and quotes from actual conversations.

When ransomware hits a company, they find themselves in the middle of an unknown situation. One thing that makes those more manageable is to have as much information as possible. We aim to provide victims with some practical tips they can use when they find themselves in the middle of that crisis.


Presenters:

  • Zong-Yu Wu - Threat Analyst, Fox-IT, part of NCC Group
    Zong-Yu Wu is a threat analyst and a member of Fox-IT threat intelligence team. He investigates mainly financially motivated threats in the cyberspace and provides in-depth analysis of malware and TTPs. His research interest covers adversaries' decision-making behavior.
  • Pepijn Hack - Cybersecurity Analyst, Fox-IT, part of NCC Group
    Pepijn Hack is a cybersecurity analyst at Fox-IT. He graduated from university in 2020 with a bachelor's degree in Criminology and a master's degree in Crisis and Security Management. He loves to combine these two fields with his passion for technology.

Links:

Similar Presentations: