When it comes to online extortion, sometimes breaking up is hard to do. So said cyber incident response experts Siobhan Gorman and Eben Kaplan, speaking at the 2018 RSA Conference in San Francisco this week.
In some cases, IT leaders at organizations targeted by ransomware attacks will attempt to carry on extended conversations with their assailants, but such relationships are fraught with risk, warned Gorman, a former tech and cybersecurity reporter for the Wall Street Journal and current partner at the crisis communications and PR consulting firm Brunswick Group in Washington, D.C. There may be valid reasons for reaching out to an attacker, such as to buy time to formulate a response plan, or to negotiate a lower price, in cases where the organization has decided to pay a ransom to regain access to its compromised data or systems, she said. However, the criminals involved may see the contact as an opportunity to probe for additional vulnerabilities or raise the stakes, either financially or emotionally, to reach their desired outcomes.
The session, titled “How to Break Up with Your Extortionist: Tales from the Ransom Front Lines,” was inspired by an incident response engagement where the victim organization had corresponded extensively with an attacker, and after deciding not to comply with the ransom demand, was seeking advice on how to end the relationship. “The company was done negotiating and wanted to break it off, but needed some closure,” said Kaplan, a principal consultant on the incident response team at cybersecurity services provider CrowdStrike Inc. “We told them, it’s fine just to break it off,” said Kaplan, a former security policy advisor within the Department of Homeland Security, Congress and the Council on Foreign Relations.
It’s important to note that, as with other human relationships, there can be repercussions when a breakup goes badly for one of the parties, Gorman said. Some attackers will selectively release sensitive information stolen from the victim in an effort to re-engage, raise the stakes and force a more profitable resolution. Leaks can include emails detailing the negotiation. “Know that your correspondence may be made public at some point, so make sure what you say is defensible,” she said.
Hackers often use a variety of tactics to play upon the emotions of their victims. These can range from initially blocking access to data and systems, to selectively releasing documents that might cause embarrassment, to trashing networks or deliberately leaking valuable assets that represent a business risk.
An example of the latter tactic was employed in a rash of ransomware incidents targeting media companies last year, such as the widely publicized attack against the entertainment company HBO. That revolved around a $5.5 million ransom demand, backed by a public threat to release a supposed 1.5 TB of stolen material that included unseen episodes of the popular TV show Game of Thrones. The hacker made direct outreach to reporters and employees, eliciting a high degree of interest in the crime. Such attacks can include threats of physical violence against employees and even family members.
In the case of a hacker known as Dark Overlord, perhaps best remembered for leaking unreleased episodes of the Netflix show “Orange is the New Black,” the perpetrator threatened physical harm against children attending a school district in Columbia Falls, Montana, if ransom demands were not met by school officials.
Kaplan warns that while paying a ransom may seem like the quickest way to a resolution, it is far from a sure thing. In so-called “false flag” attacks, the hacker may have no intention of restoring systems or data, regardless of whether a payment is received. In other cases, hackers who are motivated by ideological or emotional factors may carry out their threats to destroy or release data even if their monetary demands are met. Finally, paying a ransom — however small the amount — can result in the victim’s name being added to a “sucker list” compiled in underground forums, indicating organizations that are likely to be susceptible to future extortion attempts.
The best form of protection is to be prepared well in advance of an attack, Kaplan said. This includes implementing strong controls that limit the likelihood of being attacked — and limit the potential damage if you are. He also recommends developing “an organizational playbook for managing cybersecurity incidents, including ransomware.” Such documents help ensure corporate leadership understands what to expect in an attack, and maps out the decisions and resources you’ll need in advance.
For Gorman’s part, she recommends being proactive in the event of an attack. Organizations can lessen the impact of a public ransom demand by being the first to reach out and inform employees, customers, and key stakeholders, and by focusing on transparency, communicating in a clear, accurate, and consistent fashion. Both speakers urged online extortion victims to waste no time engaging expert legal, forensic, and reputational advice to lessen the impact of an incident.
Steve Kovsky is a freelance writer based in the San Diego area.