Five Tips from the Cyber Negotiator
You’ve been hacked, and the hackers are demanding ransom. That’s when you call Geert Baudewijns, whose job is to negotiate with hackers worldwide following a ransomware attack. On Wednesday, November 6, Baudewijns will deliver a keynote presentation at Cybersec Netherlands.
- Paying Ransom is Usually Unavoidable
“My main task is to reduce the ransom amount. Because paying is almost always inevitable,” says Geert Baudewijns. Some organizations, often governmental, have a policy of not paying ransom on ethical grounds. “Based on the so-called ‘wall of shame’ of ransomware groups, we see that seven out of ten victims pay. Once you pay, you typically disappear from such a wall.”
Sometimes, it’s simply a practical consideration. “Most companies recover their data faster after paying the ransomware ransom than they would by performing their own restore,” he notes. Meanwhile, the company is at a standstill. “Often, it’s like this: if you don’t pay, there’s a chance you’ll go bankrupt.”
- Ransoms Based on Revenue Figures
Ransoms demanded by hackers (almost always to be settled in bitcoins) are usually based on revenue figures. For large organizations, this can be substantial. “For a smaller company, with about thirty to a hundred employees, you should typically expect to pay between fifty thousand and one hundred fifty thousand euros.”
However, revenue figures say little about profit. “As a result, some companies can indeed run into trouble because of such an amount,” he states. “Profit figures are harder to find, but if hackers have them, you’re in a difficult position as a negotiator. Because then hackers know exactly how much a company can really pay.”
- Data Publication is Not a Disaster
What scares many companies is the hackers’ threat to publish company data. That is often an unfounded concern, according to Baudewijns. Hackers can’t just place that company data on the internet without risking identification. Therefore, they put that confidential data on the darknet, where it’s much harder to find. “Moreover, on the darknet, it takes much longer to download data.”
Furthermore, publishing that company data is a negotiation tactic. “If I can convince the client to let the data be published if necessary, I stand stronger as a negotiator against the hackers,” he asserts.
- More Than Ransom: Four Negotiation Objectives
In each negotiation—which lasts about a week and a half on average—Baudewijns sets four goals. “First, keeping the price as low as possible for the client, that’s obvious. Second, obtaining the correct keys to decrypt the data, starting with the most important.”
But the other objectives might be even more important. “The main one is to find out if and what data the hackers have stolen and copied, so the client can better assess the risk,” he explains. “And fourth, also quite crucial: getting in writing how the hackers gained access, so we can secure those system weaknesses.”
- Expect a Slow Recovery
Many people think that once the encryption keys are in, everything will quickly return to normal. “But that’s not how it works,” the negotiator notes. “The software hackers use to encrypt utilizes the server’s full power. However, the decryption software only uses ten percent of the server’s power. So, it takes much longer,” he points out.
Decrypting data is just one part of the story. “Additionally, you need to completely rebuild the network; otherwise, the hacker will be back in no time.”
Source: Computable.nl