The story
Not long ago, the IT tech at Company X received a ransomware note. A hacker wanted a whole bunch of money before he would give back control of the company’s files. The IT technician contacted the CISO who said to shut down two servers, which he did. And negotiations started.
They missed something. Did you spot it?
Ransomware attacks are growing
Let’s be clear: ransomware attacks – that is, cyber attacks in which a hacker takes control of a company’s systems, network, or data and demands a ransom in exchange for not doing anything harmful – are on a steep rise.
Today, businesses suffer ransomware attacks every 40 seconds. You’ve heard of Software as a Service? Now there is Ransomware as a Service! It appears that it’s not a matter of IF but WHEN you’ll have to deal with a ransomware attack in your company.
With this in mind, we asked our Incident Response Expert, Yuri Kogan, several questions including:
- Is there room to negotiate in a ransomware attack?
- How can you lower the ransom?
- How can companies prevent falling victim to ransomware attacks?
Plus other important questions you’ll find below.
Is there room to negotiate in a ransomware attack?
YK: There is always space to negotiate. It’s important to identify what the attacker wants. Is money the motivation, bragging rights or something more nefarious? Once we know what they want, we know where to begin.
There are two strategies in ransomware negotiations:
- Negotiating towards a result. Here we have to give something (for example, money) to get what we want (control of our systems, our data returned, etc.).
- Tactically using negotiations to achieve other ends. Here we want time to gain intelligence about the hacker or to buy time for the cyber defense team to do their job.
Can you lower the ransom?
YK: Typically, a hacker is open to negotiating the final ransom. But they’ve done their homework and know their bottom line.
How can you lower the ransom?
YK: What you don’t want is the negotiator or incident response expert to show up and start jockeying with the technical response team over who has control.
When the two parties have met to discuss the incident response and agreed on each other’s roles before an event, the client gets a better result. Or they’ve worked together in the past. In either case, the client gets a better result.
I suggest that companies keep a list of professionals and know who to call if there is an event. This will ensure from the get-go that less time is lost getting to know each other or jockeying for leadership. They get right to work to lower the ransom and enable the company to continue operating.
What does an attack look like?
YK: In the Company X story above, the hacker was in the system for weeks, remaining quiet. But throughout this time, he moved laterally and accessed more parts of the network. He gained control of highly privileged accounts and then exfiltrated and encrypted private data. Only then did he pop up and say:
“Hello! Guess what?”
What to expect with Incident Response?
YK: In 2020, ransomware negotiations averaged 5 days. In 2021, the average was 8 days.
Typically, the longer the negotiations, the lower the percentage of ransom the client paid.
If a company uses best practices in backing up their data and they are able to come back from backups, then they can stay in negotiations longer to work on lowering the ransom. If they are not prepared for this, they need to resolve the attack quickly, but this could result in paying a higher ransom.
Who makes the decisions?
YK: A ransomware attack requires business decisions, not just technology decisions. The company’s leadership should be involved from the get-go.
This is where Company X’s IT team failed. They did not inform the CEO who would not have allowed those servers to be shut down due to factors only he knew about. The cyber team should have presented the CEO with options.
When Yuri is involved, he deals with the threat actor or he synchronizes the necessary professionals (IT, HR, legal, etc.). But the company’s management ultimately makes the decisions.
Why is critical infrastructure a popular target now?
YK: Critical infrastructure often comprises IT systems, OT networks, power transmission lines, communications systems, SCADA and PLC industrial control devices, etc. Each of these provides a separate attack vector for a hacker to target. Disabling one system can disrupt the entire infrastructure... and this could result in outages to the public for an extended period of time depending on the infrastructure and the nature of the attack.
How can companies stay ahead of hackers?
- Take steps to prepare while things are calm. CybergymIEC’s Prepare Respond Recover plan outlines our incident response steps.
- Don’t wait for a regulator to tell you what to do.
- Ask your vendors and contractors about their level of preparedness as well as the cyber defenses they have in place.
Does the deck favor the hacker?
YK: You spend all day working to improve your business while a hacker someplace in the world is spending his time perfecting his attack on you. He might try hundreds of times but only has to succeed once. We, on the other hand, have to be “on” 24/7/365.
Where do nation-state attacks on critical infrastructure fit in?
YK: Nation-states might not sponsor a financially motivated attack, but if they benefit from a cyber attacker’s agenda, they will look the other way. On the other hand, sometimes state-supported threat actors might initiate an attack that looks like a ransomware attack but has no financial motivation but rather a purely destructive one.
How does PR2 help?
YK: Our Prepare Respond Recover (PR2) ensures you will be ready for any cyber event. It goes beyond a template.
We learn about your company’s forecast, weaknesses, and critical assets and determine how long you can operate without your information systems. We then build the infrastructure of the different stakeholders and how they work together and most importantly, train the necessary personnel.
After this, we create an SOP (Standard Operational Procedure) or an incident response plan that includes a list of the critical personnel. We also pre-draft public messages to save time during an incident. The client’s PR specialist will use the outline and fill in the details to quickly release communications to protect your company’s reputation.
What is your biggest piece of advice to companies who want to improve their chances of avoiding paying large ransoms in an attack?
YK: Prepare now.