1 of 11

Meeting 3

Ransomware Negotiations

Attendance

WELCOME!

2 of 11

Updates

Opportunities

Executive Shadowing

  • Interested in a future executive role?
  • We invite you to shadow the executive team
    • Engage in meetings
    • Learn administrative side of running the club
    • Understand different roles to find which fits you best

Student-Powered SOC at Miami

  • Led by John Virden
  • Real experience learning/working in a SOC
  • Spring 2025 for new student hires

Club Updates

Elections

  • Hosted later this semester
  • If you are interested in leading the club, let us know so we can discuss positions!

Industry Events

Ross Flynn (CrowdStrike) - 10/1

  • OSINT Presentation

Mark Jeanmougin (Siemens)

  • 11/12: DFIR Series: Workshop #2
  • TBD: Comprehensive AI Discussion

3 of 11

Current Events Discussion

Scattered Spider “Retires”

The Hacker News

From there:

  • Accessed sensitive IT and Security documents
  • Moved laterally through environment
    • Dumped credentials
  • Reset a Veeam service account password
  • Assigned Azure Global Admin perms
  • Relocated VMs to evade detection

Scattered Spider and 14+ other organized cybercrime groups claimed to “retire.”

Threat intelligence leaders warn that this could mean:

  • They are regrouping under a new alias
  • They have suffered an internal disruption

4 of 11

How Do Ransomware Negotiations Work?

Cole LaCamera

5 of 11

What are Ransomware Negotiations?

What people generally assume:

  • Ransom note is received by a victim
  • They pay/don’t pay the ransom
  • If they pay, they get all of their data back right away and in its entirety

What they don’t consider:

  • Parties involved in negotiations
  • Regulations preventing payments
  • Efficacy of decryption keys

6 of 11

Ransom Negotiation Basics

Cybersecurity Insurance

  • Many companies pay for cyber insurance to cover ransomware payments
    • Some have retainers for:
      • DFIR
      • Negotiators
      • Security incident response team (SIRT) help
  • Some companies put money in a holding account, to be used for ransoms
    • This depends on risk appetite
      • Do you NEED data to be operational?
      • Are systems IT or OT?

How Do We Get to Negotiations?

  1. Ransom Note is received
  2. Victim brings in legal counsel (so the investigation falls under attorney-client privilege)
  3. Cyber insurer is engaged (usually legal handles this)
  4. Insurance brings in ransom negotiators

Now the fun starts!

7 of 11

8 of 11

Negotiation Tactics

Stalling

  • Prolongs the negotiation process
  • Allows victim time to determine scope of the compromise

Determining Scope

  • The company needs to know how much of their environment was compromised
  • What data was affected?
    • Is that data critical for production?
  • Does the threat actor really have what they claim?

Demanding Proof

  • Companies will ask the criminals to provide proof that sensitive data was exfiltrated
    • Many groups will provide a few files, a file tree, and a single-use decryption key
    • Company assesses whether the data was really stolen
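One way to turn “does the threat actor really have what they claim?” into an actual check, covering both the Determining Scope and Demanding Proof slides. This is an added example, not material from the presentation: it takes the file-tree dump and the few sample files an actor releases as proof, measures how much of the claimed tree exists on the victim’s share, and hashes each sample against the local copy. The share, the file-tree format (one path per line) and every file are constructed stand-ins built in a temp directory so the script runs offline; real dumps vary in format.

```python
import hashlib
import os
import tempfile
from dataclasses import dataclass


@dataclass
class ProofAssessment:
    listed: int        # paths in the actor's file-tree dump
    present: int       # of those, how many actually exist on our share
    matched: list      # sample files that are byte-identical to our copy
    mismatched: list   # sample files we have, but whose content differs
    missing: list      # sample files we do not have at all

    @property
    def coverage(self) -> float:
        """Fraction of the claimed file tree that really exists on the share."""
        return self.present / self.listed if self.listed else 0.0

    @property
    def credible(self) -> bool:
        """Heuristic threshold (an assumption): most of the tree is real and
        at least one released sample is an exact copy of our data."""
        return self.coverage >= 0.8 and len(self.matched) > 0


def _normalize(rel: str) -> str:
    """Actor dumps usually carry Windows separators and a leading slash."""
    return rel.replace("\\", "/").lstrip("/")


def parse_file_tree(listing: str) -> list:
    """Parse a plain dump: one path per line, '#' comments and blanks ignored (assumed format)."""
    return [_normalize(line.strip()) for line in listing.splitlines()
            if line.strip() and not line.strip().startswith("#")]


def sha256_of(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def assess_proof(share_root: str, listing: str, samples: dict) -> ProofAssessment:
    """Compare the actor's claims against a (read-only) copy of the share."""
    paths = parse_file_tree(listing)
    present = sum(os.path.isfile(os.path.join(share_root, p)) for p in paths)
    matched, mismatched, missing = [], [], []
    for rel, data in samples.items():
        rel = _normalize(rel)
        local = os.path.join(share_root, rel)
        if not os.path.isfile(local):
            missing.append(rel)
        elif sha256_of(local) == hashlib.sha256(data).hexdigest():
            matched.append(rel)
        else:
            mismatched.append(rel)
    return ProofAssessment(len(paths), present, matched, mismatched, missing)


def build_demo_share() -> str:
    """Constructed stand-in for the victim's file share (a temp directory)."""
    root = tempfile.mkdtemp(prefix="share-")
    files = {
        "Finance/2024/Q3-forecast.xlsx": b"Q3 forecast: revenue 12.4M, ebitda 2.1M\n",
        "HR/payroll/payroll-sept.csv": b"emp_id,name,salary\n1001,A. Smith,84000\n",
        "IT/network/core-switch-config.txt": b"hostname CORE-SW1\nenable secret 5 $1$abc\n",
        "Legal/contracts/vendor-msa.docx": b"MASTER SERVICES AGREEMENT (draft)\n",
    }
    for rel, data in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
    return root


# Constructed "proof" from the actor: a file-tree dump plus three released sample files.
ACTOR_FILE_TREE = """
# dump from \\\\FS01\\corp
\\Finance\\2024\\Q3-forecast.xlsx
\\HR\\payroll\\payroll-sept.csv
\\IT\\network\\core-switch-config.txt
\\Legal\\contracts\\vendor-msa.docx
\\Legal\\contracts\\acme-nda.pdf
"""
ACTOR_SAMPLES = {
    "\\HR\\payroll\\payroll-sept.csv": b"emp_id,name,salary\n1001,A. Smith,84000\n",   # exact copy
    "\\IT\\network\\core-switch-config.txt": b"hostname CORE-SW1\nenable secret 5 $1$xyz\n",  # differs
    "\\Legal\\contracts\\acme-nda.pdf": b"%PDF-1.4 fake\n",                              # never existed here
}


def run_demo() -> ProofAssessment:
    return assess_proof(build_demo_share(), ACTOR_FILE_TREE, ACTOR_SAMPLES)


if __name__ == "__main__":
    a = run_demo()
    print(f"tree coverage {a.present}/{a.listed} = {a.coverage:.0%}; matched {a.matched}; "
          f"mismatched {a.mismatched}; missing {a.missing}; credible={a.credible}")
```

Read the result the way a negotiator would: an exact hash match proves the actor holds at least that file; a mismatch is weaker evidence either way, since the file may simply have changed after exfiltration; a path the share never contained points at padding or at data taken from a different system, which matters for scoping. Run it against a snapshot or read-only mount, not the live share, because the actor may still have a foothold.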

9 of 11

Decryption Key Efficacy

Many people think that paying a ransom means you get all of your data back.

Statistics say otherwise (source: Darwin’s Data):

  • Only 20-30% of companies get their data back after payment
  • 8% got all of their data back
  • 29% got back less than half

Overall, roughly 70-80% of companies don’t get their data back despite paying a ransom.

So why do companies still pay ransoms?

  • Some companies NEED data back in production so that systems/processes do not fail, even if only a small percentage of it is recovered
    • System downtime can often cost more than the ransom itself
  • Threats of posting sensitive data online can cost companies millions in reparations to exposed customers
  • Sometimes the hope of quickly recovering half of the data is preferable to recovering none
    • If backups can be relied on to recover the other half

10 of 11

More Considerations

Regulatory Requirements

There are regulations in place that prohibit or regulate ransom payments:

  • OFAC penalties for paying groups or persons on the U.S. sanctions list (which includes some ransomware operators)
  • Some states have bans that prohibit ransom payments by government agencies
  • CIRCIA requires covered critical infrastructure entities to report ransom payments to CISA
  • SEC-regulated companies may need to disclose ransom payments

Other Considerations

  • How will a company’s reputation be impacted by paying a ransom?
    • Does that outweigh potential harm if data is exposed?
  • Is the threat actor group trustworthy?
    • Oddly enough, groups build reputations, good and bad, for honoring their deals
    • Some will say they’ll provide a key, then disappear once the ransom is paid
  • Can the company afford the ransom?
    • Many threat groups will look for the victim’s cyber insurance policy in the data they stole and demand exactly the covered amount

11 of 11

Simulation Games

Optional: Read Ransomchats

  • These are real, redacted negotiation conversations
  • Review the conversations to identify tactics

Game Simulations:

  • You should have received an email with links to the simulations
  • Play the games, effectively navigating negotiations using the tactics discussed

Links:

Financial Times: https://ig.ft.com/ransomware-game

RansomChatGPT: https://www.yeschat.ai/gpts-2OTo9yuE4X-RansomChatGPT

eBanking: https://www.ebas.ch/en/ransomware-game/

Kaspersky: https://www.kaspersky.com/response-game/en/