2020 saw a significant increase in the number ransomware attacks due to the expanded attack surface and vulnerabilities caused by the pandemic and distributed workforce. On top of that, in October 2020, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) issued an advisory noting that companies can be fined if they make a ransomware payment. This leaves companies in a tough spot – especially smaller ones with limited means that may be facing an existential crisis when they get attacked by ransomware.

Ransomware negotiator breeding ground

It’s understandable how companies can become generally frantic after getting hit with ransomware: They can’t access their data, they can’t operate their business and they don’t know what to do. The government tells them not to pay ransom but the insurance company, if they have cyber insurance, is saying to pay the attacker. 

Most companies, even within security staff, do not have experienced ransomware experts and crisis negotiators on staff, so they need to turn to outside experts. This has created a fertile breeding ground for the nascent ransomware negotiator industry. But, as it stands now, it is an industry with no certifications or professional associations, so anyone can call themselves a ransomware negotiator. And, in some cases, inept ransomware negotiators have left companies in worse shape than they found them in by inciting threat actors to do even more damage. 

Ransomware negotiator credentials

So, what should you look for when hiring a ransomware expert to drive crisis planning and response at your enterprise? Here are four critical credentials:

1. Documented experience with successful ransomware negotiations – Ransomware negotiators require specialized skills. If you’re embroiled in an intellectual property (IP) lawsuit, you don’t just hire a general-purpose lawyer for the job. You hire an IP specialist. The same dynamic applies here − companies need help from experts with specialized experience in cyber intelligence and ransomware, so they can effectively validate the threat (believe it or not, some threat actors are less than truthful) and develop a remediation strategy based on your business risk profile.
2. Demonstrated understanding of various threat actors and syndicates – Experienced ransomware negotiators will know how to deal with the types of ransomware attacks by both threat actor syndicates and “freelancers.” Each of these situations calls for different approaches – the threat actor syndicates tend to follow a “playbook” that can be more predictable than a lone threat actor. For example, a syndicate is likely to be extorting multiple victims at a time, which could make them more amenable to a quick settlement, even if it's significantly reduced from the original ask. On the other hand, you might be the only victim for a freelancer, which means they’ll be trying to maximize their profit. As with any negotiation, knowing the adversary is critical to a successful outcome.  
3. Executive-level business acumen – Experienced negotiators will not only be able to deal with and respond appropriately to the threat, but also understand the victim’s priorities and communicate with security leaders and C-level executives as part of the process. Ransomware is not just a cybersecurity problem; it’s a corporate crisis. And, as with any corporate crisis, critical decisions need to be made from the top level – like whether or not to pay the ransom, how to notify investors, how to respond to regulatory exposure, etc. Negotiators need to be able to guide companies through this process so executives understand the situation and their responsibilities, and they also need to have the ability to “play Switzerland” in what can be a tumultuous situation with many factors at play, including emotions, differences of opinion, internal politics and more.
4. The ability to coordinate effective corporate crisis response – Negotiators need to evaluate the company’s corporate crisis response plans and determine if they have the proper integration of legal, communications, law enforcement, finance, the board and other functions to avoid compliance violations, lawsuits and reputation damage after payment. Legal is one of the most integral parts of the equation, so the ability for a negotiator to clearly understand the legal ramifications is paramount.

As reports in the news have clearly demonstrated, ransomware is easy money for threat actors, which is why attacks continue to proliferate. It is critical that chief security officers, regardless of size, take ransomware attacks as seriously as they do other risks. There is only one chance to do it right – and there are endless ways for negotiations to end badly – including angering the threat actor so you become a repeat target, where the threat actor collects the ransom and attacks the company again. Experienced negotiators will help validate threat actors claims and also ensure as best they can that they hold up their end of the bargain.

The best approach is to engage a ransomware negotiator before you’re attacked, so they can work with you to create a sound crisis response plan. Then, when an attack hits, instead of feeling frantic, you’ll know exactly who to call.