A reporter once asked the infamous bank robber Willie Sutton, “Why do you rob banks?” Sutton’s answer: “Because that’s where the money is.”

Whether that conversation actually took place is up for debate. What’s not is the fact ransomware attacks are on the rise — and one of the biggest reasons is that’s where the money is. We are an information economy, dependent on data and the Internet to thrive. In fact, data is often the heart, but also the Achilles heel of businesses, and the bad guys take advantage of that dichotomy.

Threat actors are now not only encrypting critical business systems, but also backups. They’ve brought businesses to a standstill, leaving some non-operational and really, with no good options for recovery. In many cases, it’s been pay the ransom to obtain a decryption key — or go out of business.

Step one: Assess the damage

Response to ransomware attacks begins with a scoping call to gather as much detail as possible about what happened. As a standard practice, incident response (IR) teams also run through a series of technical questions to gain a better understanding of the client environment and ensure that the bad actors don’t still have a foothold or access into the environment.

It’s critical to understand the extent of the compromise, conduct a root cause analysis, regain control of the environment, and determine if and what data may have been stolen. Once bad actors deploy ransomware, it’s not uncommon for them to monitor victim email communications. Some will even call victims — a new tactic seen in 2020 when Conti ransomware first became active.

In short, there’s much to do behind the scenes before communications, let alone negotiations, can begin with bad actors.

Communications channels and approvals to negotiate

Generally, bad actors provide high-level information in ransom notes on what’s happened and how to contact them to begin negotiations. Depending on the ransomware group, they’ll provide either an email address or a URL, typically a .onion link that requires a special web browser like Tor.

If a URL, the site will have more instructions, the ransom amount, and in some cases, a timer. Some sites require a special code or key, usually included in the ransom note; others require victims to upload a copy of the ransom note; and most have a chat program for communicating with the attacker.

If there’s a timer, it’s typically set for seven days and will start when you enter the site. Once time runs out, the ransom usually doubles. In some cases, if circumstances beyond the victim’s control delay a ransom payment, it may be possible to negotiate an extension. At the end of the day, this is a business transaction, and bad actors want to get paid.

It is important to note, however, that companies cannot pay ransoms to countries, entities, or specific malware variants on the U.S. Department of Treasury’s sanctions list. If a bad actor is not on this list, service providers take direction from the victim companies and their legal counsel regarding negotiations and payment.

Negotiation process

The ransom negotiation process is often shorter when the group communicates via website because the channel is always open, and less time is spent awaiting email responses. Either way, every interaction matters and factors into the next step of the process — especially as the response team is simultaneously analyzing intelligence gained from the forensic investigation, monitoring the network, running the crypto wallet ID through blockchain analysis, and conducting a series of other checks and balances.

Often, the first interaction is asking for next steps and “proof of life” — in other words, asking the bad actors to decrypt a few files to prove they have the decryption key or, if they’ve claimed to have stolen data, asking to see proof of what they have. Again, this is a business transaction and without proof, it’s impossible to move forward. There needs to be a two-way exchange at each step; otherwise, the transaction fails altogether.

Skilled response teams often have a good understanding of what the bad actor will accept based on a combination of threat intelligence, historical data, and experience dealing with that group. This knowledge can often be the difference between a company going under or restoring normal operations and bouncing back to life in a timely manner.

This article originally ran in Today’s Cybersecurity Leader, a monthly cybersecurity-focused eNewsletter for security end users, brought to you by Security Magazine. Subscribe here.