
Cracking the code in ransomware negotiations

Leeann Nicolo

Ransomware incidents can require delicate skills.

Negotiator Leeann Nicolo, Denver-based incident response director for cyber insurance and security company Coalition Inc., said a typical ransomware case begins with her contacting the hacker, either through a chat forum on the dark web or email, in response to the message the criminal has left behind when files are encrypted. 

“I usually kick off the start of communications by asking, ‘Can you help me?’” using terms such as “‘I’ and ‘me’ instead of ‘we’ and ‘us’ to make it seem like we are small,” said Ms. Nicolo, who has handled 500-600 ransomware cases.

She also makes a point of using plain English, because English may not be the hacker’s primary language. “I make sure everything I’m saying” can be handled by Google’s translation function and that “it translates in a straightforward way, making sure that no matter what language they speak, they understand what I’m saying,” Ms. Nicolo said.

As the next step, “they’ll usually come back with some sort of authenticated copy and paste message,” telling her the data is encrypted, how much is being demanded and the wallet — the app that allows cryptocurrency users to store and retrieve their digital assets — where the ransom payment should be made. 

Ms. Nicolo said she then investigates, gathering threat intelligence to see if payments have been made to the wallet in the past and to learn about the hackers’ communications style.

At that point, negotiations generally begin, with the hackers revealing how they came up with the monetary amount. 

Negotiations continue for anywhere from eight days to two weeks, with the company paying a negotiated amount, she said.

In about 70% to 80% of the cases, the bitcoin is purchased, its receipt confirmed and the decryption key sent, she said. 

In the remaining cases, the hackers come back and “re-extort,” demanding additional ransom, and this is usually negotiated down, Ms. Nicolo said.

