Here's what happens inside a ransomware negotiation

 A seasoned negotiator with hundreds of incidents under his belt opens up his playbook

NBC Universal, Inc.

To pay or not to pay? That is the question companies must answer when they find out their computer systems have been taken over by ransomware.

No matter how professional, funny or even friendly a ransomware note may be, a company's response is typically the same: panic.

Picture of Ransomware note (GuidePoint Security)

“It’s such a terrible and impactful thing where people are dealing with a lot of stress and a lot of worry,” said Mark Lance, Vice President of Threat Intelligence and Incident Response for GuidePoint Security.

Lance said he has hundreds of ransomware negotiations under his belt, and that the first thing that needs to be done is to settle down everyone who is panicking.

“Being that calming voice that’s able to help them through and get them back to a point where they can continue to be successful and effectively operate their business,” Lance said.

What’s next? Lance said he and his team assess the data breach to see if they can recover the system without paying the ransom, an amount that can be in the millions of dollars, often paid via cryptocurrency from the company’s coffers or a cyber-insurance policy. This is not easy and may even be pointless, according to Lance.

“They’re very specifically making sure they’re encrypting and preventing access to backups that will allow you to restore,” Lance said. “They’re also taking steps now like stealing information, so even if you are able to restore, they’re still going to try to get payment from you based on the information and threat to release.”

In the meantime, Lance also reaches out to the digital attackers, usually through text messages or a chat portal on the dark web. He tries to buy time. He wants to know who is on the other side of the negotiating table. He added that he must be careful to not draw out the negotiations to the point where they terminate.

Mark Lance of GuidePoint Security said he's negotiated hundreds of ransomware attacks.

“So one thing that we leverage and is absolutely critical within our communications with these cyber criminals is our history of dealing with that specific criminal organization,” Lance explained. “We can look at trends in communicating with them in the past to see if they offer reductions in payment.”

You heard that right: Lance said they’re often communicating with the same cyber-criminals over and over again.

So, have Lance and his team ever been double-crossed?

“We’ve had instances where less sophisticated groups with less history have said things like, ‘We've come to agreed-upon terms and what's going to occur when we make the payment,’” Lance said. “We make the payment and, unfortunately, they don't uphold their end of the bargain and ask for additional money.”

However, Lance pointed out, organized groups tend to keep their word in order to keep the money coming in. Some will even explain the vulnerability of a system that provided them with access to the company's computer systems so their victim can take the necessary corrective action. 

The cyber-negotiator made it clear, though, that there are never any guarantees no matter how battle-tested his playbook is.

“Because you are dealing with a criminal organization, people who have just taken down your infrastructure and stolen information from you, and yet we are expecting for them to be honorable,” he said.

According to Lance, only after these and other boxes are checked can a company make the most informed decision about whether or not to pay.

Ed. note: An earlier version of this article incorrectly referred to Lance as 'Vance.'
