What happens when ransom negotiations fail?
Leading financial services firm Ameritrade has been targeted and victimized by the notorious Cl0p ransomware group following a failed ransom negotiation.
Cl0p claimed the Ameritrade data breach last week.
In the latest development in the ongoing crisis, the ransomware group has declared that it will release the company data after ransom negotiations went south.
Cl0p ransomware group listed Ameritrade as a victim last week, thanks to the ongoing MOVEit vulnerability attacks.
The cybercriminals have openly criticized the company’s legal team, alleging a dismal performance during the Ameritrade ransom negotiations, further intensifying the situation.
The ransomware group has now escalated their offensive tactics by threatening to leak sensitive data stolen from Ameritrade’s systems.
An official response is yet to come on the Ameritrade data breach or the subsequent ransom negotiation.
Ameritrade data breach and the failed ransom negotiation
Cl0p ransomware group, known for its brazen attacks and extortion strategies, took to their leak site to publicly deride Ameritrade’s negotiating approach.
The group mocked the negotiators, referring to them as “stupid donkey kongs” and criticizing their choice to store sensitive data in a vulnerable file transfer system.
“This expected happen when big donkey kong king of company say to negotiating democratic babes to waste time,” said the post.
The ransom negotiation attempts over the Ameritrade data breach threat reportedly involved offering $4,000,000 as a resolution, with staggered payments of $500,000 every two days.
However, the ransomware group dismissed the proposal, claiming to be wealthy enough to withstand such offers and refusing to be coerced into a prolonged negotiation process.
They threatened to expose Ameritrade’s data, stating that countless organizations face the same fate depending on their willingness to pay the ransom.
The leak site post also highlighted an alleged exchange between the negotiators and the ransomware group, exposing what the group considered a joke-filled and ineffective negotiation approach.
According to the Cl0p ransomware gang, the company’s representatives reportedly displayed a lack of understanding and urgency, leading the cybercriminals to view Ameritrade’s negotiators as inept and undeserving of their demands.
What makes ransom negotiation difficult
Successful ransom negotiations are the ones that we don’t know about. The Cyber Express can confirm that ransom negotiations and payment happen often.
But when a ransom negotiation fails, like in the Ameritrade data breach incident, it literally explodes on your face!
Take the case of ransomware attack on ION Group. LockBit ransomware gang, the hackers who carried out the breach at financial data firm, claimed that a ransom has been paid.
Other than a Reuters report that quoted the ransomware gang, nothing much was discussed on it. ION Group declined to comment on the matter.
Ransom negotiators are no longer affiliated with specialized cybersecurity firms. They could be internal managers, business consultants, and even lawyers like in the case of Ameritrade ransom negotiation.
Incident response teams are instrumental in managing ransomware attacks and minimizing the impact of data breaches.
These professionals possess a unique skill set that combines technical expertise, knowledge of cybercriminal tactics, and strong communication and negotiation skills.
Ransom negotiation: The do’s and don’ts
Kurtis Minder, CEO of GroupSense, has built a reputation as an expert in ransomware negotiation and has helped many clients respond to ransomware attacks.
According to him, there are other options available than the obvious one of paying off, and that the decision to pay the ransom should be carefully considered.
Negotiators can work closely with a company’s executives, security staff, legal department, and press handlers to ensure that the company’s needs are accurately and firmly represented during the negotiation process.
They can also help companies communicate their stance on paying the ransom and negotiate the terms of payment if that is the route the company chooses to take.
When engaging in ransom negotiation, these negotiators establish direct communication channels with the ransomware gang or the individuals behind the attack.
Their primary objective is to gather crucial information, clarify ransom demands, and negotiate the terms of potential payment.
The remuneration of ransom negotiation varies, according to the executive commissioned.
“For example, if the original ransomware demand was $100 000, and we ended up lowering it to $50 000, you save $42 500 and pay us 15% of the saved amount ($50 000), or $7500,” said the offer document of Atlant Security, a US-based cyber and IT security company.
A successful negotiation requires the negotiators to verify the attackers’ claims, ensuring their capability to decrypt files or restore access to systems.
By requesting evidence, such as samples of decrypted files or demonstrations of the decryption process, negotiators can assess the credibility of the attackers’ promises.
According to Atlant Security, ransomware negotiation should always begin with a series of preparation meetings with company executives and their legal team.
“These meetings help establish any potential leverage points in the negotiation which would be convincing to the hackers and give them no other option but to agree to your conditions.”
Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.
