Chapter 1, Part 2: All hands on deck in C-suite ransomware response

January 31, 2022 – Published on Compliance Week and National Cyber Security News

In this article, the writer depicts a fictional cyber incident based on real-life scenarios described by expert interviewees, media reports, and other publicly available resources. While the details surrounding the characters, company, and ransomware attack are imagined, the business concerns and legal issues raised are plausible and based on actual cases.

The article also includes commentary from GuidePoint Security’s head of threat intelligence, Tony Cook, who provides insights into the ransomware negotiation process.

“A lot of times, the ransomware actor doesn’t actually affect most of the organization. It might just be a small population of it,” said Tony Cook, head of threat intelligence at GuidePoint Security. “Maybe the [actors] did hit everything—or maybe they didn’t. Maybe they don’t know anything. Maybe you can just restore from backup and never have to talk to these guys.”

Threat actors set their monetary expectations based on what they perceive they have, said Cook. “So, if I take an entire server’s worth of information from a very large organization, and I take a folder called ‘personal identifiable information,’ I’m thinking I have your crown jewels,” he said.

Much like the art of haggling with a used car salesman, a threat intelligence expert from an incident response firm will talk down the extortion fee, which is another reason why a company should not rush to pay a ransom outright.

“If you come across in the first portion of your negotiation as, ‘Whatever you need! I need to get back up!’ they’re going to jack up that price,” said Cook. “It’s really how you come across in the first initial portion that will set the pace for the rest of the negotiations.”
