Treasury Dept. Advisory Shines Spotlight on Ransomware Negotiators

With attacks showing no signs of abating, some companies have begun offering services to help reduce ransom demands, buy more time, and arrange payments.

The emerging ransomware negotiator industry has come into the spotlight recently following an advisory from the US Department of the Treasury for companies that facilitate ransom payments to threat actors on behalf of victims.

The advisory, from the department's Office of Foreign Assets Control (OFAC), warned of potential regulatory trouble that such organizations could face if ransom payments ended up in the hands of adversaries on OFAC's Specially Designated Nationals and Blocked Persons List (SDN). US persons and entities are prohibited from conducting transactions with anyone on the SDN list or with any individuals or organizations from countries that OFAC has officially sanctioned, such as North Korea, Iran, Ukraine, and Syria.


OFAC's advisory did not introduce any specific new limitations for organizations willing to pay threat actors a ransom to get back access to their data after a ransomware attack. It mostly reminded organizations of potential violations of existing US policy they would trigger if they — or anyone acting on their behalf — made the payment to individuals or entities on OFAC's sanctions list. OFAC currently has numerous threat actors on its cyber-related sanctions list, including ransomware operators such as North Korea's Lazarus group and those behind the SamSam, Dridex, and CryptoLocker campaigns.

The OFAC guidance has focused attention on companies that offer ransomware negotiation services to enterprise organizations. Over the past two years or so, a handful of these companies have emerged with services designed to help ransomware victims professionally communicate with and negotiate a mutually acceptable outcome with their attackers.

Threat intelligence firm GroupSense is one recent example. Earlier this month, the company introduced a new service that it says can help ransomware victims navigate a slew of issues following an attack. According to GroupSense, it can help organizations evaluate and confirm attacks, negotiate with threat actors to reduce ransom demands, manage cryptocurrency payments, arrange for the destruction of any stolen data, and carry out other post-transaction activities.

Ransomware incident response firm Coveware offers a similar menu of ransomware negotiation services. Like GroupSense, the company claims it can help ransomware victims communicate with their attackers and negotiate lower ransom payments if needed. As part of its retained services, Coveware procures and pays cryptocurrency to attackers on behalf of victims and helps them decrypt and recover data.

A handful of other mostly small companies — such as CyberSecOp, Arete Advisors LLC, and Gemini Advisory — tout ransomware negotiation services as well. The Wall Street Journal recently described Arete as helping the city of Florence, Ala., negotiate a reduced ransom payment after a June 2020 attack.

The FBI and many other security experts have advised organizations not to accede to cyber-extortion attempts, warning that the practice only encourages more attacks. In its advisory, OFAC went further, characterizing payments to actors on its SDN list as posing a national security threat.

Despite such warnings and potential liability exposure, many companies continue to pay off their attackers rather than risk operational downtime and data loss following a successful ransomware attack. A study of 5,000 IT professionals that Vanson Bourne conducted on behalf of Sophos between January and February 2020 found that 26% of companies that fell victim to a ransomware attack in the past year paid a ransom to get their data back. Fifty-six percent restored encrypted data via backups, and 12% of the respondents in the study described using other means to get the data back.

Growing Demand

Moty Cristal, CEO of NEST Consulting, an Israel-based firm that offers ransomware negotiation services, says demand has increased in the past two years. Many of his engagements are with victims of highly targeted attacks involving ransom demands ranging from the high hundreds of thousands of dollars to several million dollars. In some cases, Cristal and his small team work directly with the victim. In other instances, the company is brought in as part of a larger team of incident responders.

The task itself can include everything from understanding the scope and purpose of the attack to buying time for the victim, improving the final deal, and securing the decryption key. In addition to communicating with attackers, Cristal says he is sometimes called in to speak with board members or other senior executives at the victim organization during the negotiation process.

"I'm a key player in a much larger effort to manage a cyber crisis," Cristal says. Success in these roles can be measured in multiple ways, including minimized downtime and damage, preserved relations among key stakeholders in the company, business continuity, and brand reputation. "If the head of the incident response team tells me 'I need you to buy me six days' and I buy him a week or eight days, I have dramatically contributed" to the crisis management effort, Cristal says.

According to Cristal, the warnings contained in the OFAC advisory do not apply to his services. "My role as a negotiator is to gather information to assist the incident response team," he says. "It is not my responsibility whatsoever to recommend whether companies should pay or not pay. I leave that to the full discretion of the decision-makers."

Reid Sawyer, head of the emerging risks group at insurance broker Marsh Advisory, says OFAC's recent guidance highlights the need for organizations to pay attention to their contracts when signing up with ransomware negotiators. "You want to make sure that contractually your third party is accounting for any potential interactions with SDN as they move forward," he says.

They need to ensure the third party can show evidence of those policies and procedures, he says. "It's very similar to how you treat any third-party vendor risks." In dealing with third-party ransomware negotiators — or even if dealing directly with a threat actor — organizations also need to ensure that any cryptocurrency transactions don't flow through or touch those on OFAC's SDN list, he says.

More generally, OFAC's advisory is a reminder for organizations to include potential ransomware payments in their existing sanctions compliance program, Sawyer says. Organizations need to understand that in some situations, OFAC's strict liability standards could make them civilly liable for ransomware payments even if they didn't realize they were dealing with an SDN entity, he cautions. "Organizations should be immediately auditing their existing sanctions compliance program or implementing a new one to include ransomware," Sawyer says. "CISOs should have a seat at the table. They need to be a part of the conversation."

In a real ransomware situation, an organization — or negotiator working on its behalf — may not know if the threat actor is an OFAC-sanctioned entity, he says. So, it needs to think of how to mitigate liability exposure in those situations. For example, having a sanctions compliance management program in place and being willing to work with law enforcement in the event of a ransomware attack can both mitigate liability risks, says Sawyer.

Importantly, Sawyer adds, OFAC's restrictions on ransomware payments affect not just US companies but also foreign entities that have any US business ties or business nexus.


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication.
