Cyber Insurance News has wondered how often ransomware gangs — groups of criminals often supported by hostile foreign powers — can be trusted.
We asked Jennifer Coughlin of Mullen Coughlin, “a law firm uniquely dedicated exclusively to representing organizations facing data privacy events, information security incidents, and the need to address these risks before a crisis hits.” She was presenting at the recent RPS webinar Cyber Market Update: What’s New & What’s Next, based on RPS’ 2023 Q3 Cyber Market Update. Our related report on that event: “Irresponsible Underwriting” Arises in Cyber Insurance Market As Capacity Increases & Premium Growth Moderates: Risk Placement Services
Coughlin’s answer: “More often than not, they do honor their word…because they’re running a business too.” She added: “And if they get a bad reputation out there that they extort, and don’t give the key and return or delete the data…people are going to see that.”
By checking her own database and input from other ransomware negotiators and researchers, Coughlin is able to track the “reputation” of the gang with whom she’s negotiating. In general, if the group has done what it promised in past encounters, it can be expected to act accordingly in the current situation. While the gangs usually unlock access to or return data, Coughlin is skeptical all of them erase stolen data after being paid (although she notes the gangs may have their own data storage challenges.)
Coughlin did provide one example of “dishonest” ransomware crooks. In this case, her research raised red flags because the criminal was not previously known and demanded too little ransom.
“So the average ransom demand is $2.1 million. …(W)e’re expecting the average demand to be around there. But in every single ransomware matter that we have, we I have, I have a dashboard on Power BI where I track the variance. I track the demands received the payment, industry sector and a whole bunch of other information… And I had one a few weeks ago and the ransom notice that’s over to me and the demand is half a Bitcoin and immediately like red flags everywhere, absolutely everywhere. Bitcoin is not even close to $2.1 million and we then get the (group’s) name. Never heard of them. And it was it was a strange situation because I know how to counsel organizations as they’re investigating and responding to data privacy incidents, but we utilize the data that we gather on our matters to give them real dollar figures. And real experience. And here I have a matter coming in where the demand, the math works out to be, it was (an) $11,000 payment. And the client said, ‘What do I do?’ And I said, you’re not going to get your data back. Like let’s just call a spade a spade. We’re not going to get the data back. I’m not sure we’re gonna be able to clear OFAC because we’ve never dealt with these people before [Cyber Insurance News: OFAC is the Office of Foreign Assets Control, federal office which “administers and enforces economic sanctions programs primarily against countries and groups of individuals.” Paying ransom to an entity on the OFAC list can be illegal.] But we were able to clear OFAC and the client said: ‘You know, it’s $11,000 I need the state. If I can’t get it, then I’m really going to be in a bad situation.’ And sure enough, as we all predicted, I said he (the hacker)’s either going to reinstall it or just completely bail on us. And he re-extorted (and demanded another half bitcoin)… (I) negotiated with him to get it down to a quarter of Bitcoin and then he gave us the password (to recover the client’s data) and the data that he uploaded was junk and at that point, the client is all in maybe $50,000.”