Before he retired after 30-plus years in law enforcement, Nick Shah OBE had managed between 1,000 and 1,500 kidnap and ransom scenarios. He stepped down from traditional law enforcement after moving to Africa several years ago, but his three decades of experience dealing with criminals, negotiating ransoms and building insights into criminal psychology led to his natural next step: setting up his own risk and crisis management business, SJ Group International.
Not being the type to cut back his workflow, however, he then also struck up a conversation with Neil Hare-Brown, owner and CEO of the cyber risk consultancy STORM Guidance, and they were both struck by the similarities of the roles they played in the market. Shah joined STORM as a ransomware negotiator around two years ago and supports the firm’s cyber response services by delivering a strategic and tactical negotiation response to ransomware attacks.
“When some sort of attack has happened, a demand comes through – and that invariably is through a web-hosting chat forum where the threat actor puts their demands and there’s a ticking clock that shows you the time you’ve got left to deal with that,” he said. “On some occasions, they do create emails but [whichever format] they use, we communicate with them through that.
“There’s some misunderstanding about the word ‘negotiations’, however, because everyone thinks that you negotiate the price and that we’re there just to get the lowest price. Actually, it’s far from that. We engage with the attackers to obtain as much information as possible to enable the client to make an enhanced risk assessment.”
STORM works to encourage clients, where possible, to engage with attackers to obtain this information and thus increase the quality of their threat assessment. Actual ransom negotiations are generally at the latter stages of any engagement, he said, and STORM actively works to look at all the options available, rather than merely paying demands. Through engagement with attackers, he can elicit valuable information, for example, the group the attackers are linked to, what geographical location they may be based in, and the likelihood of them keeping to the terms of any agreement.
“The natural thing is that this allows us time, because time is always ticking,” he said. “So, while we’re engaging, we can negotiate some delays through natural conversation. And the adverse side of this is that if you don’t engage, you really don’t know what the actual threat is and miss the opportunity to gain intelligence. You also don’t know what the attackers are likely to do, when they’re likely to do it or if they’ve done anything like this before, which is what we find out.”
Shah encourages clients to engage in these conversations where it’s appropriate, and he noted that it tends to be appropriate in the majority of cases. Exceptions include the rare occasion that a client is convinced that the threat facing them is minimal and business continuity is within reach within a matter of days. Engaging does not mean that the ransom will get paid, he said, and, for a myriad of reasons, the preferred option is always not to pay.
Of course, he said, if a client feels it’s the correct course of action for them, then the team will work with that and try to help them pay the least amount possible, but that is very rare. In the time he has been with STORM, for instance, far less than 1% of cyberattack ransoms have been paid, and when they are, it’s at the behest of the client.
Having your business held to ransom in this way is incredibly stressful for the business involved, he said, whether you’re a giant institution or a small family-run business. And there’s a real complexity to negotiating a cyber ransom: from reading the profile of the threat actor, to dragging out conversations for as long as possible, to discerning the correct course of action.
Given this complexity, Shah’s warning to businesses looking to engage with a negotiator in the cyber space is to pay close attention to whom you are enlisting and their experience in the market.
“What I see [in this market] quite a lot is people who are only trained in the low-level suicide intervention area, coming into the private sector, and selling their skills as a negotiator for things that are far more complex,” he said. “And they’re not at all properly trained, and certainly not properly experienced in dealing with complex negotiations. And it’s not just in ransomware, I see it in the kidnap and extortion world, as well. So, [my advice] is that this space is pretty small so it’s important to select an appropriately trained and experienced negotiator.”