Negotiating with cyber criminals is not recommended…

For a start they are criminals, trying to extort you. I have heard business owners comment on ransomware gangs as though they are businesses you need to interact with. Now I know threat actors are shaping themselves to be business like with, help desks, means of paying the ransoms, public business plans etc., etc..

But they are not legitimate businesses.

Both the National Cyber Security Centre (NCSC) and the Information Commissioner’s Office (ICO) do not think that the hackers should be paid for their illegal activity – however they wrap up the extortion process. They sent an open letter to The Law Society and The Bar Council outlining why it is better for everyone’s (including those infected with the ransomware) not to engage with the threat actors by paying the ransoms demanded.

That brings us to today and a case in the United States. If you do interact with the hackers, especially if you engage with them to cover up the hack and pay them, you could be committing a criminal offence. And whilst the hackers are free spending your money, you could be in prison – no matter how senior you are in a company:

Former Uber security chief convicted for concealing a felony – BBC News

Joe Sullivan Uber’s former chief security officer was convicted, in a San Fransisco court, after covering up a data theft of about 57 million Uber users’ records and 600,000 driving-licence numbers, which included paying the threat actors off and getting them to sign a non-disclosure agreement about the data theft.

Joe Sullivan was fired from Uber in 2017 following the 2016 hack and plead guilty to obstruction of justice and concealing a felony.

There is one more twist to this story, Sullivan had previously been employed in prosecuting cyber-related crime for the San Francisco US attorney’s office.

So better to have a cyber security plan, understand your risks, mitigate where possible and know how your organisation is going to respond to an incident including any disclosures you may need to make, rather than planning to pay the threat actors off.

Clive Catton MSc (Cyber Security) – by-line and other articles

Further Reading

If your plan to defeat ransomware is to pay up, then read on… – CyberAwake

state sponsored hacking 200