Interview with Valéry — Managing Leaks in Ransomware Negotiations

Valéry, co-founder and editor of LeMagIT and an experienced specialist in cybersecurity and end-user computing, has long translated complex technologies into practical advice. In this interview, he shares how organizations should manage crisis communication during cyberattacks, with a specific focus on the risks and impacts of leaked ransomware negotiations — from first responses to coordination with internal teams and authorities — so they can protect stakeholders and preserve trust.

1. Can you explain what ransomware negotiations typically involve and why they are sensitive?

Valéry: Ransomware negotiations generally involve information about the victim of the attack, starting with its name. That's very sensitive for a victim that hasn't publicly disclosed the attack. Even if there's no intention to pay, the fact that a conversation is taking place can be misinterpreted. Leaks during the process can undermine the goals of the negotiation. Additionally, exchanged files — whether they're raw lists of stolen data or encrypted files being tested for decryption — can contain PII or IP, making them highly sensitive.

2. What are the key risks associated with leaks of ransomware negotiations?

Valéry: The first risk is obvious: an undisclosed cyberattack becomes public. If a ransom had been paid to suppress the news, that intent fails. Worse, sensitive information shared during negotiation might be exposed, wrecking any planned communication strategy.

3. How can leaked ransomware negotiations impact an organization's reputation and overall security posture?

Valéry: In case of a cyberattack, resilience depends on two pillars: IT and communication. As shown in a 2022 Bessé-GP Goldstein analysis, communication is essential to trust. If communication appears inconsistent or unprofessional — especially in leaked chat logs — it damages trust. Leaked conversations may also make the victim a target for additional threat actors looking to exploit perceived weakness. It has happened before.

4. What steps can organizations take to ensure the confidentiality of ransomware negotiations?

Valéry: First, minimize exposure to the ransom note — especially with employees and customers. But when it's printed or unavoidable, find a way to establish a secure channel to the threat actor. Second, do not upload ransomware samples to public sandboxes or VirusTotal — at least not until incident response is complete. And finally, if a payment is made, ask the threat actor to delete the chat and verify that it's actually gone. Some groups, like Akira, are known to do this regularly.

5. Are there specific tools or technologies that can help prevent such leaks during the negotiation process?

Valéry: Many ransomware groups operate via web-based negotiation interfaces. If a chatroom seems compromised, they can open a new one. Details can be exchanged using ephemeral file sharing services or other discreet channels. Some threat actors also accept switching to email, Tox or Session.

6. How important is encryption when communicating with threat actors during ransomware negotiations?

Valéry: Threat actors usually only care about encryption while the negotiation is ongoing. After that, their interest in confidentiality drops. For victims who intend to pay and keep the attack secret, encryption is critical. For others, maybe not. But in any case, the rule is: assume leak.

7. Should organizations establish predefined protocols for ransomware negotiations? If yes, what should these protocols include?

Valéry: Absolutely. Just as you'd prepare an incident response plan, you should plan communication protocols for ransomware events. Consider scenarios based on how the ransom note appears, and build processes to keep those conversations confidential. But remember: the threat actor is not trustworthy. Some, like LockBit 3.0 and DragonForce, routinely publish failed negotiations. And you have no guarantee those chat logs weren't tampered with.

8. How should organizations handle third-party involvement (e.g. cybersecurity firms, law enforcement) to minimize the risk of leaks?

Valéry: That's a near no-brainer. Incident response firms are usually highly trustworthy. They're contractually and operationally focused on confidentiality. They also typically restrict access to conversations — even internal technical teams don't see them.

9. What are some common mistakes organizations make during ransomware negotiations that increase the risk of leaks?

Valéry: One big mistake: refusing to engage at all. If no one logs in to the attacker's chatroom, anyone with access to the ransomware sample or note might do it and extract info. Even if you won't pay, it's smart to at least engage, ask for a new chatroom and get the old one deleted. This risk varies. Some ransomware builds the ransom note using runtime arguments, making it harder for third parties to re-enter negotiations from the sample.

10. If you had to give one key piece of advice to organizations facing ransomware negotiations, what would it be?

Valéry: Don't do it yourself. Ask law enforcement, your insurer or a professional incident response firm who should negotiate on your behalf. Victims are rarely in the right headspace. Ideally, you've already defined a strategy and goals before you're in the middle of a crisis.

Many thanks to Valéry for his clear, actionable guidance. Leaked ransomware negotiations can be devastating, both technically and reputationally. Effective crisis communication is less about perfect answers and more about

By preparing these principles and protocols in advance, organizations can respond with clarity — and preserve trust when it matters most.