Treasury Dept. advisory shines spotlight on ransomware negotiators

The emerging ransomware negotiator industry has come into the spotlight recently following an advisory from the US Department of the Treasury for companies that facilitate ransom payments to threat actors on behalf of victims.

The advisory, from the department’s Office of Foreign Assets Control (OFAC), warned of potential regulatory trouble that such organizations could face if ransom payments ended up in the hands of adversaries on OFAC’s Specially Designated Nationals and Blocked Persons List (SDN). US persons and entities are prohibited from conducting transactions with anyone on the SDN list or with any individual or organizations from countries that OFAC has officially sanctioned, such as North Korea, Iran, Ukraine, and Syria.

OFAC’s advisory did not introduce any specific new limitations for organizations willing to pay threat actors a ransom to get back access to their data after a ransomware attack. It mostly reminded organizations of potential violations of existing US policy they would trigger if they — or anyone acting on their behalf — made the payment to individuals or entities on OFAC’s sanctions list. OFAC currently has numerous threat actors on its cyber-related sanctions list, including ransomware operators such as North Korea’s Lazarus group and those behind the SamSam, Dridex, and CryptoLocker campaigns.

The OFAC guidance has focused attention on companies that offer ransomware negotiation services to enterprise organizations. Over the past two years or so, a handful of these companies have emerged with services designed to help ransomware victims professionally communicate with and negotiate a mutually acceptable outcome with their attackers.

Threat intelligence firm GroupSense is one recent example. Earlier this month, the company introduced a new service that it says can help ransomware victims navigate a slew of issues following an attack. According to GroupSense, it can help organizations evaluate and confirm attacks, negotiate with threat actors to reduce ransom demands, manage cryptocurrency payments, arrange for the destruction of any stolen data, and carry out other post-transaction activities.

Ransomware incident response firm Coveware offers a similar menu of ransomware negotiation services. Like GroupSense, the company claims it can help ransomware victims communicate with their attackers and negotiate lower ransom payments if needed. As part of its retained services, Coveware procures and pays cryptocurrency to attackers on behalf of victims and helps them decrypt and recover data.

A handful of other mostly small companies — such as CyberSecOp, Arete Advisors LLC, and Gemini Advisory — tout ransomware negotiation services as well. The Wall Street Journal recently described Arete as helping the city of Florence, Ala., negotiate a reduced ransom payment after a June 2020 attack.

To read the complete article, visit Dark Reading.