Navigating Ransomware Settlements – What You Need to Know

The decision to pay a ransom is challenging for businesses and government agencies. While no one wants to support cyber criminals, many victims face operational disruptions or costs that exceed the ransom amount.

Cyber security measures, including backups and user training, can help reduce the risk of an attack. Other strategies include identifying the source of an attack and reporting it to law enforcement.

What is a Ransomware Settlement?

A ransomware settlement is a financial agreement between a business and a threat actor that settles a cyberattack and its associated damages. In most cases, extortionists demand payment in Bitcoin or other digital currencies because they allow them to remain anonymous and instantly make large transactions.

When companies are forced to pay a ransom, they often face regulatory fines and damage to their reputation. As a result, they may decide to pursue a settlement to avoid the risk of losing their customers and business partners. However, professionals in the industry like Fortinet suggest ransomware settlements should be avoided if at all possible to help reduce the risk of another attack.

Many businesses are also hit by lawsuits from victims harmed by the attack. A study found that only 33% of companies conduct regular training on cybersecurity threats like ransomware, and only 46% believe they can detect a threat before it occurs.

Moreover, third-party vendors can be held financially responsible for ransomware attacks that impact their customers. For example, some reached a $6 million settlement with individuals affected by a 2021 ransomware attack on its service that disrupted payroll for Tesla, Whole Foods, and Metropolitan Transportation Authority.

Healthcare organizations can also face lawsuits and penalties for breaching the Health Insurance Portability and Accountability Act (HIPAA). For instance, Community Health Systems settled a $20 million class action lawsuit with 28 states after a ransomware attack exposed the PHI of up to one million patients.

What are the Benefits of a Ransomware Settlement?

If you are one of the 1.1 million Health patients affected by last year’s ransomware attack, watch for your class action settlement claim letter. The settlement, which awaits the court’s approval, offers a variety of benefits, like free identity theft monitoring.

The settlement will compensate victims whose personal information was compromised during the attack, which paralyzed the system and caused appointment delays. Among other things, it will pay for replacement computers and software and the cost of a data recovery company to retrieve any compromised files. It also includes reimbursement of out-of-pocket expenses and cash payments to help with emotional distress.

While it is straightforward to prevent ransomware attacks, many companies do not make it a priority. According to a recent study, only 33% of organizations conduct internal training on ransomware, and only 29% believe their employees can identify threats.

However, ransomware negotiators – a group that did not exist just a few years ago – are stepping in. These individuals, many of whom are ex-police or military, manage the fraught discussions between victims and hackers to negotiate a ransom payment. They also partner with cyber insurance companies to settle claims and reimburse victims. However, some worry that they are aiding criminal activity by facilitating payments to hackers.

How Do Ransomware Settlements Work?

A ransomware attack typically results in a threat actor telling you that your information has been encrypted and can only be accessed once you pay them a sum. This type of cybercrime is a huge problem and is estimated to be one of the fastest-growing crimes in the world.

Even though the FBI and other government agencies strongly advise against paying the ransom, there are times when businesses see no alternative to restoring their systems. For instance, Lake City, Florida, had to pay a $460,000 ransom after cybercriminals threatened to turn off the town’s water pumps and other critical systems.

In some cases, threat actors will publish a list of companies that have not paid the demanded amount to shame victims and encourage them to comply. The infamous Ryuk and Maze ransomware variants most recently used this tactic.

When a company experiences a ransomware attack, it is vital to notify the insurance carrier immediately. During the first hours and days, there will be a flurry of calls between the insured, breach counsel, and the insurance carrier as the claim professional begins coordinating the investigation/response. The airline may also request a copy of the incident response plan and additional information, including control tests and mitigation efforts such as frequency of backups (ideally, disk-based backups are better) and multi-factor authentication for access to cloud-based backup systems.

How Can I Negotiate a Ransomware Settlement?

As attacks on organizations multiply, many businesses need help paying the ransom or ignoring it and diverting resources to recovery. Both options have risks, but a third option is standard in hostage situations. In a recent webinar, a 25-year veteran hostage military crisis negotiator who turned his skills to cybercrime shared the best practices for negotiating with ransomware attackers.

The first step is to get security experts or professional negotiators involved as early as possible. They can help define negotiation goals and work to reduce the ransom amount. It is important to remember that the person you negotiate with works on commission and has a vested interest in getting as much money as possible from your organization.

Another tactic is to offer to pay in cryptocurrency, which is more difficult for attackers to convert into real dollars. This will make them more likely to accept a lower ransom.

If your organization has a cyber insurance policy, it is critical to notify the insurer immediately after discovering a ransomware event. They will ask you a series of questions about the attack, including details about how your data was affected, the cost of remediation, and the total amount of loss.

Working with a firm that can settle ransom payments 24/7 is also essential. Threat actors operate in remote time zones, and many attacks happen at night or on weekends. A company can help you settle the ransom quickly and avoid further damage to your business.