Negotiation with REvil Ransomware Group
This report provides an exhaustive account of negotiations conducted with the REvil ransomware group on behalf of a client. The attack left the client's operations incapacitated, prompting urgent attempts to resolve the matter and secure decryption tools to restore functionality.
Timeline and Key Actions
Initial Contact
The negotiator introduced themselves and outlined the financial constraints of the client.
Initial ransom demanded: $7.5 million USD.
Counteroffer: $500,000 USD, citing financial struggles due to the pandemic and economic downturn.
REvil’s Response
REvil rejected the counteroffer, asserting the price was non-negotiable.
Offered a discount to $6.75 million USD for prompt payment.
Threatened to publish sensitive data if demands were not met.
Prolonged Negotiations
Several rounds of negotiations occurred, with the client gradually increasing the offer.
Milestones:
$750,000 USD: Rejected by REvil.
$1 million USD: Considered insufficient; ransom reduced to $5 million USD.
Final Settlement
After extensive discussions, REvil agreed to $1.27 million USD, a significant reduction.
Payment was made in Monero cryptocurrency.
Decryptor tool was provided post-payment.
Key Steps in the Negotiation Process
Assessing the Situation
Immediate evaluation of the financial capability of the client.
Review of insurance coverage to determine the extent of business interruption compensation.
Data Analysis
Analysis of the exfiltrated financial documents to confirm the client's financial constraints.
REvil used this data to counter arguments, asserting the company had the capacity to pay more.
Strategic Negotiation
Persistent emphasis on the client’s inability to meet high demands.
Highlighted costs of rebuilding systems versus paying ransom.
Reinforced the limited value of stolen data to de-escalate ransom expectations.
Securing Decryptor
Confirmed decryptor capabilities for universal use across affected systems.
Verified step-by-step guidance for decryptor usage to ensure smooth restoration.
Post-Payment Inquiry
Requested a security report detailing the attack's entry point and methods used.
Learned:
Credentials for the Citrix server were purchased on the dark web.
Kerberoasting was used to escalate privileges.
Lack of 2FA on critical systems was a primary vulnerability.
Lessons Learned
Critical Security Gaps
Inadequate password hygiene (e.g., weak passwords like "12qwer34").
Absence of 2FA on sensitive systems.
Employee endpoints infected, leading to credential compromise.
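A password such as "12qwer34" passes naive length-and-character-class rules while being a keyboard walk that any cracking wordlist covers. The check below is an added example illustrating the "strong password policy" recommendation in this report; it is not the client's actual policy or any vendor's product. The minimum length, the keyboard rows and the small blocklist are constructed for the example; a production deployment would replace the blocklist with a breached-password corpus lookup.

```python
"""Reject passwords that are short, blocklisted, keyboard walks, or repeated runs.

Thresholds and the blocklist are constructed for this example; they are not the
policy described in the report.
"""
MIN_LENGTH = 12
WALK_LENGTH = 4          # shortest keyboard/number-row run that counts as a walk
RUN_LENGTH = 4           # "aaaa", "1111"
KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
BLOCKLIST = {"password", "12qwer34", "welcome1", "summer2024"}  # constructed sample


def _walks():
    """Every forward and reverse substring of WALK_LENGTH across a keyboard row."""
    for row in KEYBOARD_ROWS:
        for seq in (row, row[::-1]):
            for i in range(len(seq) - WALK_LENGTH + 1):
                yield seq[i:i + WALK_LENGTH]


WALKS = set(_walks())


def find_keyboard_walk(pw):
    """Return the first keyboard-walk chunk found in pw, or None."""
    low = pw.lower()
    for i in range(len(low) - WALK_LENGTH + 1):
        chunk = low[i:i + WALK_LENGTH]
        if chunk in WALKS:
            return chunk
    return None


def find_repeated_run(pw):
    """Return the character repeated RUN_LENGTH or more times in a row, or None."""
    count = 1
    for prev, cur in zip(pw, pw[1:]):
        count = count + 1 if cur == prev else 1
        if count >= RUN_LENGTH:
            return cur
    return None


def check_password(pw):
    """Return a list of policy violations; an empty list means the password is accepted."""
    reasons = []
    if len(pw) < MIN_LENGTH:
        reasons.append(f"too short ({len(pw)} < {MIN_LENGTH})")
    if pw.lower() in BLOCKLIST:
        reasons.append("on blocklist")
    walk = find_keyboard_walk(pw)
    if walk:
        reasons.append(f"keyboard walk '{walk}'")
    run = find_repeated_run(pw)
    if run:
        reasons.append(f"repeated character '{run}'")
    return reasons


if __name__ == "__main__":
    for candidate in ("12qwer34", "correct-horse-battery-staple-42"):
        verdict = check_password(candidate) or ["accepted"]
        print(f"{candidate!r}: {', '.join(verdict)}")
```

The walk check is case-insensitive and also catches reversed rows ("rewq", "4321"); combined with a breached-password blocklist and MFA on the Citrix and other remote-access paths, it removes the two cheapest routes an attacker had here.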
Ransom Negotiation Tactics
Begin with a lower counteroffer and gradually increase to find a middle ground.
Use financial reports to argue inability to pay excessive amounts.
Data Handling Post-Attack
Ransomware groups often do not retain exfiltrated data once payment is received.
Logs of deleted files are typically not available.
Recommendations for Future Mitigation
Implement Robust Security Measures
Enforce strong password policies.
Mandate multi-factor authentication (MFA) for all critical systems.
Employee Awareness and Training
Conduct regular security training to reduce susceptibility to phishing and malware.
Proactive Monitoring
Invest in cybersecurity tools for real-time monitoring and detection of suspicious activity.
Incident Response Planning
Develop and test comprehensive incident response and disaster recovery plans.
Evaluate Insurance Policies
Ensure cybersecurity insurance covers ransom payments and related costs.
Conclusion
The negotiation underscores the importance of thorough preparation, financial assessments, and strategic concessions. While the outcome minimized the financial burden on the client, it revealed critical vulnerabilities that must be addressed to prevent future incidents.