Attackers routinely target hospitals in hopes of getting a big payday. Andrew Carr of Booz Allen talks about dealing with attackers, assessing threats, and deciding when not to pay.
Ransomware gangs have attacked hospitals and healthcare organizations with greater frequency because they know they have a good chance of getting paid, industry analysts say.
Some cyberattackers will take down a system’s computers and electronic records, and won’t relinquish control until a ransom is paid. Attackers also often seek private health information that is highly valuable on the dark web.
A ransomware group’s attack on UnitedHealth Group’s Change Healthcare last year proved to be the most damaging cyberattack the healthcare industry has ever seen. It affected 190 million Americans and disrupted hospitals and other providers across the country. Attackers have breached large hospital systems and are also going after smaller, rural hospitals.
But ransomware groups can be willing to negotiate how much a victim pays.
Andrew Carr, a ransom negotiator for Booz Allen, works with hospitals and companies in other sectors that have been attacked by ransomware groups.
“Ransomware has developed over the years,” Carr tells Chief Healthcare Executive®. “So I've been in this space for quite a long time, and early on there were a lot of hard-nosed threat actors. But they've realized that some money is better than no money. So they often will negotiate.”
Ransomware groups will accept less than they hoped on some occasions, particularly if their attack was less successful than they had anticipated.
“They often will negotiate, especially if it's one where they maybe realized that they didn't have as much of an impact on the organization as they thought they did,” Carr says. “Especially now in recent years, organizations are becoming increasingly prepared. They're taking proactive cybersecurity measures much more seriously, and we're seeing a much better resilience to these types of attacks. So sometimes they are willing to negotiate and come down on their demands.”
In an interview with Chief Healthcare Executive, Carr talks about dealing with ransomware groups, assessing threats, and working with health systems to deal with cyberattacks. In some instances, a ransom negotiator can help a hospital see that they don’t have to pay.
Gaining intelligence
Federal officials reported a 264% increase in ransomware attacks on healthcare organizations between 2018 and 2023.
Authorities discourage healthcare organizations - and companies in any sector - from paying ransom demands, but they also acknowledge it’s a difficult decision for hospitals and health systems.
If hospitals can’t use their electronic health records or other key systems, lives can be at stake, so health systems will pay to restore their systems and serve patients. Andrew Witty, then-CEO of UnitedHealth, told a Senate committee last year that the company made a $22 million ransom payment.
Carr says Booz Allen doesn’t participate in payments, but negotiations can give organizations information about the damage they’re facing and can inform next steps.
“It’s frankly not even always about negotiating,” Carr says. “We often refer to it as threat actor communications, rather than threat actor negotiations, because much of the time we're really trying to gain intelligence and insight for the victim organization, whether that be the method of attack, the method of ingress into the environment, whether that be information related to stolen data.”
“So sometimes we're just trying to get information on what data the threat actor claims to have taken, if they really did take it, to help the organization understand the risks that they're exposed to,” he explains.
Some ransomware groups can be civil during negotiations.
“You'd be surprised at how cordial, how professional the interactions typically are,” Carr says. “There are certainly individuals and groups that you know are a little bit more terse, but for the most part, you know, there's ‘please,’ ‘thank you,’ … polite interactions. And that goes a long way. So you kind of feel them out, you try to gain an understanding of their appetite for a negotiation, and you kind of just take it as it goes.”
Some more professional groups will assist organizations with regaining access to their networks.
“Sometimes you need unique decryptors for different systems, because the encryption keys are different,” Carr says. “So it really depends on the group and the method of encryption that's employed. And sometimes, frankly, the decryptors don't work as well as intended. Now, many of the more formal groups will try to assist you in the decryption effort, because, as I said before, they see this as a business, but that's within reason, right? They're not going to go out of their way to be overly kind in these situations.”
Even after getting a payment, some ransomware groups will demand more money in another extortion attempt.
But some of the more established groups understand that if they demand too much, others will learn about their tactics and be less willing to pay or negotiate.
“If they have poor interactions with these victim organizations, word is going to get around,” Carr says.
“This is a small world that we live in, in incident response, and word gets around pretty quickly,” he explains. “Especially if groups will re-extort, that gets around pretty quickly as well. So, you know, they understand … if they want to get paid, they should approach it in a kind of formal business-like manner, and that goes a long way as far as keeping the communications flowing and keeping them on track.”
Refusing to pay
More often than not in Carr’s negotiations, organizations decide against paying a ransom demand.
“The vast majority of times that we interact with threat actors, the organization will choose not to pay,” he says.
Healthcare organizations have developed better cybersecurity defenses in recent years, and they also have developed stronger recovery plans, Carr says.
“They're better prepared,” he says. “They have a better backup strategy. Their staff within the organization knows how to react and deal with these things.”
Sometimes, Carr says, negotiations are about buying time for health systems and other organizations to recover.
Talks are also used to get attackers to drop harassment campaigns.
“They'll send large amounts of internet traffic to the organization to try and make it so they can't perform their business functions,” Carr says. “They might send emails to the staff or clients. So sometimes the negotiations are simply to get them to stop those tactics, while the organization shores up their defenses, gets ready for the remediation effort, and kind of stalls things out so that there's not a larger impact.”
With hospitals remaining a frequent target of ransomware groups, Carr says health systems should focus on building robust defenses and crafting detailed plans to deal with a breach.
Ideally, taking such steps lets a health system avoid negotiating with criminals and deciding whether a ransom should be paid.
“Resilience and preparation is going to be the absolute best thing that an organization, especially healthcare, can do,” Carr says.