Inside Ransomware Negotiations and Cyber-Attack Responses
S-RM, a London-based cyber-incident response firm, claims to have the UK's largest such team, with approximately 150 first responders worldwide. In one notable Scattered Spider intrusion, what began as a 30-minute Teams call with a retailer escalated into a 24-hour operation with experts rotating through the response. The firm says it typically makes first contact with a client within six minutes of being called.
The firm's primary objective is to cut off the attacker's access so as to stop data exfiltration and encryption, effectively "stopping the bleeding." It also provides extortion support: its negotiators may take part in ransom talks, but the decision on whether to pay rests with the client or the insurance policyholder, and the firm's emphasis is on avoiding payment wherever possible.
S-RM maintains detailed intelligence on threat actors, recording their negotiating patterns and how reliably each group keeps its word. In the firm's experience, more established ransomware groups are more likely to honor a settlement by deleting stolen data or supplying working decryption keys. Sanctions enforcement against state-linked groups remains difficult, however, because groups tend to rebrand soon after being listed, turning the application of penalties into a game of "whack-a-mole."
Victims now prioritise restoration and recovery over forensic analysis, with the focus on bringing systems back online quickly. The UK's National Cyber Security Centre has also changed its posture, shifting from a passive recipient of incident reports to a proactive body that reaches out to victims and facilitates information sharing, a significant change in approach.
Separately, investigations such as the one into the Jaguar Land Rover attack have pointed to Russia as a possible source of the intrusion. It has also been clarified that the retailer in the Scattered Spider incident described above was neither Marks & Spencer nor the Co-op.