Don’t Respond to Ransomware Attackers With AI, Experts Say

When in a stressful situation, your brain can feel scrambled, making it hard to think clearly about the next move. Turning to an artificial intelligence chatbot like ChatGPT for help might be tempting.

But if ransomware attackers threaten you, that may not be a good idea.

“Typically, AI is not sensitive enough to pick up on human emotion or provide the necessary nuance required to connect with threat actors and diffuse the situation, and this is where it can escalate,” Moty Cristal, from ransomware negotiator and incident response firm Sygnia, told TechRepublic. 

Notorious ransomware group BlackBasta has been known to offer discounts for quick payment but also accept ransoms and not provide the victims with a working decryption key. Medusa, another group, uses “triple extortion,” where an affiliate claims a negotiator has stolen a paid ransom and demands an additional payment for the true decryptor. 

This shows that anything can happen during the negotiation stage, and you shouldn’t go into it blindly relying on what AI tools tell you to say.

Negotiators must remain approachable to avoid angering the attacker

Maintaining the right tone with attackers throughout ransomware negotiation is crucial. It is not uncommon for them to leave backdoors in malware that let them retaliate with additional encryption, or even by wiping all data, especially if they sense a lack of respect or that they’re being strung along.

Therefore, negotiators try to remain “approachable,” Cristal said. An AI could encourage victims to break the golden rules of not using “negative language” or telling the threat actor outright that they won’t pay the ransom. 

Attackers “can be extremely polite, even friendly to begin with,” Sygnia’s Vice President of Corporate Development Guy Segal told TechRepublic. But they may get more “aggressive and threatening” if they don’t get what they want quickly — which would be the case if all hope of payment was extinguished. 

“Defensive behaviour will create a more hostile atmosphere,” Cristal added. 

Falling victim to ransomware does not mean game over, and good negotiation can limit the damage 

Maintaining the right tone is not only important to prevent the attacker from inflicting further damage — but also to get as much information out of them as possible.

Negotiators may be able to steer the conversation to learn what data the cyber criminals are holding, how they breached the system, and the likelihood that they may return or publish their data.

“Every threat actor has their motives and life experiences that make them who they are — conversing is important to understand how we approach the situation,” Cristal explained. 

“Do they have enough data to damage the company? Could they cause real-world damage, particularly for critical infrastructure clients, or impact people’s lives? The threat actor may well be happy with a smaller ransom payment than their initial request because they just need the money.”

Learn the best ways to prevent ransomware so you never have to worry about striking the right tone with a cybercriminal.