When hackers kidnap their data, companies are increasingly using ‘breach coaches’ and negotiators

Cyberinsurers can help providers recover from digital attacks or even make ransom payments to recover lost data.


It’s a nightmare scenario for many executives: Finding out that your company’s computers have been infected with ransomware that’s holding critical data hostage.


“These are very urgent situations,” says Bill Siegel, cofounder and CEO of Coveware, a ransomware recovery company based in Connecticut. “The position the companies are typically in is one of severe business disruption.”

For companies that have never dealt with ransomware before, it may not even be clear who to call to begin to look into the situation. But for the growing number of organizations with cyberinsurance policies that cover digital attacks, the answer is often their insurers, who will quickly put them in touch with so-called “breach coaches”—a term that usually refers to specialized attorneys who’ve essentially become fixers in the fight against ransomware.

John Mullen, whose law firm Mullen Coughlin specializes in data breach situations, says his firm operates hotlines where dozens of insurers, brokers, and their clients can leave voice messages in the event of a ransomware attack or other breach.

“We see it within a minute,” Mullen says. “Within two or three minutes, we’re clearing conflicts. Within 10 minutes, we’re reaching out.”

Attorneys like Mullen naturally can provide legal advice to companies, including guidance about their obligations to disclose an attack to customers or regulators, and even though they’re often referred to clients by insurers, they represent the ransomware victims, not the insurance companies. But they also serve as a kind of central coordinator when it comes to ransomware response, working with computer forensic experts who can determine the extent of the attack, companies that can notify customers impacted by a breach, and IT firms that can quickly provide staffing to fix issues. If company leaders determine they need to pay a ransom, breach coaches can even pull in specialized companies such as Coveware that have experience negotiating with attackers and verifying that paying the ransom is likely to actually result in unlocking files.

“If you would, we’re the general contractor,” Mullen says. “We’re going to bring in the plumbers.”


One advantage of having a law firm lead the response is that conversations about what happened can be relatively candid, since discussions between clients and lawyers are usually legally protected.

“Right off the bat, the communication with the client is covered by the attorney-client privilege and the work product doctrine,” says Sean Hoar, chair of the data privacy and cybersecurity practice at Lewis Brisbois. The firm regularly gets calls from insurers and end clients looking for help with ransomware and other digital attacks.

“People call us breach coaches,” he says. “I prefer to use the term outside counsel.”


Security firms say ransomware is on the rise. IBM recently reported that attacks were up 67% year-over-year in the last quarter of 2019. The coronavirus outbreak may only make the problem worse: While some organized crime groups behind the attacks have reportedly said they’ll avoid healthcare organizations during the pandemic, some hospitals have still been struck by such attacks, and there have already been reports of ransomware and other digital scams targeting people seeking information about the virus.

Insurers offering cyberrisk policies, which can cover ransomware and other types of digital attacks, look to offer emergency response services to their customers dealing with high-tech disruptions, even if the problems are spotted in the middle of the night. The “quickly growing” cyberinsurance market is currently worth about $3.1 billion per year, according to a report from the National Association of Insurance Commissioners. Insurers can put their clients in touch with experts and potentially cover the costs of responding to the attack, whether that means recovering data, notifying customers or, if need be, even paying ransom.

“It is often one of the worst days of their life,” says Tim Francis, enterprise cyber lead at insurance giant Travelers, which provides 24-hour access to claims representatives for cyberattack victims. “Even when they have an incident response plan in place, even when they pull the plan out, even when they practice the plan, it’s nothing like it is in the real world.”


Francis declined to discuss specific customers by name—in addition to clients’ natural desire for confidentiality about previous incidents, it’s often considered unwise to discuss too publicly that you’re carrying insurance. But, he says, a typical ransomware scenario usually involves an organization discovering that an employee accidentally clicked a link in a phishing email, inadvertently installing malware that compromised the company’s network and files.

“It’s not just being a financial resource,” says Francis. “It’s to put them in place with experts, ourselves included, to help them understand that, okay, things are not great but we can control this, we can deal with it, and we’ve got the right people in place to deal with that process.”

Those are the breach coaches themselves. They’re also the forensic firms the breach coaches help choose, who need to be a good match for the victim organization in terms of size and software familiarity. And they’re the technical experts at firms like Coveware, who could analyze the malware involved and even assist in negotiating the terms of the ransom and making payment in cryptocurrency if the victim decides to pay.

“As an example, just even the transacting the bitcoin can be complicated,” says Francis. “For an organization that otherwise has no experience with that, that alone can be intimidating or complicated.”

How to negotiate with hackers

Whether to pay is not always a simple decision: Many organizations naturally don’t want to give money to criminals, and some can simply recover data from backups without having to decrypt the files that have fallen into the hands of hackers. But ransomware experts can provide information about how likely victims of particular types of malware are to actually get working decryption tools if they pay up, says Siegel, explaining his company tracks recovery rates from different ransomware variants.

“They can gain a lot of confidence in going down that route that if their case ends up like all the other ones that we’ve done, they’ll get back up and running,” he says.


One option, says Francis, is to try to negotiate with hackers to pay a portion of the ransom to recover a limited number of files, which can help verify that the attackers actually can decrypt the files.

There can also be legal considerations involved: Hoar says his firm insists that any ransomware negotiation experts it works with be able to do sufficient due diligence to make sure that a payout won’t run afoul of anti-money-laundering laws and similar regulations. Such requirements can run two ways: Siegel says Coveware won’t work with clients who haven’t retained legal counsel if there’s a risk of a data breach.


The company often handles negotiations with ransomware attackers through email or encrypted chat, looking to meet client needs as far as timelines for decryption and ability to pay. “We are constantly changing up the way we communicate with these groups to try to maintain a negotiation advantage,” says Siegel.

Naturally, people involved in the ransom negotiation world can be tight-lipped about exactly what techniques they use. One advantage that negotiators sometimes have is that attackers don’t always know what their victims are able to pay, or even exactly who victim companies are, meaning skilled negotiators can often talk ransom demands down. Occasionally, Hoar says, it can even be helpful to appeal to the attacker’s altruism and, say, mention the good work done by a nonprofit client.

“I may find where I’ve got an opportunity to insert that kind of information in case it gains my clients anything,” he says.

If attackers do turn over decryption software, there’s still a question of what to do with it to make sure it doesn’t include additional malware. Some ransomware remediation companies will run the decryption software in a “sandboxed” environment where it can’t reach other data. Coveware often extracts the actual key or password used and inserts it into its own custom made software, Siegel says. Its decryption tools are often faster and ensure clients don’t have to run additional software from the very hackers that attacked them. If there’s a risk that data was actually stolen as part of the attack, Coveware can work with the victim and its attorneys to figure out what’s actually happened.


“Sometimes it’s a total bluff,” says Siegel. “Sometimes there has indeed been gargantuan amounts of data exfiltrated.”

Once the data’s restored, the job isn’t necessarily done: Insurers can also be involved in covering work to make sure the victim can’t get victimized once more. In a recent addition to Travelers’ services, once the immediate threat has been addressed and data recovered or decrypted, the insurer and its experts will work with companies to harden systems and policies to make sure they’re less likely to be struck again. Simply getting hackers out without taking steps to keep them from coming back ultimately didn’t feel sufficient, Francis says.

“That doesn’t quite feel like we’ve done enough for the customer,” he says.


About the author

Steven Melendez is an independent journalist living in New Orleans.