by noduerme 1839 days ago
I don't think I would ever pay ransom under any circumstances. Not for data or system functionality. I'd throw the computers in the river. I know this about myself because I had to deal with a kidnapping and extortion of my best friend in South America around 15 years ago, and a few years later a DDoS extortion attempt on one of my servers (the criminal was released from prison recently and I won a federal judgment against him for damages). Not a day goes by that I don't wish misery and sickness on those people. But something emerged in me during those crises that was not necessarily something I liked about myself in the long run. I wouldn't negotiate. I'm ashamed to admit I risked a friend's life by lying to the kidnappers. But I couldn't believe a word they were saying or even know if she was alive. I went cold and stopped cooperating. It was terrifying, but I was in shock. I played poker with someone's life. It's something you don't really know about yourself or ever want to know until you're in the situation. I still have nightmares about it.

For the attacker, this may just be another bullet, another target. Killing or erasing your company's data, for the attacker, may mean absolutely nothing.

How do we go from here? Your job as a negotiator is to get them off their "fight mode" through the use of time, dialogue, and empathy.

By saying "I won't negotiate" you're building a gloomy vision that there is no future. If the threat is real, you're out of time and out of luck. As Voss says, "She's dead."*

Further reading:

Stalling for Time: My Life as an FBI Hostage Negotiator (Gary Noesner)

Never Split the Difference (Chris Voss)

Ego, Authority, Failure (Derek Gaunt)

Movie: A Hijacking (IMDB)

* "60 seconds or she dies" challenge on YouTube (Chris Voss).

Link to the interesting "60 secs or she dies" roleplay: https://m.youtube.com/watch?v=_NWElrHgbGo
There's a bunch of videos (some better than others); that's why I didn't link to one or another.

The goal of this exercise is to control your emotions and behavior. Easier said than done. I can see how the author above had a problem being logical about the situation. I still have those issues myself even knowing what needs to be done, things just happen. Tough skills and even tougher for a "natural born assertive".

I just delved into this. Fascinating stuff. I think in part it's not that I'm naturally assertive but that I'm the opposite. I can't put myself in the mindset of the attacker. So I'm looking for a technical fix, a way around. I also thought clearly, if I pay, they'll just ask for more. Because how can you possibly expect someone doing something like that to keep their word? So to me it's a bit like the boundary described in that video where giving the hostage-taker a car is just not a viable option.

Tangentially related to technical fixes: There was an incident recently where my brother had his phone SIM-jacked, and the attackers changed his Google password. He recovered access by email, but they kept changing the password as quickly as he did. Both parties were still logged in. I called his phone number; someone picked up and then hung up. So I got on Skype on a couple of different machines and basically DoS'd the phone with calls from random Skype numbers nonstop. After about 15 minutes of this they either turned off the phone or the 4G. It bought enough breathing room to change the 2FA on the account and lock down his bank accounts that used Gmail as his verification address. If they'd been smart or fast enough to change both the recovery email and the SMS 2FA, it would have been game over.

No such thing as "under any circumstances". The circumstances determine your decision, and what your priorities are.
Right. True. But I mean I'm not sure if my decisions would be based on logical priorities. The first experience really primed me. Terrorized me. Made me want to kill people who do things like that. The second, the one that didn't involve a human life, brought down a transatlantic cable and cost mid six figures, not including me working 72 hours straight trying to get into my own servers to migrate them. I not only refused to pay the ransom, which was around $2k, I didn't even disclose the ransom letter to the clients who were down until it was over. I got on the phone with the FBI and devoted a solid chunk of time over the next year to hunting down the attacker. That's not a good priority. It came from deep damage and unresolved anger about the earlier situation.