
What happens in a cyber-attack? Cyber-criminals negotiations


Last week, details of FatFace’s cyber-attack surfaced. Some incredible details were reported from the attack, including screenshots of negotiations with the Conti cyber gang.

I closely follow the cyber news and this type of detail is rarely revealed. This is why these intimate details are so significant. Later in this article are screenshots of the negotiations between FatFace’s negotiators and the cyber-gang. Quite astonishingly, the cyber-criminals also advise how to prevent a cyber-attack in the future. In the article we will cover:

Cyber attack Taboo = under-reported cyber crime
How is this relevant to businesses in the West Midlands?
What negotiations between a cyber gang and victim look like
Sequence of events of a ransomware attack
What security would a cyber-criminal recommend?
What should Birmingham businesses do next?
What if I have been victim of FatFace’s cyber-attack?
What should I do if my business has been victim to a cyber attack?

Cyber attack Taboo = under-reported cyber crime

Cyber-attacks remain under cloak and dagger. The Cabinet Office's 'The cost of Cyber Crime' report suggests there is a "lack of available data and what we believe to be a significant under-reporting of cyber crime."

Cyber attacks are taboo: reputational damage and the fear of losing trust with customers and suppliers are the main reasons why many businesses keep it to themselves.

In reality, most businesses will have had some kind of cyber attack attempt. It is reported that last year alone, UK businesses had a 20% rise in cyber attack attempts compared to the previous year, facing an average 686,961 attempts to breach their systems online.

Of the cyber crimes reported, figures are notably rising. The most recent figures from the Department for Digital, Culture, Media and Sport's 'Cyber Security Breaches 2021' report suggest that 27% of businesses and 23% of charities experience some form of a cyber attack at least once a week. The most common by far are phishing attacks (83% businesses, 79% charities). This is followed by impersonation (27% businesses, 23% charities).

How is this relevant to businesses in the West Midlands?

Let’s remember that cyber-criminals are indiscriminate. Any business can be targeted, no matter their size. Cyber attackers are not interested in what you do, they are interested in extorting money. Cyber gangs are based around the world - it really doesn't matter to them where you are based, you are still a target.

The insights and lessons that can be learnt from this attack can be applied to any business - across all sectors and all business sizes. So if you are a small or medium business based locally in Dudley, Stourbridge, Worcester, Wolverhampton or Birmingham – here are what negotiations with a cyber-criminal look like:

Negotiations between a cyber gang and business

Cyber criminals urge a speedy payout in negotiation between the Conti gang and FatFace

Cyber attack negotiation between Conti and FatFace


Ransomware sequence of events

Computer Weekly have reported that the following sequence of events took place for FatFace:

  1. The hacking group, Conti gang, entered the fashion retailer’s network on 10th January 2021 via a phishing attack. This was probably caused by an employee clicking on a spam email link. Good email filtering and employee training can help to prevent this.

  2. Between the 10th January and the 17th January 2021, just seven days, the cyber gang had access to FatFace’s IT administration passwords and rights. In that time, they took 200GB of data. Most cyber attacks go unnoticed for over 100 days, so the gang moved quickly in this instance. The gang identified FatFace’s cybersecurity systems, back-up servers and storage.

  3. On the 17th January, cybercriminals launched a ransomware attack. This is when FatFace would have first learned about the attack. We don’t know the full details, but typically a cybercriminal will ask for money in exchange for getting the victim's IT systems back online. They may also threaten to release sensitive data onto the dark web if they are not paid.

    Below is an example of a computer screen interface used by a cyber criminal to notify you (victims) that you are being held for ransom. This particular interface is from REvil and offers victims/negotiators a deadline before demands are doubled:
    What happens in a cyber attack - Ransomware warning screen 
  4. Next, FatFace began negotiating with the cybercriminals. Below are the interactions between cyber criminals and negotiators. Historically, negotiations would take place via email, but today, hackers use 'customer service instant chat' functionality instead - as you would expect from a corporate support desk:

    Support: Well, your online sales seem pretty nice to me, we've went through the databases and the traffic statistics before calculating the initial offer

    Support: I will need some time to discuss with my boss if we have go down a bit though, basing to the fact that you have a large offline retail network. And we will review the financial documents that are in our possession.

    Negotiator: Yes, please discuss with your boss. We have an e-commerce presence, but it is small and it only makes up about 25% of our revenue. The majority of our sales and profit comes from our stores which have basically come to a halt.

    Support: And what about your cyber insurance? Most of our attacks are now covered by the insurance companies when the demands cannot be handled by other reasons.

    Support: We are ready to make it fast, but we need a better offer. Make a step towards us and we will make the same. Let's make it faster by walking towards each other in a more timely manner.

    Negotiator: It's hard for us to be more 'timely' because there is an analysis and then approval process. It goes up many layers of people and takes a few days to complete. I haven't told everyone of your $5M offer because it would take 3-4 days to get an answer from our side. I was hoping you'd come back today with a step towards us and then I can bring that number to everyone to get a decision without many delays.

    Support: Give me half an hour. We will discuss on how to make it faster and I will get back to you

    Negotiator: Okay I will be here. Of course, the lower the price, the faster it can be for us to approve. I will wait to hear from you.

    Support: We have had an urgent meeting. I could convince everyone that we want this deal to be closed by the end of the week and managed to get you a new price that is way way better than the previous one. We are ready to accept $2.65mil

    Negotiator: Thank you very much for this. I will tell everyone immediately and we will have a meeting tomorrow to discuss. We would also like this to be closed.

    Cyber criminals access to financial and insurance documents

    When the cyber criminals accessed FatFace's IT infrastructure, they also accessed FatFace’s cyber insurance and financial documents to understand what ransom payout the business could afford. This gave the criminals the upper hand in the negotiation.

    Businesses should consider where important documents like these are saved. Speak to your IT department or IT support for advice.

    Outsourced negotiator

    FatFace seem to have outsourced a specialist to negotiate with the hackers. Rob Wright at TechTarget suggests that this approach to resolving a ransomware attack is typical today. Most businesses pay the ransom as it is perceived to be the quickest way to get business back to normal; however, it is not that simple.

    Outsourced negotiators will "assess the threat actors and ask some key questions, [such as] has the group exposed victims' data even after they've received ransom payments?". But Wright suggests that the ransom amount can always be negotiated down, which is what happened to FatFace, from $7m to $2m.

  5. Next, the fashion retailer negotiated and paid the agreed $2m ransom to the Conti ransomware gang.

  6. After the negotiations had finished, Conti hackers gave their own cybersecurity recommendations to FatFace, which are detailed below.

What cybersecurity do cyber-criminals recommend?

Here are the security measures recommended by Conti gang to FatFace following their cyber-attack:

  • Implement email filtering
  • Conduct employee phishing tests
  • Review their Active Directory password policy
  • Invest in better endpoint detection and response (EDR) technology – use a product that protects the internal network and isolates critical systems
  • Implement offline storage and tape-based backup.

What should Birmingham and Black Country SMEs do next?

Check what security measures you already have in place. Ask your IT department to list what you currently do. If you have outsourced IT support, look at your invoice and work out what security coverage you currently have. If your IT support has not offered you these fundamental best practice security measures, I would also question whether they take cybersecurity seriously and if they have your best interests at heart.

Cybersecurity has evolved and outsourced IT providers should be proactive. The best IT support businesses will communicate security measures they recommend for your individual. Cybersecurity measures are affordable to SMEs today, but ensure your IT department has time to implement and report on your security. If they spend their time firefighting today's issues (e.g. printer not working), then they will not have time to consider tomorrow's threats.

We offer the Enhanced Security Package to our clients. This contains all of the cyber-criminals' recommended cybersecurity measures and more, for example, ongoing staff training. If you remember, the attack likely began because an employee clicked on a spam link within an email (phishing attack). Being able to spot and report spam links could prevent an attack from ever taking place.

What if I have been affected by FatFace cyber attack?

FatFace have already notified customers that some personal data, including names, postal and email addresses and limited credit card data, have been compromised. They are also offering affected customers a 12-month subscription to Experian’s identity theft service. We would highly recommend taking them up on this offer if you have been victim to the attack.

What if my business has been victim to a cyber attack?

  1. Get in touch with your IT support or IT department. They should already have an agreed 'cyber response plan' or 'action plan' in place. Each attack will have its own characteristics, so the response will be dependent on the individual circumstances.
  2. Head to the National Cyber Security Centre website for general guidance about response and recovery; it is also best to get in touch with them.
  3. You will also have to report the incident to Action Fraud.
  4. If you are suffering a live cyber attack (in progress), please call Action Fraud's hotline 0300 123 2040. This line is open 24/7, every day of the week.
  5. If data has been breached, it is mandatory to notify the Information Commissioner's Office within 72 hours, under new General Data Protection Regulation (GDPR) rules.

If you need help creating a cyber response plan or with cybersecurity, get in touch or request a call back.
