Hello, I’ll be your ransomware negotiator today – but don’t tell the crooks that – The Register

Interview: The first rule of being a ransomware negotiator is that you do not admit to being a ransomware negotiator – at least not to LockBit or any other cybercrime gang.

Instead, these negotiators simply pose as company representatives, said Drew Schmitt, a professional ransomware negotiator and senior threat analyst at cybersecurity firm GuidePoint Security.

“The main reason is that most ransomware groups say, bluntly and explicitly, ‘We don’t want to work with a negotiator. If you bring a negotiator to the table, we’ll just publicize your stuff anyway,’” Schmitt told The Register. Hence the need to impersonate a regular employee.

Ransomware, of course, is malware that encrypts any valuable files it can find once it’s on a network and demands payment to decrypt and recover the information. Recently, gangs have also been stealing copies of the data before encrypting it so they can leak it or sell it if the demand isn’t paid. Sometimes they just dump the files and don’t bother to encrypt them. Sometimes, the crooks use the stolen files to harass or take advantage of a victim’s clients or users. There are all sorts of things extortionists can do and demand once they are on your computers and have your data.

Schmitt said he negotiates a ransom or two a month, and victim organizations range from very small businesses to large corporations, spanning all industries. Manufacturing, technology, construction, government and healthcare were the hardest hit in the second quarter of this year, according to research for his company’s latest ransom report.

I’ve also seen initial demands of $25 million … they’re all over the place

He said he once saw a ransom note from a “less sophisticated group” that only wanted $2,000. “But I’ve also seen initial demands of $25 million,” he added. “So they’re all over the place.”

Schmitt said he has negotiated ransoms down to zero dollars on two occasions. “Both were in different types of healthcare, where we came to the table and said, ‘Hey, we’re a healthcare organization. We have a responsibility to save lives,’ and they basically said, ‘Sorry, I’ll give you a free decryptor.’”

Of course, these are the outliers, and some groups, such as Hive, target the healthcare industry specifically because they believe hospitals are more likely to pay to make the whole mess go away, since, among other things, lives and highly sensitive personal data are at stake.

In fact, a Sophos report earlier this year indicated that 66 percent of healthcare organizations surveyed were affected by ransomware in 2021 – up from 34 percent the year before, a 94 percent increase.

Of course, as ransomware and pure blackmail become solid sources of income for bad guys, so does demand for things like cyber insurance and ransomware negotiators, who act as intermediaries between the ransomware gang and the victim. Sometimes you might want to put someone between you and the criminals, someone who can initiate the payment in cryptocurrency, or negotiate down the demand, or get the decryptor from the extortionists, and so on.

According to research released in March by Palo Alto Networks’ incident response team, the average ransom demand in 2021 for attacks it was aware of was $2.2 million, a 144 percent increase from the previous year. Meanwhile, the average payment rose to $541,010 last year, a 78 percent increase from 2020.

From ransomware emails to Tor leak sites

Schmitt started working in Incident Response (IR) and Threat Intelligence about six years ago and says he “slipped” into ransomware negotiations in 2019.

“It was a natural progression of working in incident response,” he said. As ransomware infections became more prevalent, Schmitt rose up the IR ladder, playing various roles in the investigation and response process. “And one of those ended up in a negotiation with a threat actor.”

Back then, around 2019, these negotiations took place via email. But since then, ransomware gangs have matured and evolved their businesses to include instant messaging with victims to negotiate deals, affiliates to help spread the malware, and collaborators in non-technical roles, as the wider, above-ground world learned through the Conti leaks earlier this year.

Today, most criminal groups have their own websites to operate from, and some have PR and marketing departments and internal helpdesks.

Instead of dealing with emails, “it’s now usually just a URL” that directs the victim to the extortionists’ Tor-hidden website, and communication between victim and crook takes place in a chat box displayed in the Tor browser, said Schmitt. This is where Schmitt is typically called in to help with incident response and sometimes with ransomware negotiations.

The negotiation process itself involves bringing all the key lines of business around the table: C-suite executives, cybersecurity analysts, attorneys, HR and PR reps.

“All critical teams that will be involved in administrative response in addition to technical response,” Schmitt said. “All of these actors will be involved to determine what the negotiation strategy looks like.”

Should you negotiate with criminals?

However, the first question they must answer is whether they should even negotiate with the criminals.

US federal authorities say organizations should not pay ransom demands [PDF], and some private security firms even suggest that this exposes companies to subsequent ransomware attacks. Regardless, the question isn’t easy to answer, and the decision to negotiate or not is a two-pronged decision, we’re told.

How will this affect our brand if we show up on a ransomware leak site?

“You look at it from a purely technical point of view,” says Schmitt. This includes determining whether the company is able to recover data encrypted by the ransomware from backups, decrypt the files using a free tool, or otherwise bring the IT environment back online without paying a ransom.

“And then the other side is legal,” he said. “This is where you start answering questions about: How will this affect our brand if we are exposed on a ransomware leak site? If certain types of data have been disclosed on a ransomware leak site, how will this potentially affect compliance? What are the risks and what are our choices?”

One thought that Schmitt says doesn’t typically come up in the discussion — unless the criminal gang has been sanctioned by the U.S. Treasury Department or a similar body, in which case it’s illegal to pay them a ransom — is the ethics of paying a ransom, which in turn funds additional illegal activities and potentially the repressive regimes supporting or orchestrating ransomware campaigns.

“To be perfectly honest, there just isn’t a lot of discussion about where the funds go after the fact,” he admitted.

LockBit has remained the most prolific gang over the past two years, Schmitt said, adding that Conti also kept his fellow negotiators busy before that group disbanded and its members went on to form other gangs.

And each of these criminal organizations has its own quirks, history, and methods that can be useful to know about and exploit during the negotiation process.

“We keep detailed records of all interactions we have with various threat groups and then use that to our advantage – this technique may work better than that technique, or this group is known for negotiating, or you can’t push that group for very long before they get bored and move on,” Schmitt said. “They all have traits that we use to ensure we don’t push the wrong buttons and give ourselves the highest chance of success in reducing the ransom as far as possible.”

But even the criminals have usually done their homework. For example: researching the cyber insurance policy of a victim organization.

“We often see this as a negotiating tactic,” said Schmitt. “‘We found your insurance policy, we know you have $10 million of coverage, so let’s start here.'”

Paying the initial demand does not happen very often. There is always some haggling and quibbling. Businesses also need to consider recovery costs and other expenses related to the security breach when figuring out what budget they have to deal with the problem, he said.

Just like buying a car

“But this is where we start,” Schmitt commented on the first demands. “And from there, it’s really the traditional back-and-forth negotiation process that you would see in a lot of other business applications — or when trying to buy a car.”

That is, if you’re locked in a room with the car salesman for days while he threatens to leak your private information on a website for all to see, and he might decide to raise the asking price if you take too long to reach an agreement.

Schmitt admitted it’s a scary job. “The stakes are really high,” he said. “When it comes to incident response in general and ransomware in particular, the burden is really high.

“For most clients that you work with, it’s the worst point in their careers, and it might be the worst point they’ll ever have, and you’re thrust into this situation where you’re trying to help them get out of the worst time of their career.” ®
