Negotiating with Ransomware Criminals Creates New Business for Security Professionals

A growing swarm of ransomware attacks has created a cottage industry of technical specialists willing to do what companies and law enforcement agencies won't: negotiate with cybercriminals who are holding systems and data hostage.

The stated policy of the FBI is that it does not negotiate with cyber attackers, in the same way that it does not negotiate with terrorists. That refusal has helped open a market for private cybersecurity professionals who specialize in dealing with attackers on behalf of victims who have made the difficult decision to pay rather than wait for the government to resolve their case.

The increase in attacks on victims with an incentive to pay has created a lot of potential work that did not exist a few years ago. The FBI is investigating "about a hundred different variants" of ransomware, each responsible for tens to hundreds of attacks, said Tonya Ugoretz, deputy assistant director of the FBI's Cyber Division. She said there were maybe a handful of such variants a year or two ago.

Cybersecurity firm GroupSense handled its first ransomware negotiation case last year, said its founder, Kurtis Minder. He said that first negotiation by the Arlington, Virginia company led the law firms assisting the victim and the cyber insurance company involved in the case to refer additional work to him.

After Mr. Minder added ransomware negotiation to the offerings on his company's website at the behest of a law firm, he said he received more requests for his services, especially from victims who could not afford expensive attorneys or an insurance policy covering digital incidents.

Mr. Minder, however, was not a trained negotiator. He caught up quickly by reading books and taking classes online, particularly by watching MasterClass videos from Chris Voss, a former FBI hostage negotiator. He also relied on his connections among federal officials.

"I asked for a lot of favors, like I just called people that I knew were trained negotiators and asked them questions," Minder said. "I gave them specific scenarios that I was going through as I went through them and said, 'What would you do?' So I learned on the job. I like to say that I built the bike while riding it."

Now, Mr. Minder's ransomware negotiation team has three main negotiators and several analysts who speak more than a dozen languages. Negotiators focus on working with the victim and crafting messages for the cybercriminals, while analysts handle the technicalities of the dark web conversation and do the forensic work necessary to understand the adversary.

Information such as attribution of the attacker's identity, the ransom amounts the attacker has typically accepted, and transactions the attacker recently completed is collected and placed on a portal where the GroupSense customer can review the data in real time. Mr. Minder's team also has a scribe who takes detailed notes on its strategies for clients to see on the portal.

"Before we send any message, it doesn't matter if it's 'hello' or if it's the actual offer, we get the customer's approval. Every message," Minder said. "And some clients like to get involved, like it's spy versus spy to them."

He said adversaries often speak English as a second language, and his team does not have the benefit of eye contact or vocal intonation when negotiating in cyberspace. As a result, the cadence of messages, word choice, and small details such as when, if ever, to use capital letters can prove crucial.

Minder said he urges his clients to alert police and the FBI in the hope that the government keeps an inventory of cases, including details on what ransoms were paid, and gathers other useful information.

When asked if FBI agents are trained to interact or negotiate with cyber attackers, Ugoretz said the FBI has experts in crisis negotiation, but declined to provide additional details about the agents’ cyber training.

The FBI has advocated for not paying ransoms, but wants victims to contact them regardless of whether they choose to pay digital attackers.

"If, in the case of ransomware, we learn that an entity is in a negotiation with a ransomware actor or is thinking of paying a ransom, the sooner they bring us in, the more likely we can help," Ms. Ugoretz said.

In the case of the ransomware attack against the major U.S. fuel supplier Colonial Pipeline, the FBI was brought in before the company decided to pay the attacker, and the bureau eventually helped recover around $2.3 million in cryptocurrency, most of the payment the pipeline company had made.

Paying ransomware attackers troubles other federal agencies because it may encourage future attacks and may violate sanctions imposed by the U.S. government. Last October, the Treasury Department's Office of Foreign Assets Control (OFAC) warned that companies that make or facilitate payments to attackers sanctioned by the U.S. government risk violating laws that carry civil penalties. Knowing violations of OFAC rules and related laws could lead to criminal liability, according to an analysis by the law firm Jones Day.

But figuring out whether an individual attack is linked to an entity sanctioned by the U.S. government can be difficult. For example, the DarkSide group that attacked Colonial Pipeline used a ransomware-as-a-service model in which the malware developers and the affiliates who deploy the malware share portions of victims' payments.

President Biden has linked the DarkSide group with Russia, and DarkSide announced plans last year to use servers in Iran, according to technology publication Bleeping Computer.

Whether or not the attackers using DarkSide's service were sanctioned entities, Bleeping Computer reported that DarkSide's intended use of infrastructure in Iran led ransomware negotiation firm Coveware to stop facilitating payments to DarkSide, given the existing sanctions against Iran.

Colonial Pipeline CEO Joseph Blount told a Senate committee that his company had no direct contact with the attackers, but hired negotiators and legal staff who repeatedly checked to make sure the company's payment would not violate OFAC rules.

Attorneys for the pipeline company brought in the Mandiant division of cybersecurity firm FireEye before the company decided to pay the ransom, according to House committee testimony from Charles Carmakal, senior vice president and chief technology officer of FireEye Mandiant.

Carmakal declined to provide details to The Washington Times when asked what advice he gave Colonial Pipeline on how to assess whether to pay the ransom.

"One thing we don't do is we won't negotiate with threat actors. We will not communicate with them. We don't get involved in paying for all threat actors," Carmakal said. "Now one thing we sometimes do with organizations that request it is that we will help them think through the process of potentially involving a threat actor in a communication or potentially paying them. So we'll walk you through, these are certain decision criteria."

The decision is then left to the victim.

To avoid falling victim to a ransomware attack, Ugoretz advocated using multi-factor authentication and patching commonly exploited vulnerabilities to close off the initial access points attackers use to breach systems.

Minder said initial access brokers sell the access they obtain to ransomware gangs in underground markets, alerting many would-be attackers to potential targets. He said the technical sophistication required to launch an attack is "next to nothing."

"This is totally preventable, it's a cyber hygiene problem," Minder said. "I mean, but I think the main thing is that some people just assume that these bad guys have these really sophisticated cyber tools. They don't and they don't have to. It's super easy."

Minder also said he urges victims not to search the web for ransomware negotiators, lest they fall victim to scammers posing as negotiators. Instead, he advocated consulting a law firm that can connect victims with the right help.

He said his team doesn't see ransomware negotiation as a profit generator (he charges an hourly rate with a cap), but uses the service to find potential customers who are likely to need other cybersecurity products from his company as well.
