A growing swarm of ransomware attacks has created a cottage industry of tech whizzes willing to do what companies and law enforcement won’t — negotiate with the cybercriminals who are taking systems and data hostage.
The FBI’s stated policy is that it does not negotiate with cyberattackers, the same way it does not negotiate with terrorists. That refusal has helped open a market for private cybersecurity professionals who specialize in interacting with the attackers on behalf of victims who have made the difficult decision to pay up rather than wait for the government to solve their case.
The increase in attacks against victims with an incentive to pay has created plenty of potential work that did not exist a few years ago. The FBI is investigating “about a hundred different variants” of ransomware responsible for dozens to hundreds of attacks, said Tonya Ugoretz, FBI Cyber Division deputy assistant director. She said there were maybe a handful of such highly impactful variants a year or two ago.
Cybersecurity company GroupSense handled its first ransomware negotiation case last year, said its founder, Kurtis Minder. He said the Arlington, Virginia, company’s first negotiation prompted law firms assisting victims and a cyber-insurance company involved in the case to refer a surplus of work his way.
After Mr. Minder added ransomware negotiation to the offerings on his company’s website at the prodding of a law firm, he said he received more requests for his services, especially from those who could not afford costly lawyers or an insurance policy to cover the digital setbacks.
Mr. Minder, however, was not a trained negotiator. He hurriedly got up to speed by reading books and taking online classes, particularly watching the MasterClass videos of Chris Voss, a former hostage negotiator with the FBI. He also leaned on his connections among federal officials.
“I called in a lot of favors, like I just called in people I knew that were trained negotiators and asked them questions,” Mr. Minder said. “I gave them specific scenarios that I was going through while I was going through them and saying, ‘What would you do?’ And so I kind of learned on the job, I like to say I built the bicycle while I was riding it.”
Now, Mr. Minder’s ransomware negotiation team features three main negotiators and several analysts speaking more than a dozen languages. The negotiators focus on interaction with the victim and crafting the messaging for the cybercriminals, while the analysts handle the technical aspects of the conversation on the dark web and do the forensic work needed to understand the adversary.
Information such as attribution of the attacker’s identity, the ransom amount the attacker will often settle for and the transactions the attackers recently completed is collected and placed into a portal where GroupSense’s customer can review the data in real time. Mr. Minder’s team also has a scribe take detailed notes of their strategizing for clients to see in the portal.
“Before we send any message, it doesn’t matter if it’s ‘hello,’ or if it’s the actual offer, we get approval from the client. Every single message,” Mr. Minder said. “And some clients like to get involved, like it’s spy versus spy for them.”
He said the adversaries often speak English as a second language and his team does not have the benefit of using eye contact or changing vocal intonation when negotiating in cyberspace. As a result, the cadence of the digital messages, language choice and tiny details such as when, if ever, to use capital letters can prove crucial.
Mr. Minder said he urges his clients to alert law enforcement and the FBI in hopes that the government is taking inventory of the cases, including details about which ransoms were paid, and collecting other information.
Asked whether FBI agents are trained to interact or negotiate with cyberattackers, Ms. Ugoretz said the FBI has experts in crisis negotiation but declined to provide additional details about agents’ cyber training.
The FBI has advocated against paying ransoms but wants victims to contact them regardless of whether they choose to pay the digital attackers.
“If, in the case of ransomware, we’re made aware that an entity is in a negotiation with a ransomware actor or thinking about paying a ransom, the earlier we are brought in, the more likely we are to be able to help,” Ms. Ugoretz said.
In the case of the ransomware attack on major U.S. fuel supplier Colonial Pipeline, the FBI was brought in before the company decided to pay the attacker, and the bureau ultimately helped recover about $2.3 million in cryptocurrency — the majority of the payment made by the pipeline company.
Paying ransomware attackers irks other federal agencies because it may encourage future attacks and violate sanctions imposed by the U.S. government. Last October, the Treasury Department’s Office of Foreign Assets Control (OFAC) warned that companies making or enabling payments to attackers sanctioned by the U.S. government risk violating laws that carry civil penalties. Knowing violations of OFAC’s rules and related laws could bring criminal liability, according to an analysis from the law firm Jones Day.
But figuring out whether an individual attack is tied to an entity sanctioned by the U.S. government can be difficult. For example, the DarkSide enterprise attacking Colonial Pipeline used a ransomware-as-a-service model in which developers of malicious software and affiliates deploying it share portions of the victims’ payments.
President Biden has linked the DarkSide group to Russia, and DarkSide announced plans last year to use servers in Iran, according to the tech publication Bleeping Computer.
Whether or not the attackers using DarkSide’s service were sanctioned entities, Bleeping Computer reported that DarkSide’s intended use of infrastructure in Iran prompted ransomware negotiation firm Coveware to stop facilitating payments to DarkSide, given the existing sanctions against Iran.
Colonial Pipeline CEO Joseph Blount told a Senate committee that his company had no direct contact with the attackers but hired negotiators and legal personnel who repeatedly checked to make sure his company’s payment would not violate OFAC rules.
Lawyers for the pipeline company brought in cybersecurity firm FireEye’s Mandiant division before the company decided to pay the ransom, according to House committee testimony from Charles Carmakal, FireEye Mandiant senior vice president and chief technology officer.
Mr. Carmakal declined to provide details to The Washington Times when asked about what advice he gave Colonial Pipeline about how to evaluate whether to pay the ransom.
“One thing that we don’t do is we will not negotiate with threat actors. We won’t communicate with them. We don’t get involved in the payment at all of threat actors,” Mr. Carmakal said. “Now one thing that we do do sometimes with organizations that ask for it is, we will help them think through the process of potentially engaging a threat actor in a communication or potentially paying them. So we’ll kind of walk them through these are certain decision criteria.”
The decision then is left to the victim.
To avoid falling victim to a ransomware attack, Ms. Ugoretz advocated using multi-factor authentication and patching common vulnerabilities to block the initial access points that attackers use to breach systems.
Mr. Minder said initial access brokers shop their breaches to ransomware gangs in underground markets, alerting many would-be attackers to potential targets. He said the technical sophistication required to launch an attack is “almost nothing.”
“This is totally preventable, it’s a cyber hygiene problem,” Mr. Minder said. “I mean, but I think the main thing is some people just assume that these bad guys have these really sophisticated cyber tools. They don’t, and they don’t have to. It’s super easy.”
Mr. Minder also said he urges victims not to search Google for ransomware negotiators lest they fall victim to scammers posing as negotiators. He advocated instead for consulting a law firm to connect victims with appropriate help.
He said his team does not view ransomware negotiation as a profit-driver — he has charged an hourly rate with a cap — but it uses the service to find leads for clients that likely need his company’s other cybersecurity products, too.