Dark Reading Confidential: Meet the Ransomware Negotiators

Episode 2: Incident response experts-turned-ransomware negotiators Ed Dubrovsky, COO and managing partner of CYPFER, and Joe Tarraf, chief delivery officer of Surefire Cyber, explain how they interact with cyber threat actors who hold victim organizations' systems and data for ransom. Among their fascinating stories: how they negotiated with cybercriminals to restore operations in a hospital NICU where lives were at stake, and how they helped a church, where the attackers themselves "got a little religion."

Dark Reading Staff, Dark Reading

June 27, 2024

54 Min Listen

Becky Bracken, Senior Editor, Dark Reading

Hello everyone and welcome to Dark Reading Confidential. It's a podcast from the editors of Dark Reading, bringing you real-world stories straight from the cyber trenches. I'm Becky Bracken, your host. I'm joined by Dark Reading's editor-in-chief, Kelly Jackson Higgins and managing editor of commentary and copy desk, Jim Donahue, for this month's episode, "Meet the Ransomware Negotiators." Welcome to our guests, Ed Dubrovsky, COO and managing partner of CYPFER, and Joe Tarraf, chief delivery officer of Surefire Cyber. These two ransomware negotiators have agreed to sit down with Dark Reading Confidential this month. Kelly, can you explain a little bit about why we decided to highlight the role of the ransomware negotiator this month?

Kelly Jackson Higgins, Editor-in-Chief, Dark Reading

Sure, thanks, Becky. And welcome to our guests, Ed and Joe. We're really excited to talk to you today. So this topic is something that's always kind of intrigued us. We write about ransomware attacks every day on the site. We hear about them all the time. Obviously, ransomware is not going anywhere anytime soon. Pretty much every time we see a data breach news story, we assume it was a ransomware attack. And of course, Verizon's new report just showed that a third of all breaches last year involved ransomware or some sort of cyber extortion technique. So we really feel like this topic is not going away. And we really thought it'd be really interesting for our listeners to know more about how it works in ransomware response process, how a company decides to pay the ransom, how that process works through a negotiator. It's sort of been this sort of shadow process that we wanted to shed some light on. So we brought you both in, hopefully to sort of... give us more insights on it so that our listeners can understand how this works in case they ever get in these situations as well. So yeah, that's kind of what we wanted to do. So Ed, can we start with you and then Joe, if you could weigh in. So sort of a 101 question for our listeners. What exactly is a ransomware negotiator and how did you end up in this position or role?

Ed Dubrovsky, CYPFER

Yes, so that's it's an interesting story. I don't believe anybody really starts with the intent of being a ransomware negotiator. I don't think it's… it's a job, right? I wouldn't also call it a shadow anything, to be honest, because ransomware negotiations in this day and age is anything but in the shadows, and I'll explain as we kind of go through some of the other questions and topics that we're going to discuss, but I really fell into this role when I was trying to help our clients day in, day out. Now bear in mind that when I started negotiating just about 10, almost 11, years ago there wasn't the concept of ransomware as it is today. So ransomware has evolved very, very drastically.

So we had a client that was barely encrypted. Most of the time, encryption was very ineffective back then. And you didn't really need to speak to these criminals, ultimately. So what we've done, we typically help them recover from backups and things like that. And you didn't need to negotiate. But all of a sudden, the day came when one of our clients realized they didn't have good backups. And now the files that they had encrypted back then were very, very important to this particular client. So either they go bankrupt or they choose option B, which is let's try and talk to these criminals and see if we can do anything. Now, there were no negotiators back then. Okay, like you couldn't Google "ransomware negotiator" and get, I don't know, 100 results or whatever it is that's coming up these days. So as part of the digital forensic and incident response activities, I said, hey, you know, I'll talk to these guys and see what the heck they want from us and go from there. And this is how I ended up as a negotiator and really negotiating my first case.

Joe Tarraf, Surefire Cyber

Yeah, and from my side, it's a pretty similar story, but first, thank you for having us. It's really nice to speak to you all about this. Yeah, I've been in the space, in the incident response space, the better part of a decade, but really negotiation as we know it now to Ed's point is a product of the last probably five years, plus or minus one or two years, right? Before then, the ransoms were a few hundred dollars and they were very rudimentary and so on. Come 2019, 2020, that's where we started seeing the uptick in ransom amounts. And that's where we really started seeing in 2021 and onwards, the seven-figure ransoms and so on. So working in the incident response space, you kind of fall into it to Ed's point. It's part of the job that you have to do to best serve the client at this point and something that you had to do.

Now, some of the negotiators came from a law enforcement background. Some of them were like FBI negotiators, hostage negotiators, and so on. I didn't fall into that category. I was in cybersecurity my entire career. And really, I think it's a product of necessity that we became negotiators in this sense.

Becky Bracken

So is there any training that is available or is this an, I mean beyond a law enforcement background, like you say, is there a course that you take or is this an on the job apprenticeship sort of learn as you go kind of a deal?

Joe Tarraf

I mean, I'm sure there are courses and books you can read and so on. I'm more of a believer of experience. Experience is the best teacher. And look, that doesn't mean that anybody can be a negotiator. You have to have a certain mindset. You have to have a certain demeanor. You have to have a certain logical process and critical thinking process and communication skills. But I do believe actually doing the negotiations and getting that intelligence through experience and through other sources is what empowers you to do the negotiations best. It's not a course that gives you that.

Becky Bracken

Do you agree with that, Ed?

Ed Dubrovsky

Yeah, yeah, I would agree wholeheartedly. Really, you know, the concept or the structure of negotiation is something that you can teach anybody in about 10 minutes. To do it well, [it] is based on experience, understanding who your opponent is because it is an opponent and it is a little bit of a chess game.

Okay, and I'll explain very, very simply. Think about it this way. When you start a negotiation, you wanna know, can they deliver on your needs or your client's needs? And you also want to minimize the impact. You wanna minimize the price, right? But you are in a position almost like, I wouldn't say a chess game, but maybe like checkers, right? You always wanna be ahead.

In other words, you don't want them to lead the negotiation. You want to try and lead the negotiation. But you are starting from a position of weakness. You don't really have leverage other than really walking away. If your client has that ability too. And number two, you have to start by asking them, well, what do you want? Right. And they can say 100 million. Right. Or they can say one dollar.

And I'm exaggerating on purpose here. If they start with $1, you know that most likely your client can pay that $1 if they really need the deliverables from the threat actor. However, if they started $100 million and you know your client can only pay $10,000, for example, you're in a position of extreme weakness because your client may actually very much need these threat actors, but they are out to lunch from a demand perspective. So now you have to bring them down, but you're already behind because they have decided that you're worth $100 million. Just for example. So as negotiators, we have to bring them down to the realm of what is possible. And if I know that my client can pay, let's say $10,000, I'm not going to start the negotiation at $10,000. So I have to get to a point where I essentially get them to a reality that is much closer to what my client can feasibly actually pay him.

Becky Bracken

And Joe, and so Joe, how do you do that? How do you engage? Is there a general way that you are communicating? Is there a general channel that is being used? How are you sort of… it seems as if you almost have to establish a working relationship with this criminal? Is that sort of how you're approaching it?

Joe Tarraf

I'm very careful about calling it a working relationship or any type of relationship because the reality is these are, in my mind, evil threat actors doing evil things to good people. So we got to be very careful not to call it a working relationship with them. They are adversaries. They are opponents as Ed mentioned, and to Ed's point I think a two-part answer to your question here, Becky: one is the mechanism and two is the approach of getting them down on the [ransom].

Really, when we engage in negotiations, it's for one or more of three objectives. And these objectives can overlap. Objective one is our client operationally is down. They don't have good backups to be able to restore, or restoring those backups will take so much time and effort that it's inconceivable. So you want to negotiate for a decryptor, which is a tool that decrypts the data. And that's by far the driving force of actually making a payment if you need to.

Objective two is to gather intelligence from them. So what do I mean by that? It's specifically around generally what they took, what data they exfiltrated, because ransomware actors nowadays, they use two levers to extort you. You've got the lever of I've locked your data and if you want to use the data, you have to pay me. But they also have the lever of I've stolen your data. And if you don't pay me an amount, I'm going to post it publicly so anybody can download it.

So what we want to do with objective number two is gather as much intelligence around that stolen element, stolen data element. What did you take? And we can go pretty in depth to that. Objective three is to buy time until we figure out what's happening, what the impact is, and get our arms around the situation better. So it's stalling for time until we get to a decision point of do we need objective one or two or both for whatever reason. Now the mechanism of communicating could be different depending on the threat actor. Some of them use emails, some of them use the Dark Web chat portal, where you're basically negotiating with them in real time. Others use something like an encrypted application like Telegram. So depending on the threat actor you're dealing with, could be either.

Becky Bracken

And it seems all these objectives require getting them talking. And is that sort of getting them to spill their guts and give you the intel? What is the way that you get somebody to spill their guts to you?

Ed Dubrovsky

So everything that Joe said is exactly textbook. What we as negotiators are trying to kind of achieve in the method of negotiation. But I would add just a couple of things to kind of preset our conversation. The threat actors, we don't work with them, right? But they know if we're negotiating with them or not -- because you have to remember just like we have experience negotiating with threat actors, they have experience negotiating with negotiators. Okay, so if we come in and we start with a very typical show me what you have, show me you can decrypt, show me and they can see very, very quickly if we're delaying and that is our tactic, buying time, as the industry likes to call it, but you're really not buying anything just so you understand. Or do we present a communication that is shaking them a little bit, getting them out of the comfort zone, and they're wondering if, what is the outcome here? Are they negotiating with a negotiator? Yes or no, that type of thing. So this is why it's really, really important when we talk about negotiators to understand that they understand us as well. You have to understand your adversary, right? This is why I am very much against the so-called textbook negotiation strategy because again, we're dealing with individuals, criminals, really, really bad people, but ultimately very, very good at what they do. Otherwise they wouldn't be in this business that would be a one-stop, one-attack type of a negotiation attacker type of thing, and then they would disappear. And these are the really high-risk type of negotiations. And this is also a very high risk for our clients. If we don't understand who we're negotiating against and how do we stay ahead of them because they know what to expect. And if we just play textbook, to that, they can again, they have the leverage, they will squeeze the maximum value out of us. And this is what we try to avoid.

Now in terms of communication, you know, I've seen communications happen over various channels. I've seen the Web chats, which are very prevalent these days, still see some emails. In other words, threat actors that really don't have the infrastructure to support anything more advanced. And certainly, we are starting to see more and more of the instant messaging type of tooling where they sometimes call us, right? Because those instant messaging capabilities allow for them to call us. And you definitely never want to pick up the phone when they call type of thing, right?

But it also introduces a lot of risks to negotiators because you wanna make sure that you are as much as possible anonymous. Because if they can pinpoint who they're talking to, even if your method of communication is very similar, then they can again adjust their negotiations because they believe that they're dealing with a negotiator. So you always have to tell them, look, we're working towards a good ending for you, right? But you don't want to signal that. Right. And this is really, really critical as well. So shake them a little bit, keep them wondering, and yet keep on promising the world type of thing.

Kelly Jackson Higgins

How do you know that they're going to hold up their end of the deal, though? I mean, you're dealing with, like you said, some pretty nefarious characters. How can you kind of tell that you're really getting the right person who can actually make a negotiation … that's a fair negotiation?

Ed Dubrovsky

Great question.

Yeah, no, great question. And you know what? You don't really know in any type of scenario. However, you know, most of these cases are under a particular brand of a ransomware group. For example, everybody knows Black Cat, for example, Black Cat is gone now. But when they were operating, you knew for a fact that when you agree on a particular set of deliverables, and they would deliver majority of the big things, right? The decryptor key, deletion log, and so on and so forth. Can you really trust them that they deleted all the data? No, you can't and you can never, right? Because there are multiple layers within these ransomware groups. The decryption key with a big group who cares about their, let's call it, nefarious brand, they would typically deliver those as well in all cases. I've never had a big group actually not deliver after payment. And I've been doing this for a long time. However, it's when you're dealing with these one-offs, the ones that don't really have an infrastructure, the ones that don't really have a brand name to them, that they will not hesitate to say, Okay, you know what? You paid me. Thank you very much.

This is the last you're gonna hear from them. Not gonna deliver. Now they won't actually tell you all this, right? But you have to remember that threat actors, and when I say threat actors, I'm kind of grouping, you know, the brand, the website operator, the access broker, the threat actor itself, who actually deployed around somewhere. There are many, many layers.

And majority of the ransomware cases we're handling they're financially motivated. But that is not the sole motivation. Never is. It's not just, you know, I just want money and I don't care about anything else. Well, if he just wanted money and you're Russian, why don't you attack Russian companies too? No, I only attack USA-based. Right. So there's always another motivation underneath.

And if the motivation underneath is one, to cause harm to let's say, US companies, Canadian companies, North American, and so on, then at some point once they get paid, if that secondary motivation takes over, there is a risk that you're not going to actually see the deliverables. So there's a risk and we need to navigate that. Joe, what do you think?

Joe Tarraf

No, I mean, I agree there's always an inherent risk in these situations. There's no guarantees in this game. But to Ed's point, it's what I like to call the dragons and the snakes. When you're dealing with there's, you know, a handful of dragons that are really big entities that you know who you're dealing with. You know what to expect from them. And in a sense, they're more reliable. And then you've got the snakes, which are all the one-offs that have no name, no reputation to care about, and really don't really care about upholding their end of the deal. Now, it's interesting, what we see happen is sometimes after these takedowns, the big takedowns that happen, like what happened on Lockbit or Black Cat and so on, you either see a lot of those operators moving to some of the other dragons or you know that they kind of, for the time being, they've just bored into, into snakes essentially. And what I've seen in these cases is a couple of things.

One is your experience in terms of statistics around, all right, these particular threat actors, how much are they willing to move on negotiations? What's their tone like usually? What's the best approach to deal with them, et cetera? Is an aggressive approach better versus a more conciliatory approach, et cetera? That kind of goes out the window when you're dealing with snakes because you have no historical precedent for the negotiations with them. What I've seen them do is not necessarily get payment and walk away. That's very, very rare that that happens with the snakes. What I've seen them do is re-extort. So you negotiate down a ransom with them from, I don't know, say $20,000 to $5,000. And they say yes, and you pay them. And they come back and say, actually, we made a mistake. We want another $500 or $7500 to make that happen. But we kind of expect that. And those are kind of the considerations that we walk lines through as we go through that process when we're dealing with it.

And that's why really intelligence and profiling who your adversary is, that's why it's so paramount. Because you have to educate all the stakeholders around what to expect, what are the considerations, what are the potential pitfalls here, and what's our plan A, plan B, plan C around all of that as we go through the negotiation process.

Kelly Jackson Higgins

Would you each be willing to sort of share with us a story of a type of particularly intriguing engagement you had with a threat actor and so we have an understanding, a sort of a picture of the process itself. I think that's some of what people try to understand a little bit better how that works. You know, how your clients are involved, if at all, are they looking over your shoulder? Are you updating them? What's their role? That kind of thing.

Joe Tarraf

Sure. Typically, I mean, there's a couple of modes to operate. The default mode that we operate in, and there's a degree of variability across matters and clients and so on. But the default mode is we sit down with the clients, with the victims initially. We get a sense of the impact. We walk them through the how to think about the impact. We walk them through the objectives of the negotiations. We get a sense of the situation. Then we formulate a negotiation strategy with them.

So our objective is one, two, three, or whatever it may be. And this is how we approach it using this standard, this cadence, this type of messaging. Our general approach is that we provide suggested messaging for all the stakeholders. If they want to weigh in, they can weigh in and that can include counsel, that can include the client themselves. Some clients like to be involved. Other clients are like, you are the experts, you deal with it. We just, just keep us in the know. So depending on the desire of the client, there's the variabilities, but we typically operate in a collaborative manner. That's the best approach. We're very clear around our recommendations based on our experience and our suggestions, but it's really a collaborative effort with the stakeholders.

Ed Dubrovsky

Just to kind of interject to what Joe said, we have many cases where the clients, lawyers, sometimes carriers and other stakeholders, they want to negotiate, and we are basically the parrot. In almost all cases that I've handled and I've probably handled, you know, upwards of 6,000 matters. One case only where the client injected themselves into the communications, worked to the benefit of the client. Okay. And the reason that is, is because there are certain biases. Everybody has a bias, right? But a client is very emotional as well.

And other stakeholders may be biased by certain other things. Okay, so everybody has a bias. It doesn't really matter. Even negotiators have biases, right? And I'll tell a story in a second as well. But we have to remember that a negotiator is really an advisor first and foremost. We are probably a very special breed in terms of the experience that we have. And it's very difficult for a businessperson on the client side or anybody else to look around and say, well, you know, as a business person, I'm a really good negotiator, so I'm gonna bring those skills to this negotiation, not realizing that they could be very emotional. They could trigger the wrong thing with the threat actor. And we've seen numerous cases where a threat actor says, you know what, I don't need this. I'm here for the easy money. And, you know, as a threat actor, this negotiator, whoever's talking to me on this other side is really ticking me off and I'm done. I'm moving on to the next client. Okay. And it happens and it happens quite a bit when there is not the right cadence, not the right communication, and so on and so forth.

And this is why it's really important to understand who you're dealing with on the other side. What are they feeling in the moment? Right? And it's not necessarily building a working relationship, but really you have to understand the devil you're dealing with, right? And sometimes you can change your negotiation from really bad to really good by firing yourself and coming in as a different persona. Sometimes it's a matter of coming in and saying, wow, you know what? You really hurt me here. You really disabled my business, but you really taught me a lot because I got to tell you, you've disabled this business that I built over 20 years and you've done it in 10 and a half seconds, right? That type of thing. So all of a sudden, the threat actor is feeling like, wow, I'm getting some compliments here on my skills and so on. I'll give you a discount. I'll give you 50% if you pay within 24 hours and all kinds of things like that. We've seen these scenarios. I'm sure Joe has seen those as well, but you know, we're talking about negotiations and one of my fears is that we're trying to convey a really romantic kind of a view of the negotiator.

We have to remember who we're dealing with and I'll tell you a story because I think story is really emphasize. Now this is a bad story. And what I mean by that, it's an attack against a hospital and not just a regular hospital, but a hospital for children. Okay, and I'm not gonna name any names and so on. And there were plenty of hospital attacks that I've handled over the years like plenty. I mean, probably, I'd say over 100. Just so you understand that the scale of the threat here. In this particular attack, what we typically see in a hospital attack is that they attack the computer, the corporate network. They don't really attack the ICUs, the intensive care units, and things like that. In this particular case, they started attacking the ICU, the NICU.

And in that hospital, there were probably close to 100 babies or whatever in the NICU, maybe less, maybe close to 80, I believe. One would have been enough. So I don't know about anybody listening to this podcast, okay, but you should start feeling really, really uncomfortable when you hear that now you have to potentially negotiate with criminals. Right. And I have other more not-so-nice words to describe them, that are attacking children who are on life support. So as you can imagine, I jump on this call very, very quickly. We speak to the client, to the hospital. They're in a state where they have to negotiate, and they need to stop these threat actors from continuing to do the damage they are doing because there's serious threat to human life, baby life. Okay, and so I go in and I said, can you please stop the attack? We're here. We're gonna negotiate. We're gonna pay you. We're gonna reach a really good outcome for you, but please stop attacking because babies are going to die. Well, these threat actors turn around and they say well, I guess a quick payment of $10 million is worth saving babies, but we won't stop until you pay. So pay quickly.

So you have to understand that even as a negotiator, okay, where you have to disconnect from emotions, can you really? No, the answer is absolutely not. You cannot, right? Because you're not a human being if you don't care about babies. What did the babies do? They're barely, you know, in this world for sometimes a week, two weeks, and now they're being attacked by, you know, criminals. But you have to be a very specific kind of a criminal to say, you know what? I don't care if I kill babies. I just want my $10 million. And just so you understand, $10 million is probably a very low price tag when you consider the situation. But you have to be a very specific and then very nasty kind of an individual to say, I don't care. I'll kill people, babies. Okay. For money. And this is the kind of individual sometimes we deal with. So you have to understand, and we still need to reach a certain outcome, a successful outcome for a client probably very very rapidly while communicating with these individuals, without getting into a fight, because that's not going to buy the right outcome.

Becky Bracken

Wow, that is certainly a stark example. Joe, can you maybe walk us through some more extreme examples of things you've seen in the field?

Joe Tarraf

Yeah, I mean, generally speaking, a couple of victim categories really would put anybody on edge. Healthcare is one of them. We had one where we, it was a clinic that was treating stage-four pancreatic cancer patients and that got hit. So, you know, you got to negotiate that, and you got to get it, to Ed's point, you got to get it down to something that is realistic and you have to take your emotion out of it to the degree that you can. You have to focus on the job. You have to focus on the objectives and you have to get it down to what it is, to what you can get it done. Luckily in that case, we were able to, we actually negotiated pretty aggressively with the threat actor. And luckily for us, we didn't have a threat actor like that was as aggressive as Ed's in his case.

We had a threat actor that was willing to work. We came off as aggressive ourselves. We kind of said, look, we're not going to waste time. We don't have time to waste. This is the most that we can pay. You can take it or leave it basically, because that's the extent of we can do.

Now, we didn't phrase it in that specific phrasing, obviously. We put it in a much nicer way, and in a way that lays out the considerations much more thoughtfully. But that was the gist of it. We're not going to go back and forth here. This is what it is. And they accepted. And we got that decryptor. We got the operation up and running within 28 hours or something like that. And that was a success.

But you also see some funnier items, frankly. And there's the starkness, and then there's the one that are a little bit amusing. So a few times we had threat actors that were clearly double-dipping, meaning they were operators that were working with a couple of different groups. And you had encryption from one group, and then you had the same group and another group claiming they have data. And then when you're talking to both of these groups about the exfiltration piece.

You're noticing trends in their linguistics. You're noticing trends in their messaging. You're noticing trends in the way they phrase things. So you're like, all right.

Becky Bracken

Say more about that, Joe. So they're explaining, I'm sorry, they're double-dipping, meaning they're extorting you twice for the same data?

Joe Tarraf

Yes, masquerading as two different organizations, kind of. I'll explain. So a lot of these ransomware groups, they're like in McDonald's, like they're franchise, right? And their operators are a bunch of franchisees. You've got the headquarters that's developing the tools and all that. And you've got operators or affiliates that are the franchisees. So you can have a franchisee that's with one group and another group. And those groups could be competing, in theory. So what ends up happening is...this operator gets in or this group of operators gets in, they encrypt the data using one encryptor from one group, they steal the data, and then they try to extort you as both groups -- because they own the data and they're working from both groups. They don't own the data, they hold the data, at this point and they're working for both groups. Now sometimes they use encryption from both groups as well just to make it a little bit harder on you, just to force you to negotiate two different ransoms as well. So there's always these intricacies that come up. But I think one of my favorites, in the sense that it was a good outcome, was we had an organization that was a nonprofit organization that was really doing very good work helping some of the most vulnerable segments of our society find jobs, meaningful employment, and so on. And they got hit, and they had no insurance, they had no reserves, financial reserves whatsoever. The entity there, the organization that hit them, the threat actor group is a very well-known one. I'm not gonna name names because I don't want them to think that I'm complimenting them in any way. But basically we got on this negotiation with this threat actor group and we laid it out very succinctly saying, here's who we are, this is what you do, this is what we do. We don't understand why you would attack somebody like us because we don't have the financial resources. All our finances are public. Here's what they look like. 
You're asking for, I think they were asking in the low six figures, all we can pay you was $1,000 to get back up and running and continue doing our work. And that was the reality, that was complete honesty and complete truthfulness there. There was no bluffing, there was no subterfuge whatsoever in that case.

They went away for a while and they came back and they said, we apologize. Here's the decryptor. We apologize for attacking you, and our boss (they named their boss) apologizes as well. Please... please accept our apologies and we're moving on. So.

Becky Bracken

Wow!

Ed Dubrovsky

Yeah, yeah, I had a church that was attacked one time, very similar story. And the threat actors didn't realize they attacked a church. But in their ransom note, they said something like, if you don't negotiate, God help you or something like that. So when we start negotiating, I said, Well, do you believe in God? Because your ransom note speaks to God. They said, Absolutely. We go to church every Sunday. And I said, well, you just attacked the church. How do you think God may feel about this? And they said, prove to me that this is a church. So I said, well, do you know the website that you attacked? Yes, we know. Can you go there? Yes, it's a church. Can you prove to us that you actually are the church and you can modify the page? So I had, whoever in the church that was responsible on the website add something like, you know, God will smite sinners. And I told them this is going to be added. And they did this. And within about 15 minutes after that, we got the decryptor and we never heard from them again. At no cost. So yeah, it happens.

Becky Bracken

It's so interesting. As flawed though they may be, you are talking about very human things, flashy and compliments and just laying it out. It does really highlight sort of the humanity of, you know, even though they're creeps, you know.

Joe Tarraf

I think it highlights the fact that you have to always be conscious that you're dealing with humans with their own psychologies and personalities and there's no cookie cutter approach. One person has a certain approach, the other responds to a different approach. Some of them like their egos stroked. Others like to be challenged, frankly. There are certain groups that we have a clear trend that when you are actually firm, not impolite, not disrespectful, not true, but firm and to the point with them, they respond actually better. They respect a little bit of strength. Others, they just want you to prostrate in front of them. So, and that's again where the intelligence comes in from. Knowing who you're dealing with helps you tailor your strategy, your tone of conversation to the actor at hand, to the adversary at hand, and get the best possible outcomes.

Jim Donahue

Can I ask, do the threat actors exclusively ask for money or do they sometimes ask for other things?

Joe Tarraf

Generally it's money in my experience, but Ed, I don't know about you...

Ed Dubrovsky

Yeah. So we've had a number of situations. It's not all the vanilla type of ransomware where send me some Bitcoin, and I'll give you some deliverables. We've handled cases of extortion, buying and selling of specific information. And also, in certain cases, we've had clearly disgruntled employees that wanted guarantees of somebody to get fired or somebody to have an HR entry against them, put in all kinds of little silly things. We've also had situations of clearly children attacking their own schools. And the interest wasn't money, the interest was clearly more of a, maybe a little bit of a destruction, but also they wanted some credibility, some recognition, but also we've seen them very clearly looking at particular people's records.

Becky Bracken

Digital vandalism.

Ed Dubrovsky

And I'll give you another quick story. We had a case of a school, a child attacking the school, where they were demanding money. Okay. But I, as a negotiator, I came on and I said, look, I found your ransom note. I'm one of the children in the school. Can you tell me what information you took? Because look, there's some sensitive information in my file and I'm being bullied as it is. And I really, really don't want to be bullied if the information becomes, it gets released. And interestingly enough, that person said, you know what? I'm also in the school, which teachers? So I had to go back and get some teacher names and classes because you know, I forgot when I was a teenager, right? You know, but I had to play the persona of a child.

So I was actually talking to my children, saying what words the young people use and so on and so forth, and then inserting them into the communication. I convinced them to actually back off and not publish and not collect any money and that's it. And they went away. This was really a teenager, in my opinion, probably around I would say 14 max in terms of age, but they were holding… This… it was really a school district. They had probably about, I don't know, 60,000 students' records that they downloaded and things like that.

Again, it's all about understanding who you're dealing with on the other side because they could say I want money, but really it's not money that they're looking for; they wouldn't even understand what to do with Bitcoin and how to buy anything with it, right? Because it's a digital currency. It's not like you can walk into Walmart and then purchase something, right? So, you know, very interesting type of scenarios for sure.

Kelly Jackson Higgins

That's interesting that you had to take on a persona in that particular negotiation. Is that isolated to just the pure extortion type of attack?

Ed Dubrovsky

Every single one.

Kelly Jackson Higgins

So you've got to don a persona that maybe either belongs to the victim company or is representing them. Is that okay?

Ed Dubrovsky

Every single time it's a persona and I have to be very, very careful, and many negotiators are not, to make me sound every time like a different person, especially from dealing with the same group because they can tell. They can tell if I'm using by mistake a very pronounced word, especially when it gets translated from English to Russian, for example, it might be even more glaring. Right? So I have to be very careful.

And this is why sometimes when we negotiate, we sound a little bit moronic, to be honest, because we cannot be sounding like a professional negotiator. Show me what you have and then maybe I'll pay you and so on and so forth. Right? It has to be like, fairly random. And it's like this persona that I'm taking, this is the first time I'm ever in this situation and this is crazy and what do I do now? Right? If I come in as too experienced, it can go wrong. So bear that in mind.

Joe Tarraf

On our side, why I think it's best practice is not to have one negotiator. You have a team of negotiators and you always rotate negotiations through these teams. So there's not one negotiator who's always dealing with a particular group … so because each negotiator that brings in, even if the principles are the same, they bring their own nuances to the negotiation. They bring their own nuances to the communication. They bring their own nuances to the linguistics. So if you rotate the negotiations across the negotiators, you make sure that you get that variation, that it's not the same person all the time. Now, that's why, again, that's why the importance of, and we're stressing this a lot because it's really one of the fundamentals of negotiating. The importance of the intelligence is paramount because when you have a team of several negotiators, you can't just rely on personal experience. You have to rely on the joint experience.

So making sure that communication within the team is there, making sure that the profiles that you have for threat actors are robust and well-documented internally and so on, so that everybody can tap into them. That feeds the intelligence to the team to be able to do the job the right way.

Becky Bracken

Well, that is an excellent segue into kind of where I'd like to leave it today. I'm hoping that Ed and Joe, you can provide our audience with something you wish they knew about ransomware negotiations, something maybe they can even use in their own negotiating travels around the universe. What is it that you wish people knew about what you do? We can start with Ed and move to Joe.

Ed Dubrovsky

Sure, sure. So first of all, I do not recommend anybody to negotiate on their own behalf ever. You know, any tip that I might throw out as part of this podcast is not going to help anybody to become a negotiator for themselves. It takes time. There's a lot of components that go into it. Every situation is different. The impact is different. The urgency is different. You know, whether the client is losing a million dollars a day or two and a half dollars a day is a big difference, right? So all of those things, when they come in, I would say always get a professional, first and foremost. Okay. The other thing to remember about any type of a cyberattack is that these are… It's a very successful field for the criminals because we are all digital. We're all carrying a phone and sometimes a tablet and a computer that's connected at all times, and so on and so forth. So the opportunities for them to do what they do best, which is to attack us, are growing.

The best thing that we can do to fight ransomware is to have defenses up and running. And when I say that, I'm being very, very careful because it's also not simple, right? You could have great backups, but if they stole your data and your data is very, very critical, intellectual property, PII or personally identifiable information, personal health information, things like that, you still might have to pay.

So it doesn't end with just, you know, one thing or five things or seven and a half tips, right? The thing is when something bad happens in this realm, you wanna make sure that you know who you're gonna call. There are a lot of scammers and you are not allowed to pay everybody. Even if you had the negotiation knowledge and you had the understanding about what is a Bitcoin and how to buy a Bitcoin and how to transfer it from your wallet to the bad guys' wallet and so on. You have to go today through a lot of compliance. Your bank account could be basically seized or suspended if you make a transfer to a criminal's wallet without the right compliance, without checking things like sanctions and OFAC and following FinCEN and FINTRAC in Canada, and so on. And potentially the FBI or Department of Justice can walk over, knock on your door and say, why did you pay Iran when there are sanctions on Iran? Well, you know, I just... I just wanted to pay them. Well, okay, we have... as a... when I'm speaking to FBI agents, I always say, what do we have to do to make sure that we help victims and stay away from the two-by-two cells?

So clients do not have that knowledge. It takes a lot of reporting, cooperation with law enforcement, making sure that the right reporting is happening, making sure that you are, for example, a money service business in the US and Canada, to be able to actually make payments.

So while technically it's simple, my recommendation first and foremost: get an expert. Don't do it yourself. Yes, it's going to cost a little more, but at least you're gonna be protected. Also get a good lawyer because of these type of situations, you wanna make sure that you're doing the right things because your clients, your employees, could sue you and things like that. It's becoming a very litigious environment. So do the right things. Get the professionals to work with you.

And I know it's always going to be a very high stress situation. And when people are kind of cornered, the first thing that shuts down is listening. You have to listen. You have to take in the information, process it, and really try and eliminate as much as possible, emotions.

Joe Tarraf

No, no, I would agree wholeheartedly. Get in the experts to help you. If you have cyber insurance, call your cyber insurance first if something happens. If you don't have cyber insurance, think about getting cyber insurance because it's not just allowing you to put together the team of experts that are going to help you from both the forensics, the negotiations, the remediation, the legal side. It's also going to help you pay the ransom if you need to as well.

So that's point number one. To Ed's second point around listening and so on. Yeah, I think the key point is, and it's a very natural reaction for somebody to have when they see their baby that they've been building over 20 years get hit with ransomware and be at risk. Your response is going to be naturally emotional. Anything other than that, and that's the exception.

You need to, to the degree that you can, not let those emotions make you take snap decisions. You have some time to think about it, no matter what the situation is, unless it's a, you know, unless it's a situation like Ed described, and you've got lives on the line, basically. The vast majority of cases do not have lives on the line. The vast majority of cases actually are financial impact, reputational impact, things of that nature. In those cases, you actually have some time. You have some time to take a breath. You have some time to talk through your considerations with these experts. You have some time to understand the situation better and to understand the impact better. And you have some time to make the right decisions. And those are going to help you in the long term rather than taking snap decisions while you're emotional. Because the reality is, even if you get a decryptor today, day zero of an attack, you're not flipping a switch and you're back up and running. That's going to take you a certain amount of prep time to prep the environment for decryption, to salvage data for decryption and all that. So no matter what, you're going to have a few days of prep time that you're going to need to do. Use that time to understand your situation and make the informed decisions that you need to make.

Kelly Jackson Higgins

Absolutely fascinating conversation. I have a million more questions, but I know we're up against our time here. I'm amazed how when I stop and think about what ransomware used to be, when it was those emails from the phony FBI trying to shake down consumers to where we are now, it's just mind boggling to me. It's an actual business. And people like you have to be professionals in this business to get victims through it. So we really appreciate your taking the time to explain all this to us today.

It was really great to meet both of you, Ed and Joe, thank you.

Ed Dubrovsky

Thank you for the opportunity.

Joe Tarraf

Thank you for having us. It was great to chat with everybody.

Becky Bracken

Thank you all. The cherry on the cake of our discussion today is going to be a special presentation from Jim Donahue, Dark Reading managing editor, who is going to share a piece of commentary submitted by one of our experts. Jim?

Jim Donahue

Thank you, everyone. I oversee contributed columns from cybersecurity professionals that we run every day, and the column that I'm going to read from today is called "Collaboration Needed to Fight Ransomware," by Brian Neuhaus of Vectra AI. I'm not going to read you the whole thing, but he writes:

"The existence of sophisticated tools such as the LockBit 4.0 encryptor also underscores the importance of international cooperation in the fight against cybercrime. As these threats transcend borders, so too must our efforts to counter them. Collaboration extends beyond public and private sectors within a country; it requires a global network of partners sharing intelligence, resources, and expertise.

"Given the financial coffers and organizational discipline of groups such as LockBit, it's evident we're contending with adversaries that practice business continuity with a zeal akin to that of legitimate enterprises. They prepare for eventualities, including law enforcement interventions, with strategies designed to ensure their survival and continued operation. This level of preparation and the professionalization of cybercrime emphasize the need for a proactive and collaborative approach to cybersecurity.

"In the face of these challenges, fostering a strong partnership between the defenders of companies and law enforcement becomes even more critical."

Again, that is Brian Neuhaus writing, a column that Dark Reading ran in April called "Collaboration Needed to Fight Ransomware." Becky, back to you.

Becky Bracken

Thank you, Jim. And we all know that collaboration is needed. I want to thank Joe and Ed for joining us today on Dark Reading Confidential. Thank you for sharing your stories from inside the cyber trenches. I learned a lot. I know our audience did as well. I want to thank Kelly Jackson Higgins, Dark Reading's editor-in-chief, again, and Jim Donahue, Dark Reading's managing editor of commentary and copydesk, for their contributions to this second episode of Dark Reading Confidential.

Thank you all for joining us and we hope to see you and hear you on a future Dark Reading podcast. Thanks everybody.
