
One of ransomware’s top negotiators would rather you not have to hire him

JBS food processing was among the companies targeted by ransomware gang REvil. Credit ratings agency Fitch Ratings said industries that rely too much on a single IT or security provider that gets hit with ransomware could see their credit posture harmed if it leads to significant service disruption. (Chet Strange/Getty Images)

Kurtis Minder, CEO of threat intelligence firm GroupSense, received a lot of press as a top negotiator in ransomware cases. But he'd rather you not hire him or his peers to negotiate. Instead, he says, he'd much rather you stop the ransomware attack before you'd ever need to call him in.

SC Media spoke to Minder about the ins and outs of negotiations, and the ins and outs of never needing a negotiator.

Ransomware negotiations are sometimes portrayed as a money-making racket. I think people are going to be surprised to hear your preference would be to keep people from getting hacked.

For us it's not a profit center. We're not marketing this as something we want to make money off of. We just sort of found ourselves in the middle of it. We're uniquely suited, I think, as an intelligence company. And now we've got a bunch of experience under our belts and are even better at it. But our core business is still cyber reconnaissance and digital rescues, and that's what we want to do. I get beat up a little bit from my board about how much of this stuff I'm doing now, like you're not charging enough.

So, how exactly can a company avoid needing to hire a negotiator?

What's frustrating is that we take inventory of how ransomware threat actors get in each time, and it's a pretty short list of basic cyber hygiene things — you even saw this with the Colonial Pipeline. That attack was not sophisticated and could have been easily avoided. It actually almost matches up with maybe 70% or 80% of the clients that we're supporting, who had almost identical attacks with an old credential, with a weak password on a VPN.

Credential monitoring, password policy, [multi-factor authentication], are preventable problems. Based on our experience, if you do five to seven things, I'm relatively confident, it would reduce your likelihood of getting hit by a significant percentage.

What are the five to seven things?

Policymaking and publishing the password policy for an organization. The policy should illustrate the importance of password security. You monitor for data leaks, and you notify IT staff when they violate that policy and they've used their corporate credentials in a non-corporate fashion.

Also anti-phishing. You're rolling your eyes, I'm sure, but these are all things that we know. Create backups and secure remote access, because during COVID, [the majority of attacks] were remote access credential stuffing or credential reuse, where the remote access didn't have MFA enabled, and it was either RDP or a VPN concentrator.

Then, as bonus ones: Encrypt your data at rest, use intelligence services to monitor for breaches and catch the initial access brokers. Those are the people that have broken into networks and sell it, usually to a ransomware operator. We have literally stopped ransomware attacks by detecting them. And, then, upgrading security awareness training.
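As an added, hypothetical example (not GroupSense's tooling or anything from the interview), the Python script below ties together three of the controls listed above: it filters a constructed credential-leak feed down to corporate accounts, checks each leaked password against an assumed policy so IT can be notified of violations, and cross-references an account inventory to flag the pattern Minder describes, an old credential on a VPN or RDP account that has no MFA. The domain, the records, the inventory and the policy threshold are all assumed.

```python
import re

CORP_DOMAIN = "example.com"   # assumed corporate mail domain
MIN_LENGTH = 14               # assumed password-policy minimum

# Constructed sample of what a leak-monitoring feed hands back (not real data).
LEAK_RECORDS = [
    {"email": "jdoe@example.com", "password": "Summer2019!", "source": "forum-dump-2019"},
    {"email": "asmith@example.com", "password": "correct horse battery staple x", "source": "retail-breach-2021"},
    {"email": "someone@gmail.com", "password": "hunter2", "source": "forum-dump-2019"},
    {"email": "ops@example.com", "password": "Welcome123", "source": "paste-2022"},
]

# Constructed account inventory as IT/IAM might export it: whether the account is
# still enabled, its remote-access path ("vpn", "rdp" or None) and whether MFA is on.
ACCOUNTS = {
    "jdoe@example.com":   {"active": True,  "remote_access": "vpn", "mfa": False},
    "asmith@example.com": {"active": True,  "remote_access": "rdp", "mfa": True},
    "ops@example.com":    {"active": False, "remote_access": "vpn", "mfa": False},
}

RANK = {"high": 0, "medium": 1, "low": 2}

def password_meets_policy(pw):
    """Assumed policy: at least MIN_LENGTH chars and not the word+digits(+symbol) shape."""
    if len(pw) < MIN_LENGTH:
        return False
    return re.fullmatch(r"[A-Za-z]+\d{2,4}[!@#$]?", pw) is None

def triage(leaks, accounts, domain=CORP_DOMAIN):
    """Return one finding per leaked corporate credential, highest risk first."""
    findings = []
    for rec in leaks:
        email = rec["email"].lower()
        if not email.endswith("@" + domain):
            continue                       # personal account, out of scope
        acct = accounts.get(email)
        finding = {"email": email, "source": rec["source"],
                   "policy_violation": not password_meets_policy(rec["password"])}
        if acct is None:
            finding.update(risk="low", action="no inventory entry; confirm it is not a live account")
        elif not acct["active"]:
            finding.update(risk="low", action="disabled; verify VPN/RDP access is really revoked")
        elif acct["remote_access"] and not acct["mfa"]:
            finding.update(risk="high", action=f"reset now; {acct['remote_access']} has no MFA")
        else:
            finding.update(risk="medium", action="reset password and notify user")
        findings.append(finding)
    return sorted(findings, key=lambda f: RANK[f["risk"]])
```

In this constructed data the only high finding is the active VPN user without MFA, which is exactly the initial-access path the interview says accounts for most of the cases GroupSense sees.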

You mentioned the role of threat intelligence services, like yours, in protecting against attacks. How should companies be integrating that into an anti-ransomware strategy?

The challenge with threat intelligence is most organizations don't know how to operationalize it, which is why we're too expensive for a flower shop, because we have an analyst team to help them do that. What we've seen happen in a lot of organizations is they will buy threat intelligence tools, and then they'll take an employee that's currently managing their endpoint system or their IPs or something and they'll put them partially in charge of the intelligence tool. So what you have is a security practitioner who is not an intelligence analyst, responsible for what is probably a full-time job but only doing it part-time while they manage another thing. They just miss things in the use case, the data itself.

The law firm BakerHostetler recently released statistics from its clients, who nearly always used ransomware negotiators, and nearly always received a decryption tool in return. One of the common warnings people are given about ransomware is that criminal groups can't be trusted to provide a decryptor. How are negotiators filtering out bad faith criminals?

Well, there are a few indicators. One is that ransomware-as-a-service platforms have enabled virtually anyone who has dark web access and a bitcoin wallet to become a ransomware operator. If you can identify that's what's occurring, the ransomware operators have a pretty static playbook. And if we see somebody acting outside that playbook, that's a red flag.

There are several different kinds of scammers, some that'll never give you the key, some that are encrypted with two or three keys and they'll sell you one key and then extort you again for the next key. We call those "string alongs." So, basically, the way to identify up front if this is an individual actor versus a group. And you do that by communication pattern recognition. And while we're not 100%, we can usually tell when something looks a little fishy. A lot of times we'll tell the client there is a chance that you're going to get nothing in return for your money. You want to look elsewhere to solve the problem.

We've had a handful of actors we recognize that are acting a certain way because they don't care about their brand. They're going to do this six to seven times and then just go buy a Ferrari and never do it again. So, being able to recognize that pattern is what negotiators and intel people bring to the table.

Is trusting the wrong groups the only hiccup people run into during negotiations?

The real mistake that they make is calling us in after they've already started negotiating, when they realize they made a mistake. Once a week or so we'll get one where somebody tried to negotiate themselves, realized they were in over their head, and it's going poorly. The bad guy doesn't care about the difference between me and that person, the negotiator or that person. They don't care who it is. Once the process has started, it's really difficult to change course. One of our mantras is that negotiations end well when they start well, so if he said he started in the wrong tone, it's a snowball and it's hard to reverse.

The process is not too different from negotiating anything else. But people don't take into consideration that the threat actors are now making a common practice to exfiltrate a significant amount of data before they do the ransom execution. People don't realize that they have your finances. Sometimes they have the cyber insurance policy. So you can't lie to them. One of the mistakes that a lot of people make when they try to do it on their own is to lie about their situation; they lie about their businesses, they lie about how much cash they have in the bank. Bad guys can literally paste screenshots of their QuickBooks.

Do you run into the same people, again and again? Do they know you?

I hope not. I mean, I'm all over the news, for God's sakes. But, yeah, we do run into the same threat actors, over and over again. We do not announce that we're GroupSense or that I'm Kurtis. In some cases we will, as part of the strategy, announce that we're a third party representing the affected firm — we do that based on the threat actor, certain threat actors respond well to that. By responding well, I mean they don't play as many games, because they know if a person does this all the time that basic tricks are not going to work, so they skip them.

Some threat actors actually take offense and say they do not negotiate with [certain companies], and some of them employ some of the tools that we use back on us. They're looking for patterns and speech and things like that to identify who they're talking to.

One of the common policy suggestions that gets floated about ransomware and other cyberattacks is that "first responders" should be required to notify the government if a threat veers on national security. Would that make sense to you as a negotiator?

We always encourage the client to involve law enforcement. It's the second thing we say to them every time. Honestly, yes, there have been instances where I felt like they probably should have done that and they didn't.

Joe Uchill

Joe is a senior reporter at SC Weekly, focused on policy issues. He previously covered cybersecurity for Axios, The Hill and the Christian Science Monitor’s short-lived Passcode website.
