Skip links

Hi, I’ll be your ransomware negotiator today – but don’t tell the crooks that

Interview The first rule of being a ransomware negotiator is that you don’t admit you’re a ransomware negotiator — at least not to LockBit or another cybercrime gang. 

Instead, these negotiators portray themselves as simply company representatives, said Drew Schmitt, a professional ransomware negotiator and principal threat analyst at cybersecurity firm GuidePoint Security.

“The biggest reason is because most ransomware groups specifically and explicitly say: ‘We don’t want to work with a negotiator. If you do bring a negotiator to the table, we’re just going to post your stuff anyway,'” Schmitt told The Register. Hence the need to masquerade as a regular employee.

Ransomware is, of course, malware that once on a network scrambles all the valuable files it can find, and demands a payment to decrypt and restore the information. Lately, gangs also steal copies of the data prior to encrypting it so that they can leak or sell it if the demand isn’t paid. Sometimes they just siphon the files and don’t bother to encrypt them. Sometimes the crooks use the purloined files to harass or exploit a victim’s customers or users. There’s all manner of things extortionists can do and demand once they are on your computers and have your data.

Schmitt said he negotiates one or two ransoms a month, and victim organizations range from very small businesses to major enterprises, spanning all industries. Manufacturing, technology, construction, government, and healthcare were the hardest hit in the second quarter of this year, according to research done for his company’s latest extortionware report.

I’ve also seen initial demands of $25 million … they are all over the place

He said he once saw a ransom demand from a “less-sophisticated group” who wanted just $2,000. “But I’ve also seen initial demands of $25 million,” he added. “So they are all over the place.”

Schmitt said he has, on two occasions, negotiated ransoms down to zero dollars. “Both in different kinds of healthcare, that when we went to the table and said, ‘Hey, we’re a healthcare organization. We’re responsible for saving lives,’ they basically said, ‘We’re sorry. We’re going to give you a free decryptor.'”

Of course, these are the outliers, and some groups such as Hive specifically target the healthcare industry on the assumption that because lives and highly sensitive personal data are at stake, among other factors, hospitals are more likely to pay up to make the whole mess go away. 

In fact, a report earlier this year from ​​Sophos stated that 66 percent of surveyed healthcare organizations were hit by ransomware in 2021 — up from 34 percent the year before, representing a 94 percent increase. 

As ransomware and pure extortion become solid sources of income for miscreants, there’s naturally been a rise in demand for things like cyber-insurance and ransomware negotiators, who act as intermediaries between the ransomware gang and the victim. Sometimes you may want to put someone between you and the crims, someone who can make the cryptocurrency payment happen, or haggle down the demand, or get the decryptor from the extortionists, and so on.

According to research published in March by Palo Alto Networks’ incident response team, the average ransom demand in 2021, for attacks it was aware of, was $2.2 million, a 144 percent increase from the year prior. Meanwhile, the average payment last year jumped to $541,010, up 78 percent from 2020. 

From email ransom notes to Tor leak sites

Schmitt started working in incident response (IR) and threat intelligence about six years ago, and said he “fell into” ransomware negotiations in 2019.

“It was a natural progression of working in incident response,” he said. As ransomware infections became more prevalent, Schmitt started moving up the IR ladder and playing various roles in the investigation and response process. “And one of those ended up being a negotiation with a threat actor.”

Back in the day, circa 2019, these negotiations happened via email. But since then, ransomware gangs have matured and evolved business operations to include instant messaging with victims to figure out deals, affiliates to help spread the malware, and employees with non-technical remits, as the larger, above-ground world learned through the Conti leaks earlier this year. 

These days, most crime groups have their own websites through which they operate, and some have PR and marketing departments as well as in-house help desks. 

Rather than faff about with email, “now it’s usually just a URL” directing a victim to the extortionists’ Tor-hidden website, and communication between victim and crook happens in a chat box displayed within the Tor browser, Schmitt said. This is the point at which Schmitt usually gets called in to help with the incident response and, sometimes, ransomware negotiations. 

The negotiation process itself involves bringing all the key business units to the table: C-suite executives, cybersecurity analysts, lawyers, HR, and PR representatives. 

“All the critical teams that are going to be involved in the administrative response in addition to the technical response,” Schmitt said. “All of those players are going to be involved to determine what the negotiation strategy looks like.”

Should you negotiate with criminals?

The first question they need to answer, however, is whether to negotiate with the criminals at all. 

US federal agencies say organizations should not pay ransom demands [PDF], and some private security firms even suggest this exposes businesses to subsequent ransomware attacks. Regardless, it’s not a simple question to answer, and the decision to negotiate or not is two-pronged, we’re told.

How is this going to impact our brand if we’re exposed on a ransomware leak site?

“One is looking at it from a purely technical perspective,” Schmitt said. This includes determining if the company has the capacity to restore from backups data scrambled by the ransomware, decrypt the files with a free tool, or otherwise bring the IT environment back online without paying a ransom.

“And then the other side is legally based,” he said. “This is where you start answering questions about: how is this going to impact our brand if we’re exposed on a ransomware leak site? How is this going to potentially impact compliance if we have certain types of data exposed on a ransomware leak site? What are the risks associated with this, and what are our options?”

One thought that Schmitt said doesn’t usually come up in the discussion — unless the criminal gang has been sanctioned by the US Treasury or a similar body, in which case it’s illegal to pay a ransom to them — is the ethics of paying a ransom that, in turn, finances additional illicit activities and potentially oppressive regimes that back or orchestrate ransomware campaigns.  

“If I’m being totally honest, there’s just not a lot of discussion of kind of where the funds go after the fact,” he admitted.

LockBit remains the most prolific gang over the past two years, Schmitt said, adding that Conti also kept his fellow negotiators busy before that group disbanded to form other gangs.

And each of these crime orgs have their own quirks, histories, and methods, which can be useful to know and exploit during the negotiation process. 

“We keep detailed notes of all the interactions that we have from various threat groups, and then we use that to our advantage — this technique might work better than that technique, or this group is known to negotiate, or you can’t push that group very long before they’ll get bored and move on,” Schmitt said. “They all have traits that we use to make sure we’re not pushing the wrong buttons and giving us the highest chance of success, for lowering the ransom as much as possible.”

However, the criminals have typically done their homework, too. For example: researching a victim organization’s cyber insurance policy. 

“Fairly often, we’ll see this as a negotiation tactic,” Schmitt said. “‘We’ve found your insurance policy, we know you have coverage in the amount of $10 million, so this is where we start.'”

Paying the initial demand doesn’t happen very often. There’s always some bargaining and quibbling. Corporations also have to factor in recovery costs and other expenses related to the security breach when figuring out what kind of budget they have to tackle the problem, he said. 

Just like buying a car

“But this is where we start,” Schmitt commented, referring to the initial demands. “And really from there, it is the traditional back and forth negotiation process that you would see in many other business applications — or trying to buy a car.”

If, that is, you’re locked in a room with the car salesperson for days on end while they threaten to leak your private information on a website for all to see, and when they may decide to raise the asking price if you take too long to reach a deal.

Schmitt admitted it’s a high-anxiety job. “The stakes are really high,” he said. “With incident response in general, and especially ransomware, it’s really high stress.

“For more of the clients you’re working with, it’s the worst point in their career and it might be the worst point they’re ever going to have, and you’re thrust into that situation of trying to help them get out of the worst time of their career.” ®