Ransomware: Statistically, it's likely to happen to anybody.
Kurtis Minder: From a macro level, I will zoom out and say that every company that pays a ransom is incentivizing that industry.
Dave Bittner: Hello, everyone, and welcome to the CyberWire's "Hacking Humans" podcast, where each week, we look behind the social engineering scams, the phishing schemes and the criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner from the CyberWire, and joining me is Joe Carrigan from the Johns Hopkins University Information Security Institute. Hello, Joe.
Joe Carrigan: Hi, Dave.
Dave Bittner: We got some good stories to share this week. And later in the show, we welcome back Kurtis Minder from GroupSense. We're going to be talking about the burgeoning ransomware negotiation industry. All right, well, let's start things off here with some stories. Joe, why don't you kick it off for us?
Joe Carrigan: Dave, my story comes from ZDNet. Remember when it used to be Ziff Davis?
Dave Bittner: Yes, I do (laughter). Yes, I do.
Joe Carrigan: So ZDNet is reporting on a new HP-Bromium study that came out in October that is reporting a 1,200% increase in Emotet detections, and that's over the last - over the previous quarter from July to September. Now, what is Emotet? This is - I know we're not really a technical podcast here. We're a social engineering podcast. But Emotet is a piece of software, malicious software, malware that began life as a banking Trojan. And a Trojan is a Trojan horse. It's a piece of software that does something you don't think it's going to do. It's actually a program. It's not like a virus that will attach itself to other pieces of code. And there's all kinds of different malware definitions that I'm not going to get into, but it's actually a program on your computer that provides all kinds of features.
Joe Carrigan: And originally, it was used for getting people's banking credentials, like your username and password for a banking account. It would sit there and wait until you went to your banking website. And then when it saw your credentials being entered, it would send those off to whoever is operating the botnet. But what's going on now is there is this huge increase, and these things are not really doing anything. They're just getting into the system and sitting there.
Dave Bittner: Biding their time.
Joe Carrigan: Biding their time. And what HP and Bromium are speculating on here is that this is the beginning of some kind of marketing campaign for these things. They're going to sell - whoever's behind this is going to sell these Emotet-infected botnets, this collection of machines, because one of the things that they get when they have Emotet on the machine is they essentially get a backdoor into whatever network it is. And that could be really, really valuable. Now, some of these are probably just sitting there on somebody's home computer, which is possible as well. But some of them are sitting on business networks...
Dave Bittner: Right.
Joe Carrigan: ...Which are even more valuable because now if I have a backdoor into someone's business network, I can get in there, install ransomware or steal data or do whatever it is I want or further compromise things. The social engineering angle is how Emotet often gains access to these networks, and they usually gain access via phishing. And the people who are behind this campaign have been seen to use thread hijacking, and we've talked about this before. They get into someone's email account - the business-email compromise. And instead of injecting themselves into a conversation and saying, hey; send the money here, it's a lot easier to say, hey; here's a document for you, and it's a malicious document, right?
Dave Bittner: But they take advantage of an existing email thread.
Joe Carrigan: Exactly. That's why it's called thread hijacking.
Dave Bittner: Right, right.
Joe Carrigan: There's an existing thread, and they're sending something back and forth. And the reason I say it's easier is because you don't have to wait for somebody to be talking about finances. You can just say, oh, by the way, here's something else. You can inject this into the conversation a lot more easily than you can by waiting for the discussion of financial stuff to come up.
Dave Bittner: Right. Trust has already been established...
Joe Carrigan: Yes.
Dave Bittner: ...Because the origin of the thread was legitimate.
Joe Carrigan: Right. And the email is probably the proper email. This is...
Dave Bittner: Right.
Joe Carrigan: ...A common tactic. We see phishing attacks all the time to gain access to your cloud email account, like your Office 365. Or I guess it's Microsoft 365 now, right? That's what they're calling it these days. The reason they're doing that is because that's a very effective way of getting inside an organization because let's say you and I are both talking on CyberWire addresses, and I send you an email that says, hey, Dave; check out this story for the next week's podcast. And it's a malicious link with a drive-by download.
Dave Bittner: Right.
Joe Carrigan: Right.
Dave Bittner: Yeah.
Joe Carrigan: That's how that works.
Dave Bittner: My initial impulse would be to trust that link because it was coming from you...
Joe Carrigan: Exactly.
Dave Bittner: ...In a way that - yeah, exactly. It all looks legit - no reason to think otherwise.
Joe Carrigan: Yeah. The phishing lures are being written in languages like French, German, Greek, Hindi, Italian, Japanese, Spanish and Vietnamese. So these guys are casting a very broad net here.
Dave Bittner: Yeah. It's interesting how they're, you know - they seem to be in this infrastructure-building stage where...
Joe Carrigan: Right.
Dave Bittner: ...They're very methodical about this - you know, building up the botnet, building up an inventory that they can then turn around and sell either access to those machines, to the botnet itself to do the types of things that botnets do or, as you say, just access to individual networks, saying, hey; who'd like to buy access to this company's network? You know, the bidding starts here.
Joe Carrigan: Right. Yep. That's exactly what's going on.
Dave Bittner: That's fascinating - interesting story. All right. Well, I've actually got a twofer this week.
Joe Carrigan: All right.
Dave Bittner: Rather than having one big story, I've got two shorter ones that I thought didn't rise to be enough content to stand on their own. But in between the two of them, I think it makes for some interesting conversation, as happens sometimes here. The first one is about some bad guys who are using an interesting image manipulation technique to evade detection. So these folks are going after Office 365 accounts. It's a phishing campaign. And, you know, very often the way that they do this is they will redirect you to a landing page, a login page that is imitating the legitimate login page for something like Office 365.
Joe Carrigan: Right.
Dave Bittner: And it looks exactly like the actual page. You know, it's easy to do because online, the code is right there to copy and paste, right?
Joe Carrigan: That's exactly right. They have to send you the code for the web page because that's how the web works.
Dave Bittner: Right. So evidently, one of the ways that folks are trying to detect this sort of thing is they're using image recognition software to see when someone's using the same background image that, for example, Microsoft uses in their login page.
Joe Carrigan: Right.
Dave Bittner: So, you know, they have these pretty - these pastoral images, these pretty, you know, calming, beautiful landscapes and things like that. We're all familiar with them. But they're easy to detect. Image recognition software has no trouble finding this. So what the bad guys have done is - they use an inverted version of that image. So if you imagine, you know, like a film negative - right?
Joe Carrigan: Right.
Dave Bittner: Everything's inverted. The luminance is inverted. The colors are inverted. So it's an inverted version of the image. Well, they use that, and then they use the CSS, the cascading style sheets, which allow you to invert an image back again.
Joe Carrigan: Ah.
Dave Bittner: (Laughter) Right?
Joe Carrigan: That's clever.
Dave Bittner: So - it is clever.
Joe Carrigan: That's clever. They're inverting it twice, which takes it back to the original look and feel, right?
Dave Bittner: Yep.
Joe Carrigan: So you, user, are sitting there looking at the - what looks like the exact same image.
Dave Bittner: Right.
Joe Carrigan: But the computer goes, nope, that's not the same image Microsoft uses.
Dave Bittner: Right. Exactly. Funny - it seems to be the exact opposite of the image Microsoft uses.
Joe Carrigan: Right.
(LAUGHTER)
Joe Carrigan: That's a very clever trick.
Dave Bittner: It is clever, and I think it's just another step in the cat-and-mouse game here. I suspect we will probably start to see image recognition systems that routinely look for an inverse. You know, you'll have a - I don't know - search for inverted version button option, which is probably slower but wouldn't be hard to do because inverting an image is a pretty easy, straightforward kind of thing to do, you know?
Joe Carrigan: Yeah, you just flip the numbers around.
Dave Bittner: Yeah. It's probably not even that, you know, mathematically expensive to do...
Joe Carrigan: Right.
Dave Bittner: ...In terms of processing power. So - but I just thought it was a clever thing. I don't know that there's anything, you know, users can really do on their end to protect against themselves. It's more just, you know, not getting on these pages to begin with...
Joe Carrigan: Right.
Dave Bittner: ...To log on.
Joe Carrigan: This still all boils down to don't click the link.
Dave Bittner: Right, right.
Joe Carrigan: Yeah.
Dave Bittner: Exactly. But I thought it was worth mentioning just as a clever way that the bad guys are getting around some of the detection systems that are out there.
Joe Carrigan: That is interesting.
Dave Bittner: Yeah. The other one is just a real quickie here. You know, as we are coming up past the election here in the U.S., the bad guys are using that to glom on with their scams. I saw several folks share images where - the old chestnut of Elon Musk giving away Bitcoin.
Joe Carrigan: (Laughter) Right.
Dave Bittner: For some reason, it never gets old because I guess it works. Everybody knows Elon Musk is a rich guy. So if there's anybody who's going to give away free Bitcoin, it would be him. So they're glomming on to some of the election things. I've seen some things where, you know, they reply to a tweet, for example, that President Trump will put out. What's interesting, too, is the wording here. So this claims to be from Elon Musk. Of course, it's not. The actual @ username on Twitter has nothing to do with Elon Musk.
Joe Carrigan: Right - looks like they've compromised a verified account on Twitter, though, because they've got the blue checkmark.
Dave Bittner: Yep.
Joe Carrigan: But it's not Elon Musk's account. They've changed the username to Elon Musk.
Dave Bittner: Correct.
Joe Carrigan: Or the display name, rather.
Dave Bittner: Correct. And what's interesting here is the wording. It says, it's all but decided now. In other words, it's over. To celebrate, we are giving to the people. Now, it's referring to the election because it's replying to something that President Trump tweeted about the election, about mail-in ballots and so on and so forth.
Joe Carrigan: Right.
Dave Bittner: What's interesting is that the wording here is specifically noncommittal. I mean, you could be on either side - right? - and this will resonate with you.
Joe Carrigan: Right.
Dave Bittner: It's all but decided by now. In other words, it's over. Either side could - right?
Joe Carrigan: Yeah. Either side's going, woo-hoo (ph).
Dave Bittner: Yeah. Exactly. This was released, you know, at a time when the election had not yet been settled. Lots of things were up in the air. Votes were still being counted. You know, both sides are rooting for their team and so on and so forth. And so it just struck me as a clever way to word this to maximize the impact regardless of who reads it.
Joe Carrigan: Yeah, I agree 100%. That is definitely playing on your optimism bias.
Dave Bittner: Yeah. Yeah. And it has a link that goes to, you know, a phony website and then a link to a YouTube video as well. It seems like these folks take advantage of YouTube's inability to police this stuff effectively, and that's where they'll put more information to try to hook people on these scams as well.
Joe Carrigan: Yep.
Dave Bittner: But another quickie - just keep your eyes out for that. You know, remind your loved ones that whenever there's something happening, something topical that people are emotional about - and, boy, an election would count for that (laughter)...
Joe Carrigan: Right.
Dave Bittner: ...There's going to be people out there trying to attach their scams to it. So just be mindful of that. All right. Well, those are my stories. Joe, it is time to move on to our Catch of the Day.
(SOUNDBITE OF REELING IN FISHING LINE)
Joe Carrigan: Our Catch of the Day comes from a listener named John (ph). And he says, we have recently seen an interesting wave of email-based vishing attacks, such as the ones below. And he sends along two emails, and there's not really a lot to read here. But the first one comes from McAfee - it looks like it comes from McAfee - and says McAfee invoice. And it looks like an invoice for LifeSafe charging you $491. And underneath, it says T&C, like terms and conditions. Why don't you read the T&C's, Dave?
Dave Bittner: All right. Well, it goes like this. It says, in the event that you might want to proceed with the administrations, if you don't mind, disregard the invoice. In the event that you wish to drop it and go for an inversion of the cash, kindly call us. The charges will think about your ledger in next 24 to 48 hours - McAfee support team.
Joe Carrigan: And then they have a contact number.
Dave Bittner: (Laughter).
Joe Carrigan: This is terrible English.
Dave Bittner: Right.
Joe Carrigan: You have to read this because I am incapable of reading bad copy.
Dave Bittner: (Laughter).
Joe Carrigan: The next one is a fake Amazon invoice, and it says, hello, user. Thank you for shopping with us. We'll send a confirmation when your item ships. And then it's a bill for $719.24. And - interesting - there's no item on this. It just says, we're charging you $719.24.
Dave Bittner: Right.
Joe Carrigan: And it says, hope to see you again soon - customer support help desk. And it has an 800 number. So John continues. He says, the interesting thing is that there are no working links in either of these emails. In both cases, they use a decently sized charge to inspire a sense of urgency, which is a good observation. The only means of contact to resolve this issue is a phone number. Have you ever tried to get a phone number from Amazon?
Dave Bittner: (Laughter) They do not exist (laughter).
Joe Carrigan: Right, they don't. Actually, Amazon will call you. It's a - but you have to hunt for that feature. You really do.
Dave Bittner: Right.
Joe Carrigan: It's miserable. The customer service...
Dave Bittner: It's playing a game of Where's Waldo?
Joe Carrigan: Right, exactly.
Dave Bittner: (Laughter) Trying to find Amazon - a phone number for Amazon.
Joe Carrigan: This is interesting. John says, I called both from a burner number. And in both cases, they wanted me to connect to a web-based remote access tool, which you should never do, by the way.
Dave Bittner: Yeah.
(LAUGHTER)
Joe Carrigan: In the McAfee case, they needed to, quote, "uninstall the software from my system, so I would not be charged." And for the Amazon one, they needed to see me log into my Amazon account so they could, quote, "validate I was credited." They were sincere and sounding helpful and believable. I made sure to waste at least half an hour of their time while not actually following any of their instructions (laughter).
Dave Bittner: Oh, OK. So I guess I'm seeing the other side of this. So this is not - the real attempt here is not to get you to actually pay this invoice.
Joe Carrigan: No, it's not.
Dave Bittner: The attempt here is to get you to challenge the invoice.
Joe Carrigan: To call the number.
Dave Bittner: Right. And then they get your credentials.
Joe Carrigan: Yep. They can install software on your machine or do anything.
Dave Bittner: Right. And that's the ballgame.
Joe Carrigan: That's the ballgame. That's exactly what the end game is here - is they're trying...
Dave Bittner: Interesting.
Joe Carrigan: ...To get onto your machine, or they're trying to get access to your Amazon account.
Dave Bittner: Right. So how do we advise people to protect themselves against this?
Joe Carrigan: Number one, just be aware of what these scams are. That's always the best part. That's why we do this podcast, right?
Dave Bittner: Yeah.
Joe Carrigan: Number two, don't call the number. This is a fake invoice. If they're going to charge you on a credit card, you can always dispute the charge on a credit card and say, nope, that's a fraudulent charge. But that's never going to happen with these. These are just phishing emails that have been sent out. And the Amazon invoice - it says, hello, user. And Amazon will never send you something that says, hello, user. They'll send you something with your name on it, if they send you anything at all. And the same with the McAfee invoice - it says, dear user. And then it has your email address underneath of it.
Dave Bittner: Yeah. I'll say the Amazon one looks pretty convincing...
Joe Carrigan: It does.
Dave Bittner: ...More convincing than the McAfee one.
Joe Carrigan: Oh, by far.
Dave Bittner: I mean, they've definitely imitated the style of what you would expect to see in a communication from Amazon, much more carefully crafted than the McAfee one.
Joe Carrigan: Yes.
Dave Bittner: That's interesting. Yeah. And I guess that point you made earlier - I mean, never allow anyone to remotely install software on your machine or have remote access to your computer.
Joe Carrigan: Right.
Dave Bittner: That is just a big, old, gigantic red flag. Don't ever do that.
Joe Carrigan: (Laughter) That's right. So even if you do call them and somebody says, we need to - in order to resolve a billing issue, we need you to connect to web service at - no, that is never necessary to resolve a billing issue.
Dave Bittner: All right. Well, interesting stuff for sure. And we thank our listener - was it John? - for sending that into us.
Joe Carrigan: Yes, John. Yep.
Dave Bittner: All right. Yeah, much appreciated.
Joe Carrigan: If you get one, send it along, so we'll - and maybe we'll feature it.
Dave Bittner: That's right. All right. Well, that is our Catch of the Day.
Dave Bittner: Joe, I recently had the pleasure of speaking to Kurtis Minder once again. He's been on our show before.
Joe Carrigan: Yes.
Dave Bittner: He's from an organization called GroupSense. But this time, we were talking about the ransomware negotiation industry, which is fascinating that - and I suppose a bit sobering - that we've hit the point now with ransomware where there's a whole industry that's popped up of professionals who are there to help you negotiate with these ransomers. And that's something that Kurtis Minder has some expertise on. So here's my conversation with him.
Kurtis Minder: You do hear a little bit of, we made the right investments in our security stack. I'm surprised this got through. But, frankly, it's going to happen. You know, statistically, it's likely to happen to anybody. A lot of the attack vectors are actually pretty easily avoidable. It's usually, like, account takeover or phishing - right? - is usually the point of entry.
Dave Bittner: Well, let's walk through it together. I mean, when you head into a negotiation, where do things stand, and how do you get started?
Kurtis Minder: Well, it depends on the program maturity of the customer. Larger enterprises typically have some kind of incident response plan that may or may not capture what to do in the case of a ransomware incident. A lot of smaller companies, mid-level companies do not have a plan. So it really depends on who you're interacting with. In the case of the larger companies, our team is usually being pulled in by either the cyber insurance company or the incident response firm that is already on retainer for this customer. And typically, in the room, you're going to have somebody from the business leadership of the company - so a CEO or somebody like that, CFO. But you also have somebody from the technical leadership, typically the CISO. And often - and we do recommend this - you notify law enforcement. So there might be a representative from law enforcement there. The cyber insurance and an internal and/or external counsel will all sort of be involved in the decision making about the ransomware and how to negotiate. In smaller companies, it's the IT manager (laughter) and maybe the IT person. And so they have a little bit harder time sort of navigating this.
Dave Bittner: How do you go about, at the outset, sort of setting expectations for what's going to happen?
Kurtis Minder: You know, I do this at the outset but also frequently throughout the process. You need to remind the affected companies that if we have decided to do a negotiation - and that's if - you don't always do it, but if you decide that you're going to engage the threat actor and do a negotiation, you know, it's important and incumbent on me to remind them that we're about to enter into a deal on the honor system with someone who has no honor or accountability (laughter), right? So results may vary. That said, there's been some studies done that show that only about 1% of the time do these guys actually dishonor the contract. That number may shift a little bit over time, but generally speaking, these folks are operating a legitimate and illicit business. But if they didn't honor these ransomware payments, then no one would ever pay them. And they know that. And so they often do honor them.
Dave Bittner: So let's work through it together. I mean, you reach out to the folks who have installed this ransomware. But where's the negotiation begin?
Kurtis Minder: Well, a lot of folks don't realize this, but what typically happens is you come into the office one day. You find out your files on your file server or your systems are locked. On one of those systems, you'll find a note. It's typically a text file or something like that. Or some of your executives may receive emails. More often, it's the note. What a lot of people are surprised to find out is that note does not actually ask for any money, typically. The note's - they just say, hey, look, we've done this to your system. If you want to recover your files, please reach out. And they give you, usually, two email addresses to communicate with. And they have a primary and a secondary if no one responds to the primary. And there's a whole reason behind this. It's complicated (laughter).
Dave Bittner: So you reach out. And who makes the first offer?
Kurtis Minder: I want to be careful about trades and tactics. But generally speaking...
Dave Bittner: Yeah.
Kurtis Minder: ...We typically like the threat actor to put the first number out. And we also don't assume that we're paying anything. So often, you know, our first message to the threat actor is, thanks. Can you unlock my files, (laughter) right? So don't assume anything. And, of course, you know, 100% of the time, they ask for something in return for that. But it's part of a psychological process. I think the important thing to understand is how - the tone to set with these folks. One, they're typically operating primarily in a foreign language. So this is a - English is a second or third language for them, so simple communications but also trying to be cognizant of tone. And treating them almost like a businessperson or in a business transaction tends to work better than, you know - like, for example, you do not need to tell the threat actor that they've done something bad. They know that (laughter). It does not help your cause...
Dave Bittner: Right, right, that was the whole point. Yeah. Right, right (laughter).
Kurtis Minder: Right. It does not help your cause. So you know, the more that you treat them like a peer and/or a business associate and that this is a business transaction, the better off you're going to be.
Dave Bittner: Ah, I see. So shaming them isn't going to get you anywhere.
Kurtis Minder: No, no. And we've actually been pulled into a number of cases where it has gone wrong. And they've pulled us in sort of in the middle of the negotiations. And we've seen the transcripts of what taking the wrong approach can do (laughter). So I think the message to convey is, like, don't try to do this yourself. There is an art form to it. And there's quite a bit that understanding the threat actors themselves brings value to this. And that's - you know, as an intelligence company, that's something we already know. So we bring that to the table.
Dave Bittner: In terms of the threat actors themselves, are they expecting some level of negotiation? Is that how these things work?
Kurtis Minder: Yes. They try to mitigate it. Sometimes they'll put some sort of bogus threats on the front end to try to tell you not to bother (laughter) to negotiate. But so far, 100% of the time, they've capitulated and negotiated to some level. It also depends on the type of threat actor. So we're talking about kind of two different sorts of operations. There's one that is threat actor groups. Those folks have a playbook. And you're also talking about individual actors who have less of a playbook, but you're probably the only one they're dealing with at a time. So there's a different sort of way that you engage.
Dave Bittner: Is there an element of buying time here? In other words, while you're in the midst of negotiating, is - does it ever happen that, you know, there are people behind the scenes sort of running the numbers and saying, OK, is it worth it for us to reinstall everything or restore from backup...
Kurtis Minder: Oh, yeah.
Dave Bittner: ...Or those sorts of things?
Kurtis Minder: Yeah. And usually, those decisions are made before we engage the threat actor. You want to have some corporate risk decision made about whether restoration from backups and/or - sometimes you - there are tools that can help you decrypt these things. You want to explore those things. Simultaneously, you want to be engaging in an incident-response process, right? So you have people trying to figure out how they got in. Are they still in? Can we lock them out? Those are all fundamental, I think. But, yes, you're going to do some equation about whether this is a worthwhile endeavor. Sometimes that decision is made for you. If you have a cyber insurance company, they've got actuaries to figure this out for you. So they say, like, well, you know, by our estimation, it costs more for us to help you repair than it does for us to just pay the ransom. It's like, do we total the car? Or do we buy - (laughter) you know what I mean?
Dave Bittner: Right (laughter).
Kurtis Minder: Or do we repair it. It's the same kind of math, right? And so in some cases, the cyber insurance companies will just say, look; just pay it.
Dave Bittner: What about this fear that I think a lot of people have that if they pay the ransom, that's just going to put a bigger target on their back? What's been your experience with that? Do the folks doing this, do they come back for more?
Kurtis Minder: So can lightning strike twice, I think, is kind of the way to ask it? Yeah, I think so. But I doubt and I haven't seen any evidence that the same threat actor does it twice.
Dave Bittner: OK.
Kurtis Minder: From a macro level, I will zoom out and say that every company that pays a ransom is incentivizing that industry, which I - you know, while I'm here to help folks pay as little as possible and facilitate the transaction, in some cases, I am not a fan of paying these people (laughter), you know?
Dave Bittner: Right.
Kurtis Minder: And if we can find ways to avoid doing that, I'm all for it.
Dave Bittner: Yeah. And, I mean, we've heard - certainly, that's the message from law enforcement. Or the FBI has said, you know, in most cases, they prefer (laughter), if you will, that you don't pay the ransom for exactly the reasons you described.
Kurtis Minder: One hundred - yeah, 100% of the cases, they will tell you not to pay the ransom. But...
Dave Bittner: Right.
Kurtis Minder: ...They're supposed to say that. Yeah.
Dave Bittner: Yeah.
Kurtis Minder: And we saw the release from the Treasury Department and OFAC about potential civil penalties if you're paying ransom or facilitating the payment of ransom to, you know, threat actors who are on the sanctions list or in - operating in countries that are on the sanctions list. So generally, the government's trying to curb this. My problem with it is that's a one-sided approach. If you don't also provide a program for the companies that are affected to solve this problem another way, then it's lopsided. You're probably going to just drive behavior underground. There's a lot - for a lot of these companies, it's a - it could be a business-ending event, right? And so civil penalties are probably not something they're (laughter) worried about.
Dave Bittner: Right. You know, I'm struck by the - I think, the reality that a lot of people are - would admit to themselves that they're probably not great negotiators, you know? I don't consider myself someone who can walk into a car dealership and walk out with a - you know, the best deal that's ever been gotten.
Kurtis Minder: Yeah.
Dave Bittner: Other people feel quite confident in that. Do you have any sort of guidance for folks as to setting that value proposition for themselves in terms of bringing in someone like you? When is it best to - in their best interest to have someone come in to help from the outside?
Kurtis Minder: If you decide, you know, make the business decision that you are going to engage the threat actor, you should 100% of the time bring in a professional to do the negotiation. One of the first things we do when we engage is we let the threat actor know that we are a third party acting on behalf of the affected company. That sends a really subtle message that, hey, the company brought in a professional who's probably done this before and maybe even with my own threat actor group on other companies. And that changes the way that they interact with you. They can tell when your IT guy does it.
(LAUGHTER)
Kurtis Minder: And tries - they can tell. And it changes the dynamic and certainly, in my opinion, probably - and some of the evidence I've seen supports this - worse monetary outcomes.
Dave Bittner: And I suspect, from the threat actor's point of view, when they see a professional negotiator come in, odds are they're going to get something, right?
Kurtis Minder: Yeah. Yeah, I mean, we're paying something, you know, nearly 100% of the time. We've gotten lucky a few times and been able to unlock the files as part of the process. And that sort of mitigated the need to pay. But in most cases, we're going to pay something. But these guys are typically shooting a pretty large, you know, shot over the bow as far as the amount that they're asking for. They recognize that they're probably going to land somewhere in the 10 or less percent of the original number. It depends on the group. And it depends on the affected company. These guys are doing their homework. They do know what your revenues are, (laughter) you know, how many employees you have, that sort of thing. They're getting smart about it. It's a business. But - so it varies. But typically, they're expecting you to pay something. And they recognize it's going to be some fraction of what they've asked.
Dave Bittner: Do you have any, you know, sort of general words of wisdom here for folks who have not - have had the fortune of not yet being hit by ransomware? As someone who's on the inside of this process, who's seen it play out many times, what are the best things folks can do to help protect themselves against this?
Kurtis Minder: Protecting themselves against it is just some really basic security best practices. Like I mentioned earlier, most of these attacks are propagated by account takeover, so that's just password policy. Two-factor authentication - turn those things on, enforce them (laughter).
Dave Bittner: Right.
Kurtis Minder: And it'll do miles to save you from this. And then, also, some user education stuff around phishing, some really basic - I know some folks are probably rolling their eyes - Security 101 things are where these problems emanate from. As far as something to tell someone that we're - that has not yet been affected by this, have a plan. And in that plan, assign specific roles and responsibilities like you would a normal disaster-recovery plan. Assume that someday this may happen, and you need to have a set of steps. That plan should typically include, at least, having a corporate counsel on retainer, an IR firm on retainer and, you know, obviously notifying law enforcement on the front end. I always recommend that you do that. So those are the main things.
Dave Bittner: All right. Joe, what do you think?
Joe Carrigan: I'm always glad to have Kurtis on the show.
Dave Bittner: Yeah.
Joe Carrigan: Interesting. Last time he was on, we were talking about a Bromium report. And today, while he's on again, I mention another HP-Bromium report.
Dave Bittner: (Laughter) Right.
Joe Carrigan: It's weird. I don't know.
Dave Bittner: (Laughter).
Joe Carrigan: The vectors are account takeover and phishing. That's how these ransomware attacks happen: they take over your account - your username and password - or get in through some kind of phishing email. Large companies, there are a lot of people involved in the process. That was interesting, I thought. In small companies, it's usually, like you said, just the IT manager and, maybe, the owner of the company trying to do this. And, you know, that's never going to be as helpful as having a lot of heads on this, right? You're entering into a deal with a dishonorable person once you start working with a ransomware attacker. But I find it interesting that he says only about 1% of these deals don't honor the payment. So most of these guys, 99% of them, when you send the money, they will unlock your computers. And...
Dave Bittner: Right.
Joe Carrigan: ...We talked about this before. The reason they do that is because if they stop doing it, nobody will pay ransom.
Dave Bittner: Right.
Joe Carrigan: Right?
Dave Bittner: Right. It's in their best interest to handle this in a professional manner.
Joe Carrigan: Yeah. And that's my next point. It's a psychological event, whatever it is. And being professional helps when you're talking with these guys. You take the wrong approach with these people and it can be really detrimental to the process.
Dave Bittner: Yeah. It's interesting to me how - he pointed out that the ransomers seem to breathe a sigh of relief when they know they have a professional on the line, you know? Like - (laughter).
Joe Carrigan: Yeah, that was interesting as well because...
Dave Bittner: Right. Right.
Joe Carrigan: ...Immediately they know they're going to get paid, right?
Dave Bittner: Right. Right.
Joe Carrigan: They're going to get paid.
Dave Bittner: And it's being taken seriously. Yeah.
Joe Carrigan: Yeah. And what is also interesting is that Kurtis can usually talk them down to a fraction of what they originally asked for in terms of negotiating. He negotiates them down to about 10%, he said.
Dave Bittner: Yeah.
Joe Carrigan: That's amazing.
Dave Bittner: Still a good payday. But...
Joe Carrigan: That - yeah. If you ask for a million dollars and you get off with $100,000, that's still pretty good.
Dave Bittner: Not a bad day. Yeah (laughter).
Joe Carrigan: Yeah. Yeah. It's - especially if you - that's a good day in America, I mean, where...
Dave Bittner: (Laughter) Right.
Joe Carrigan: ...Where we have a pretty high median income. It's...
Dave Bittner: Yeah.
Joe Carrigan: It's a really good day if you're in, like, Nigeria or something. Earlier I mentioned that there were large organizations and small organizations that get hit by ransomware. And then there are large organizations and smaller ones that are running these operations, right? When you're talking about a larger organization, that's a more defined, professional organization than the smaller organization even in the criminal world, right? So if you're talking to one guy, Kurtis may get farther in the negotiations with the one guy, with the sole proprietorship of the criminal ransomware (laughter) enterprise, than he will with a large conglomerate criminal (laughter) enterprise. I find that to be - that's an interesting observation. And Kurtis makes a good point here that civil penalties are not really significant when you're talking about the end of your business. If you're a small to medium-sized business and you're looking at, you know, having to pay $50,000 in ransom and somebody's going to slap another $5,000 fine on you for paying it, you'll pay the extra $5,000. It's OK because, otherwise, if you don't, your livelihood's gone.
Dave Bittner: Right.
Joe Carrigan: Now, there are other ways - we've talked about in the past and - we broached this subject. We said it's time to discuss this. And I haven't endorsed this or believed - or said definitively that this is what we should do. But if we outlawed the payment of ransomware, I think the problem might go away. But I'm not ready to wholeheartedly endorse that concept.
Dave Bittner: Yeah. There'd be a lot of pain in the in-between time, you know? And - (laughter).
Joe Carrigan: There would be. There would be significant pain. And some businesses would close. That would be the end of them.
Dave Bittner: Right. Absolutely. All right. Well, once again, our thanks to Kurtis Minder for joining us. Always a pleasure to talk to him, always interesting things that he shares, so we appreciate him taking the time. We want to thank all of you for listening. And, of course, we want to thank the Johns Hopkins University Information Security Institute for their participation. You can learn more at isi.jhu.edu.
Dave Bittner: The "Hacking Humans" podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our coordinating producer is Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner.
Joe Carrigan: And I'm Joe Carrigan.
Dave Bittner: Thanks for listening.