Threat Vector 3.19.26
Ep 109 | 3.19.26

Inside Ransomware Negotiations: Trust Criminals or Walk Away?

Transcript

David Moulton: Welcome to "Threat Vector," the Palo Alto Networks podcast where we're discussing pressing cybersecurity threats and resilience and uncover insights in the latest industry trends. I'm your host, David Moulton, Senior Director of Thought Leadership for Unit 42.

Jeremy D. Brown: Well, if you were ever in the situation where you get attacked by a ransomware group or a threat actor that has exfiltrated your data and/or encrypted your environment, bring in the professionals, guys. Do not contact a threat actor on your own. Do not talk nasty to them. Adverse things will happen. Engage a professional negotiator that has done this many times, because we are going to walk you through the dos and don'ts of how to handle this situation and scenario. [ Music ]

David Moulton: Today, I'm joined by Jeremy D. Brown, Consulting Director of Palo Alto Networks. With nearly 7 years in that role and prior experience as Principal Consultant at Crypsis, Jeremy brings deep expertise in incident response, consulting and strategic threat negotiation. Today, we're going to talk about threat actor negotiation: why it's vital, how it works, and what security teams need to know to get it right. A quick note to listeners: this podcast took everything, reschedulings, multiple crashes during the recording, and Jeremy's insanely cute dachshunds trying to join us during the conversation. Stick with us. It's worth it, and apologies for any rough bits that we can't edit out. [ Music ] Jeremy, welcome to "Threat Vector." I'm excited to finally be able to have you on the show. I know we've been trying to get you in to talk about threat actor negotiation, but every time we have it scheduled, you were called for service. I appreciate that you're not busy today and you're able to make it on the show.

Jeremy D. Brown: Appreciate that David. Glad to be here finally and just looking forward to the conversation.

David Moulton: Can you talk to me about when you first became focused on threat actor negotiation? That's a very particular skillset, and maybe there was like this defining moment or a case that really pulled you in?

Jeremy D. Brown: Yeah, absolutely. So, I came from the public sector always working as a contractor on the side of the government, in which we would never negotiate with a threat actor, right, no matter what the incident was. So, when I came to Crypsis, at first I just started working lots and lots of ransomware engagements and learning the ropes and it always intrigued me to talk to these cybercriminals. So, basically from the onset of beginning working in the private sector, knowing that we can speak to these threat actors, it was something I always wanted to do and I learned from one of the best at the time and basically I've never looked back since.

David Moulton: And maybe before we get into the details of threat actor negotiation, what is it that really drew you into incident response and this industry in general?

Jeremy D. Brown: Yeah, I mean, incident response as a whole is a niche field, right? Every single matter that we work is different, even if it's against the same ransomware group or threat actor organization, guys. You know, again, it keeps you on your toes. You always have to learn something new. You have to keep up with these threat actors' TTPs, IOCs, things of that nature, and you always have to learn something new every day. I try to learn something new every single day. So, again, you know, with that type of fire and passion under my belt, it just helps me, you know, keep on going and working these different cases year after year.

David Moulton: Well, I'd imagine that between the threat actor negotiations, learning new TTPs, keeping up with all the different tactics to what's going on in the overall landscape, you're never really that bored and your mind is always just on fire.

Jeremy D. Brown: Absolutely, never bored. I think that's the key, right? It's not stagnant. It's not the same every single day, day in and day out and every day is a different day for what we do here.

David Moulton: Well, let's get into the basics. What is threat actor negotiation and, you know, how does that typically play out during that ransomware incident?

Jeremy D. Brown: Yeah, so, you know, when you are attacked by a ransomware group organization, typically they're going to leave a note behind saying, "Hey, we did this. We did that. This is who we are. Contact us within x amount of time." A lot of times that's 72 hours. There is a difference between threat actor communications versus threat actor negotiations. We do encourage clients, most counsel does as well, to engage with the threat actor. We learn information from them. We tend to get, you know, good forensic information out of them, so we can pinpoint analysis, right? Get files and file tree listings from the threat actor to provide to the victim entity so we can identify and understand the data at risk or data in play. Where the negotiation piece comes into it is when a victim entity or company that got hit with ransomware actually wants to negotiate the price with the threat actor to possibly make a payment.

David Moulton: So, I'm going to step away from our usual script, what you just said reminded me of this great movie. It's called "The Incredibles." I don't know if you've seen it. It's a Pixar film. And, you know, you caught me monologuing. It sounds like sometimes the more you end up talking to a threat actor, the more they give away a key detail even if they didn't mean to. Is that maybe their monologuing gives away some sort of clue or insight that helps you out?

Jeremy D. Brown: Yeah. It absolutely does. Again, it helps the forensic entity, Unit 42, kind of track and walk back the data exfiltration, right? How did they take the data? Where did the data come from, right? Did it come from a server? Did it come from a shared folder or a drive? You know, where did the data come from?

David Moulton: So, Jeremy, are there common phases or like is there a threat actor playbook that you've noticed that these threat actors tend to follow when they're trying to engage with a victim to get that ransom?

Jeremy D. Brown: Yeah, absolutely. And now it really depends on the group or the ransomware as a service gang that we, you know, negotiate with or reach out to. Some of these guys are very aggressive in nature. They're very nasty in tone. They're very aggressive in getting your attention if you don't reach out immediately. They will email employees. They will email C-suite executives to get your attention. We know those cybercriminals that do that versus the ones that do not. So, they all do tend to follow a certain playbook. One example is the Akira ransomware group. We've been working against them for 3 years and basically, it's the same basic, you know, responses every single time. So, we kind of know what we're going to get with them. Now, there are wildcard threat actor groups out there that operate different each and every time. These cybercriminal rings, they operate as a business. They actually think of themselves as a business entity where they have the hackers, the bosses, and then the operators who are actually the ones communicating with someone like me on the other side.

David Moulton: Jeremy, how do the defenders or incident responders like yourself prepare for entering into those negotiations with a ransomware group, especially when you said some were really aggressive, maybe some are not as responsive? It seems like there's got to be a lot of things that you're prepared for when you walk into that conversation.

Jeremy D. Brown: Yeah. I think it's the executive advisor or case leader, like some of them like myself that lays out kind of what's going to happen in a threat actor communication negotiation for the customer, right? This is their worst day. They don't understand this. They don't do this for a living like we do. So, kind of walking them through the process and what we can expect from threat actor x, y, or z is very critical for the executive leadership team in these organizations. Transparency is key, kind of letting them know that "Hey, look. We want to reach out to prevent this or we want to reach out to understand why," you know? Again, just preparing the legal teams whether it's outside counsel, inside counsel, and the executive leadership team is critical before we start a negotiation.

David Moulton: Do you ever work with organizations during a tabletop on this specific thing? It seems like walking into a negotiation and you've got to trust that Jeremy understands exactly what's going on would be better than not having you there, but overall, not having gone through this fortunately a bunch of times, and then having your first time be a live fire exercise, seems terrifying.

Jeremy D. Brown: It is. We do offer those services, tabletop exercises for a, you know, faux threat actor negotiation is a thing. And we recommend things like that for large organizations or any organization really, from a proactive standpoint if that makes sense?

David Moulton: Yeah, it really does. I was recently able to take part in driving a supercar and that's not my usual M.O., but I had a passenger seat driver or coach right there with me walking me through the whole thing, and I caught some great speed and had a lot of fun. No way! No way I would have been able to drive that fast without somebody right there by my side, and that's what I'm picturing: you're right there with them going through something new and a little scary, but maybe it's better to do it on the safety of a track than in a real race; I don't know, I'm mixing my analogies here. But it's just what you're making me picture as we're talking about this. Who else is involved in this negotiation process internally? I mean, you've mentioned a couple of the parties, but I'm wondering, how big does that group get when you're really involved in a negotiation?

Jeremy D. Brown: Yeah, I mean, that's a great question. So, typically when you're running a large-scale incident response against a ransomware case or ransomware group, there are many plates that you're spinning, right? The forensic analysis, data collection, remediation, eradication, again, you know, containment, and then negotiations. But a negotiation and communication really gets whittled down to a smaller audience, because you want to keep that information really tight, in a tight circle, so typically it's going to be the CEO, VPs, ELT, the Executive Leadership Team. You will have outside counsel, who's representing the victim organization, then you'll also have a lot of times internal counsel, right, or we call it general counsel. So, you don't typically have the whole IT team there, you know, all the key players that are doing analysis from our side, or you don't have the client team there as much that's on the IT side of things. So, you do reduce the audience to keep it, you know, more of a tighter circle, if that makes sense?

David Moulton: It really does. I'm wondering what types of misconceptions clients have had. You know, Hollywood and different movies do a really great job of showing negotiators and those sorts of things, and it seems really intense and, you know, down to building a human connection, but I would imagine some of those things don't really pay off in the experiences that you've had with an actual threat actor.

Jeremy D. Brown: Yeah. I think the number one misconception and I've heard it ever since I've been doing this is, "But, if we contact them, we have to pay," right? That is not the case. So, that's the biggest misconception that I typically run up against. Just because we reach out to these threat actors, does not mean you're making a payment. So, we just educate the client in terms of, "This is going to prevent number one; them posting you on their leak site, them contacting employees; contacting executives. We're going to get information out of them to help understand where the data came from. It's also going to help you understand the data in play or the data at risk. So, we can, you know, basically let you make the smartest decision on notification obligations." [ Music ]

David Moulton: So, you've been doing this for quite some time and I'm wondering if you can talk to me about how the landscape of negotiation has really changed with things like the rise in double extortion and then you just mentioned leak sites; how do those things impact your work?

Jeremy D. Brown: Yeah. That's a great question. You know, 7 years ago, 6 years ago, 5 years ago, really kind of pre-COVID, it was a lot of single extortion, right, David? What do I mean by that? So, there was not much data theft or exfiltration, it was just the encryption of that. So, these threat actors would come in and get out; we call it "smash and grab ransomware." One of them that rings a bell is Phobos, you know, a long time ago, where they just came in, they didn't take data, but they encrypted. So, the double extortion really began to rise, you know, right around the COVID time. And what we mean by double extortion is, the threat actors come in, and not only do they encrypt your environment or your organization, and your systems, and servers; they're taking large amounts of data, right? And they're looking for, you know, anything with PII or PHI in it, PCI sometimes, anything with sensitive information to them holds a lot of value. But the rise in double extortion is something that we've seen increase over the years. You know, interestingly enough, we're starting to see more single extortion again, where there is a lot of data exfiltration without the encryption event. Now, that varies, you know, based on whatever threat actor it is, but again, these tactics change all the time, so we always have to be on our toes.

David Moulton: And do those tactics affect the urgency or the strategy of the negotiation?

Jeremy D. Brown: No, it doesn't. I mean, there's organizations where they don't have any valuable data, right? We'll get a file tree listing; they'll look at it and say, "This doesn't cause me heartburn. This isn't a pain point. There's nothing in here that we would know to notify on." So, again, you know, that basically means we're going to walk away, right? So, what we do is we kick the can down the road, so to speak. These negotiations go one of two ways. Number one: we're either going to try to buy as much time as possible so we don't get the victim entity posted on a leak site, or we're going to go into a real negotiation and try to get the amount down as much as we can to, you know, go ahead and make that payment. So, every one of these is different, and I mean different no matter who the threat actor is, even if it's the same threat actor that we're dealing with. You know, it's really on the client's shoulders of, you know, is this data valuable? Is it not? Are we able to recover with backups? Do we even have good backups, or do we need an encryption key? So, every step of the way, we're guiding the victim entity and the client in what the best decision may be, along with outside counsel.

David Moulton: So, are there any redlines that defenders should never, never cross during a negotiation?

Jeremy D. Brown: Yeah, absolutely. You never want to seem very desperate to get that key right away, because your leverage is not there, right? The price won't go down much. You're not going to get a good amount off. And then the other redline is, do not talk to these guys nasty. Do not speak to them mean. Yes, we'd like to, not only us, but the client, counsel, we would like to, you know, give them a piece of our mind, but at the end of the day, we get more out of these threat actors in the negotiations and communications by being empathetic, sympathetic, and apologetic, and very polite.

David Moulton: Jeremy, let's talk about timing. When does negotiation begin and when should an organization just walk away?

Jeremy D. Brown: So, typically the negotiations are going to begin within that 3 to 5-day range. And it really depends on the note from a threat actor, a lot of times they are going to put in there, contact us within x, y, or z days or hours. We never want to contact them right away though or immediately, unless we're in a situation where the client team does not have good backups. I've seen it where threat actors were able to get the backups and delete them, so they just cannot operate or recover. When that's the case, we have to reach out right away, but typically, it's in that 3 to 5-day range David.

David Moulton: And is there ever a situation where you want to refuse negotiation because you know that's going to lead to a better outcome?

Jeremy D. Brown: Typically no, but there are situations where that happens, again, we want to get information out of the threat actor, right? You know, show us the data you took. Give us a file listing. You know, work with us to understand the data in play, it's really important to our executive leadership team. There are cases where the client has a really good backup environment and they have backups from the night before or the day before. They don't need a key. They don't have sensitive information and data in their environment. So, they will elect not to reach out to the threat actor, but that's very, very, it's a very low percent of times that we come across that.

David Moulton: So, you're dealing with criminals and their motives are generally, you know, get as much money as fast as possible. How do you evaluate the credibility of this other person that you're negotiating with, who has already proven themselves to have, say, thrown their morals and ethics out the window, right? They're stealing and trying to harm a business, and now you're trying to negotiate with them in good faith, you know? Can you ever trust that they'll honor their promises when you enter into these negotiations?

Jeremy D. Brown: Yeah, and that's a great question. I mean, we're asked that a lot by the client organization or the victim entity at hand, right? How can we trust them? So, this sounds like a crazy answer, and I've had threat actors say the most amazing things to me over the years, things I've forgotten. Some funny things, right? Like "Hey, can you hire me? I will work for you free for 2 months." But, at the end of the day, most of these cybercriminal rings we deal with, they do live up to the negotiations, right? They do live up to the agreement, because they know, if they don't live up to it, right, they don't provide a decrypter, they don't provide all the data back, or they don't give you the full listing, or they don't tell you how they got it, nobody's going to pay them in this industry, right? So, it's all monetary-based and looking for a payment. If they do things like that, people won't pay, right? If they leak your data down the road, people are going to know that and they're not going to pay. There are groups that we know that I will not recommend to pay. [inaudible 00:20:09] is one of them, right? You know, WastedLocker is another; they're a sanctioned entity. There's a few sanctioned entities out there that you can't pay. Do not pay them, because you're going to go, you know, into litigation over that with three-letter agencies here in the States. So, at the end of the day, you know, these threat actors do tend to live up to their promises. There's only a sliver or a few that do not, David.

David Moulton: And so, you mentioned a couple of things which sound like they're experienced or they're very public. You should negotiate here, because a three-letter agency will come and have a conversation with you or more. But are there tools or are there indicators that Unit 42 uses to assess a threat actor's behavior to understand, you know, how much can you trust them? How much can you believe them when they say that they're going to pay or they're going to behave in a certain way?

Jeremy D. Brown: Not necessarily a tool out there. I think we use metrics, you know, that not only we keep, but outside counsel keeps, and other, you know, payment vendors out there keep. So, before a payment is even ever made, we'll get the Bitcoin wallet and there are AML checks, which are anti-money laundering checks, and OFAC checks against these Bitcoin wallets, because if they show up on the sanctions list, we cannot pay them. We will not pay them and we do not recommend to pay them. But other than that, it's a lot of just experience, right? The negotiator; how long has that negotiator sat in the seat? How much experience do they have? I'm very seasoned in this. I've done this a lot, and I mean hundreds of them over the years easily. And basically, I kind of know who we're dealing with right away, guys.

David Moulton: So, Jeremy, you mentioned some three-letter agencies come knocking. That might be one consideration, but are there ethical or other legal considerations that companies need to think about before they start a negotiation or, specifically, before they pay a ransom?

Jeremy D. Brown: Yeah, I mean, we can address ethical, right, as well as the legal considerations. So, the ethical, you know, consideration is always "Do we want to pay a cybercriminal?" Why would we want to pay them? We're just rewarding these cybercriminals. So, there are ethical, you know, considerations there. You know, if we make a payment and it goes public, does that, you know, does that look bad on our organization or company, right? So, there is that side of it. There's also legal considerations too, because, you know, a lot of times if there is a class action lawsuit, they might say something like "Well, why didn't you pay the threat actor to suppress our data from being released," right? So, there's definitely both sides of the fence on that. So, you know, when you work with good outside counsel firms, we're really good at walking the customer through each of those considerations so they can make the best educated decision on their end.

David Moulton: And can you talk to us quickly about how sanctions lists and some of those legal compliances impact your decisions?

Jeremy D. Brown: Yeah, I mean absolutely. So, again, we use what is called an MSB to make the payment, a money service broker. Once we give them the indicators of compromise that we have from the investigation, once we give them the threat actor's Bitcoin wallet, email handles, anything that can identify these individuals, they're running these through the sanctions checks and the AML checks, to make certain that we are not paying a sanctioned entity. SamSam ransomware group, they're Iranians, cannot pay them. WastedLocker, Russians, cannot pay them. So, at the end of the day, these money service brokers are really digging into anything that can identify who the threat actor is in order to make the best decision possible to either pay or not pay, David.

David Moulton: So, I want to spend the last question here asking you about how organizations and, you know, leaders that are listening to this podcast, can improve their readiness for a potential negotiation scenario, you know, it's better to be ready before it happens. Walk us through maybe, you know, the top three things that you think a leader could do or an organization can do today to make sure that they're ready for that conversation.

Jeremy D. Brown: Yeah, I think you need to understand your data, right? What does your business, as an overall whole, contain that would be sensitive in nature and would give reason to even enter a negotiation with a threat actor? The next thing that I would do is, who will be the key players involved in the threat actor negotiation and decisions if that time ever came? Is it your CEO? Is it your VP? Is it your general counsel? Is it all three? Is there somebody else that we're going to loop in here? Knowing the key players that would be involved in this is also critical. And then number three, going through a tabletop exercise, you know, just simulating a negotiation with a forensic firm like Unit 42, just so you kind of have, you know, you get your toes wet a little bit in case it ever happens, so you're not, you know, a deer in the headlights: what do we do? Oh, no. What are we going to do? So, I think those are some critical things that you can do to prepare yourself, you know, in case this ever happens to your corporation.

David Moulton: Jeremy, thanks for coming on Threat Vector. I know that you're busy and you had to set aside some time in your busy schedule to come on and talk to me about threat actor negotiations and, you know, I learned quite a bit and I hope that our audiences have as well.

Jeremy D. Brown: I appreciate it David. It was my pleasure and I'm glad we got caught up finally.

David Moulton: For our listeners out there that want to learn more about threat actor negotiations or even just to read some of your work or connect, where can they reach you on the Internet?

Jeremy D. Brown: Yeah, I mean I've got a few blogs out there from Unit 42, LinkedIn as well, so if anybody has any questions you can absolutely get ahold of me. [ Music ]

David Moulton: That's it for today. If you've liked what you've heard, please subscribe wherever you listen and leave us a review on Apple Podcasts or Spotify. Your reviews and feedback really do help me understand what you want to hear about. If you want to reach me directly about the show, email me at threatvector@paloaltonetworks.com. I want to thank our executive producer Michael Heller; our content and production teams, which include Kenne Miller, Joe Bettencourt, and Virginia Tran. Original music and mix by Elliott Peltzman. We'll be back next week. Until then, stay secure, stay vigilant. Goodbye for now. [ Music ]