A growing swarm of ransomware attacks has created a cottage industry of tech whizzes willing to do what companies and law enforcement won’t: negotiate with the cybercriminals taking systems and data hostage.
The FBI’s stated policy is that it does not negotiate with cyberattackers, the same way it does not negotiate with terrorists. That policy has helped open a market for private cybersecurity professionals who specialize in interacting with attackers on behalf of victims who decide to pay rather than wait for the government to solve their cases.
The increase in ransomware attacks has created plenty of work. The FBI is investigating about 100 variants responsible for dozens to hundreds of attacks, said Tonya Ugoretz, FBI Cyber Division deputy assistant director. She said the agency found only a handful of highly impactful variants a year or two ago.
GroupSense, a cybersecurity company in Arlington, Virginia, handled its first ransomware negotiation case last year, founder Kurtis Minder said. Afterward, law firms and a cybersecurity insurance company involved in the case referred a steady stream of work his way.
Mr. Minder received even more requests for his services after a law firm persuaded him to add ransomware negotiation to the offerings on the GroupSense website. Most of the requests were from those who could not afford costly attorneys or insurance policies to cover the digital setbacks.
Mr. Minder, however, was not a trained negotiator. He hurriedly got up to speed by reading books and taking online classes, particularly the MasterClass videos of Chris Voss, a former hostage negotiator with the FBI. He also leaned on his connections with federal officials.
“I called in a lot of favors. Like I just called in people I knew that were trained negotiators and asked them questions,” Mr. Minder said. “I gave them specific scenarios that I was going through while I was going through them and saying, ‘What would you do?’ And so I kind of learned on the job. I like to say I built the bicycle while I was riding it.”
Now, Mr. Minder’s ransomware team has three main negotiators and several analysts who speak more than a dozen languages. The negotiators focus on interaction with the victim and crafting the messaging for the cybercriminals. The analysts handle technical aspects of the conversation on the darknet and do the forensic work needed to understand the adversary.
GroupSense collects information such as attribution of the attacker's identity, the amount of money it will likely take to reach a ransom settlement and ransom transactions the attacker has recently completed. The information goes into a portal, where the client can review the data in real time and see detailed notes of the team's proposed strategies.
“Before we send any message, it doesn’t matter if it’s ‘hello’ or if it’s the actual offer, we get approval from the client. Every single message,” Mr. Minder said. “And some clients like to get involved, like it’s spy versus spy for them.”
He said the adversaries often speak English as a second language and his team does not have the benefit of eye contact or changing vocal intonation while negotiating in cyberspace. As a result, the cadence of the digital messages, language choices and other details such as when, if ever, to use capital letters can prove crucial.
Mr. Minder said he urges his clients to alert law enforcement and the FBI in hopes that the government is taking inventory of the cases, including details about which ransoms are paid.
Asked whether FBI agents are trained to interact or negotiate with cyberattackers, Ms. Ugoretz said the FBI has experts in crisis negotiation. She declined to provide details about agents’ training to counter cyberattacks.
The FBI has advocated against paying ransom but wants victims to contact the agency regardless of their decision.
“If, in the case of ransomware, we’re made aware that an entity is in a negotiation with a ransomware actor or thinking about paying a ransom, the earlier we are brought in, the more likely we are to be able to help,” Ms. Ugoretz said.
In the ransomware attack on major fuel supplier Colonial Pipeline, the company brought in the FBI before paying the attacker. The bureau ultimately helped recover about $2.3 million in cryptocurrency — a majority of the ransom.
Federal agencies say ransomware payments may encourage attackers and violate government sanctions. In October, the Treasury Department's Office of Foreign Assets Control warned that making or enabling payments to attackers under government sanctions could result in civil penalties. Knowing violations of the office's rules and related laws could bring criminal liability, according to an analysis from the law firm Jones Day.
Still, figuring out whether an attack is tied to a U.S.-sanctioned entity can be difficult. The DarkSide enterprise that attacked Colonial Pipeline used a ransomware-as-a-service model, in which developers of malicious software and affiliates deploying it share the ransom payments.
President Biden has linked the DarkSide group to Russia, and DarkSide announced plans last year to use servers in Iran, the tech publication Bleeping Computer reported.
Whether the attackers were sanctioned or not, DarkSide’s intended use of infrastructure in Iran dissuaded ransomware negotiation firm Coveware from facilitating payments given the sanctions against Tehran, Bleeping Computer reported.
Colonial Pipeline CEO Joseph Blount told a Senate committee that his company had no direct contact with the attackers but hired negotiators and legal personnel, who repeatedly checked to ensure his company’s payment would not violate federal rules.
Attorneys for the pipeline company brought in the Mandiant division of cybersecurity firm FireEye before the company paid the ransom, according to House testimony from Charles Carmakal, FireEye Mandiant senior vice president and chief technology officer.
Mr. Carmakal declined to provide details to The Washington Times about the advice he gave Colonial Pipeline on whether to pay the ransom.
“One thing that we don’t do is we will not negotiate with threat actors. We won’t communicate with them. We don’t get involved in the payment at all of threat actors,” Mr. Carmakal said. “Now, one thing that we do do sometimes with organizations that ask for it is, we will help them think through the process of potentially engaging a threat actor in a communication or potentially paying them. So we’ll kind of walk them through these certain decision criteria.”
The decision then is left to the victim.
To help avoid falling victim to a ransomware attack, Ms. Ugoretz had some suggestions: use multifactor authentication and patch common vulnerabilities to block initial access points that attackers use to breach systems.
Mr. Minder said initial access brokers shop their breaches to ransomware gangs in underground markets. The technical sophistication required to launch an attack, he said, is “almost nothing.”
“This is totally preventable. It’s a cyberhygiene problem,” Mr. Minder said. “I mean, but I think the main thing is some people just assume that these bad guys have these really sophisticated cybertools. They don’t, and they don’t have to. It’s super easy.”
Mr. Minder said he urges victims not to search Google for ransomware negotiators lest they fall victim to scammers posing as negotiators. He suggested consulting a law firm to connect with appropriate help.
He said his team does not view ransomware negotiation as a profit-driver — he has charged an hourly rate with a cap — but uses the service to find leads for clients that likely need his company’s other cybersecurity products, too.