Confessions of a ransomware negotiator: Well, somebody's got to talk to the criminals holding data hostage
We can't deny people are paying up left, right, and centre...
Interview: Many people outside of IT believe computers will do away with jobs, but the current ransomware plague shows that new and more curious kinds of jobs are created at least as fast. So what sort of background sets you up to talk to people holding your data for ransom?
To find out, The Reg talked to Nick Shah of STORM Guidance, who says he acts as a conduit between victims and the extortionists.
Nick Shah got his OBE in 2019. He has dealt with many serious criminals, and has the instinctive blunt circumspection of a 30-year veteran cop about his past work, having worked on more than a thousand kidnap and extortion cases in his career with the National Crime Agency (NCA) and assorted organisations in Africa. He has been a part of investigations tackling criminals and terrorist groups that were intent on causing fear, harm, and in many cases death – somewhat more intimidating than the passive-aggressive emails we get from HR.
NCA's director general said of Shah's work: "Whilst the detail cannot be given here, I can say with confidence that the UK public has been protected as a result. I am delighted that his service is now being formally recognised."
Shah's first piece of advice is: "A negotiator should never reveal that they are a 'trained negotiator'. Ideally we purport to just be another member of staff.
"It is important to indicate to the attackers that you (the negotiator) are not a senior member of staff who can make decisions," reducing their ability to put pressure on you whilst you "purport to be administrative level staff and need to refer upwards for decisions."
He added: "Should the incident require longer term negotiations, we could at some point – to keep the attacker's interest – suggest we have escalated it to a manager. Again this manager would not be senior. In reality, it could just be the same negotiator, using a different name and conversation style."
Although the attack vectors repeat, he says, the gangs seem to fission often enough that Shah and his team don't recognise the same actors in multiple attacks, so the "relationship" must be built up each time.
This is partly necessary because of the stress the victims are under.
"I have seen many CEOs and senior managers be badly affected by the emotional pressures of dealing with a ransomware incident. As well as some feelings of guilt for causing or at least failing to stop criminals from getting into systems, they also carry the burden of worry of what impact this could have on the business and its staff."
To get some idea of just how stressful this is, STORM has found it sometimes needs a team of confidential counsellors to get staff through it. Even if those staff are at fault, they are also part of putting it back together, and as Shah says: "There is no time or benefit from pointing the finger of blame. It is a rescue mission." That, of course, doesn't stop the finger-pointing from happening.
Shah sees his role as a conduit for the business to talk to the attackers, rather than a middleman, which means first he has to establish that the Storm team doesn't get involved with working out who was at fault. They are going to be working with these people to clean up while he starts the negotiation process. His experience is that most people are very reluctant to talk to serious criminals themselves.
Often he finds that the ransomware gang's negotiating skills are quite weak. So part of his role is to make sure that the ransomware-flingers – or their henchpersons – don't learn anything more during the negotiations than they already know about the company they've attacked and the data they've encrypted and/or stolen.
Who are you talking to?
Shah spoke to us about his process, in which he forms a model of the sort of people he's dealing with. He said that even over encrypted chat, there’s a lot you can learn. This starts with the time of day they respond, as well as the variant of English used, even though a large chunk of the responses are cut and paste.
He also told us that in general he doesn't expect to be dealing with the developers of the attack but rather a subset of staff within the criminal organisation that are basically the "Help Desk from Hell".
The more amateur operations use email to communicate with their "marks," which creates gaps that allow stalling whilst remediation efforts are being carried out. That is part of the balancing act the negotiator needs to maintain: making sure the criminals keep in contact, and are talking towards some sort of solution while the in-house IT professionals and his firm work to try to get things back on track.
Storm's technical team need time to try to disarm the ransomware and, if possible, resolve the issue without payment, Shah tells us, adding: "Negotiation is not about getting the lowest figure possible, it is mainly about getting information and time. My job is to get them time without the attackers becoming aware of the tactic."
But be clear: when data is leaked, it stays leaked.
Shah explains: "The attackers will increase the pressure as time goes on. They are focused on getting payment as soon as possible and as such will make attempts to rush matters along.
"The role of Storm experts and the negotiator is to support the clients with knowledge and experience to assist them in making the appropriate business decisions in a timely manner. We will be able to assess the validity of threats and give advice on the likelihood of the threat being carried out."
Part of the reason for using a negotiator is that, not being personally affected or blamed, Shah and his team will not sound so panicked, and will be much less vulnerable to high demands. An axiom of this work is "to not let them know what your bottom line is going to be – if they know that, you will pay more, they will demand it."
"The skill of a negotiator is not to make offers, but to get the attackers to 'bring an offer'," he tells us. "When discussing their offer we could use tactics to indicate that the demands are unaffordable, unrealistic or [that] acceding to such demands would take some time. These conversation styles generate further debate, either providing us with additional information, delays or a lower demand price. We can then potentially repeat the cycle, until we achieve our objectives."
His experience with these criminals has not left him very impressed, he says.
Firstly, the former NCA man says, they waste too much time on unrealistic demands and would make more money by asking for a number that can be written off as a cost of doing business, then moving on.
Speaking about them personally, he adds: "It is important to note also that ransomware attackers are criminals – just like kidnappers. In most cases, they generally have the same incentives of financial gain, and as such a good negotiator will use the same skills in building a relationship and maintaining discussions to seek a resolution.
"The obvious difference is that in a kidnap, the negotiator's primary objective is the safe release of the hostage, and in a ransomware incident, it's to protect or retrieve data. Suitably trained and experienced kidnap negotiators will have the appropriate skills in their 'tool kit' to manage ransomware attackers."
Since their escalation includes releasing partial data sets, selling them to other criminals and sending aggressive messages on screens and in DMs – and in some cases getting printers to endlessly output threats – you can see the need for STORM's counsellors to help stop the client folding or melting down.
Shah says that "the threatening manner and pressures imposed by attackers have similarities to kidnap situations, but unlike a kidnap, where you cannot put a price on a hostage's life, in ransomware cases, you know the value of the data relatively well."
Gangs vary a lot in how much they know about you and that includes complete ignorance, so keeping it that way is important. According to Shah, the amount they demand is "more of a function of the policy of the gang, rather than any analysis of what the victim can or will pay."
Talk to me
To get their money, extortionists are often more than willing to answer questions during the process, and part of Shah's work is to get samples of what the attackers have exfiltrated to prove they are telling the truth about it (apparently some criminals lie) and/or to get them to decrypt some data, since there is little point in paying them if they cannot do this. Whether they will or not is another matter. In this way, the negotiations are a lot more stepwise than the binary state of a hostage release.
Shah's experience is different to most others this writer has talked to in that he doesn't see repeat attacks, "mainly due to the fact [that], post-incident, the company strengthens their cyber security protocols."
He adds: "I have not seen any reporting or evidence to indicate that by paying a demand [this] leads to an increase in vulnerability, however, like any negotiations, it is important to not make yourself an easy target by giving an impression that you will accede to initial or any demands."
Opinions vary widely, but David Jemmett of Cerberus tells us: "The first thing we tell the customer is, 'do not pay it'. Because they're going to still have a copy of it, and they can come back any time."
So the trick is not to be seen as such a soft target that they will come back again – or you can choose to believe their assurance that this is just a one-off crisis.
Shah finds there is an element of grim humour in all this. "From experience, during discussions they offer, at an extra charge, follow-on services to provide cyber security services, which [sometimes] includes information on how they originally got access.
"They are criminals and most likely to continue their criminality against you."
While you or I might see that as funny, they wouldn't do it if some victims were not foolish enough to take them up on it. And if your org does happen to pay the ransom, it's certainly worth checking whether you're correct about the way you believe they got in.
The bad news is that, despite having had the highest security clearance, Shah and his team get very little intelligence from the police or any other part of law enforcement, finding that the flow of information is very much one way. Shah says: "We have seen (or rather not seen), the authorities make almost no tangible progress or assistance in dealing with the gangs around the Black Sea and unless you're critical to national security, the bottom line is: you're on your own here."