Ransomware negotiator weighs in on the extortion payment debate with El Reg
As gang tactics get nastier while attacks hit all-time highs
Interview Ransomware hit an all-time high last year, with more than 60 criminal gangs listing at least 4,500 victims – and these infections don't show any signs of slowing.
Drew Schmitt is a professional ransomware negotiator and practice lead for the GuidePoint Research and Intelligence Team or GRIT — that's the team that compiled the above-mentioned 2023 figures.
In this role, Schmitt has interacted with all of the major ransomware crews. The Register recently caught up with him to discuss the criminal gangs' evolving ransomware tactics, the role he plays in companies' incident response when they have suffered an infection or intrusion, and the larger question of whether ransomware payments should be completely banned.
In addition to the debate over a total payment ban, there's also some controversy surrounding negotiators themselves, and whether they should be regulated. The official advice from the Feds is that victims should not pay ransom demands, nor should they negotiate with criminals.
"When we're talking about these types of situations on my team, we're talking about threat actor communications rather than negotiations, because there is so much more that goes into what we do other than just making a payment," Schmitt said. "We are there to advise on risk. We are there to have conversations with threat actors, focused on recovery, rather than moving towards a payment."
As GRIT has watched ransomware gangs use "more coercive tactics" to put pressure on victims to pay — this includes releasing sensitive data and even contacting companies' customers and business partners — law enforcement is also turning up the heat via coordinated takedown efforts.
These have seen varying degrees of success, and while it's still too early to declare victory, "it proved some of the biggest names in ransomware are not untouchable," Schmitt said. "In some cases more of a short-term impact," he added, citing LockBit in this category. "ALPHV has gone through something that's a little more permanent it seems."
Of course, only time will tell if the gangs rebrand, or their affiliates join other crime gangs, so the jury is still out on the long-term nature of these disruptions.
While the increase in size and scope of ransomware attacks has led some to call for a complete ban on ransom payments, Schmitt said the problem is too complex to be solved with a silver bullet like a ban. That might be part of the solution, several years down the road, he opined, but the reality is that eliminating ransomware will take a multi-pronged approach.
"The one piece that really sticks out to me is the incentivizing of improving security," he said. "Whether that's through things like cyber insurance, or it's going to be having the federal government provide some tooling that can help small- and medium-sized businesses, really it's gonna be providing that incentive to want to be more proactive about cybersecurity." ®