Negotiating with ransomware criminals creates new business for security professionals

The rise in ransomware attacks has spawned a high-tech with family industry that is willing to do what companies and law enforcement agencies do not do. Negotiate with cyber criminals who are holding systems and data hostage.

The FBI’s stated policy is not to negotiate with cyber attackers, just as it does not negotiate with terrorists. The refusal opens the market for private cybersecurity professionals who specialize in interacting with attackers on behalf of victims who make the difficult decision to pay, rather than waiting for the government to resolve the case. Was helpful.

Increasing attacks on victims with payment incentives have created many potential jobs that did not exist a few years ago. The FBI says it is investigating “about 100 different variants” of ransomware that are responsible for dozens to hundreds of attacks. Tonya Ugolets, Deputy Director of the FBI Cyber ​​Division. She He said a year or two ago there were probably a handful of such highly influential varieties.

Cybersecurity firm GroupSense handled the first ransomware negotiation case last year, the founder said. Curtis Minder.. he Arlington, Virginia, said the company’s initial negotiations encouraged law firms helping victims and cyber insurers involved in the case to introduce surplus labor. his How to do it.

Mr. Minder negotiates ransomware his Company website at law firm Proding, he Said he Received more requests his Especially services from people who couldn’t afford expensive lawyers and insurance policies to cover digital setbacks.

Mr. MinderBut he was not a trained negotiator. he I hurried to speed up by reading books, taking online classes, and especially watching the Master Class video of former FBI hostage negotiator Chris Voss. He also relied on his connection between federal authorities.

“I got a lot of support, as I called and asked someone I knew was a trained negotiator,” Minder said. “I gave them the specific scenario I experienced while going through them and saying,’What are you doing?’ So I’m riding a bike because I learned at work. I want to say that I made a bicycle in the meantime. “

Currently, Mr. Minder’s ransomware negotiation team has three key negotiators and several analysts who speak more than 12 languages. Negotiators focus on interacting with victims and composing messages for cybercriminals, while analysts handle the technical aspects of dark web conversations and perform the forensic work necessary to understand the enemy. ..

Information such as the attacker’s identity attribution, the amount of ransom that the attacker frequently resolves, and the transactions that the attacker recently completed is collected and placed on a portal where GroupSense customers can view the data in real time. Minder’s team also has writers take detailed notes about their strategies so that clients can see them on the portal.

“Before sending a message, it doesn’t matter if it’s” hello “or if it’s an actual offer. Get approval from the client. All the messages, “Minder said. “And some clients like to get involved, like spy vs. spy for them.”

He said adversaries often speak English as a second language and his team does not have the advantage of using eye contact or changing voice intonation when negotiating in cyberspace. As a result, detailed details such as the rhythm of digital messages, language choices, and when to use uppercase letters can be important.

Mr Minder said he would ask clients to warn law enforcement agencies and the FBI in the hope that the government would catalog the case, including details of which ransom was paid, and collect other information.

I was asked if FBI agents were trained to interact with or negotiate with cyber attackers. Ugolets He said the FBI had crisis negotiation experts but did not provide additional details on agent cyber training.

The FBI advocates opposition to ransom payments, but requires victims to pay ransoms regardless of whether they choose to pay digital attackers.

“In the case of ransomware, if you find that an entity is negotiating with a ransomware actor or considering paying a ransom, the sooner we are brought in, the more likely we can help. It will be. “MS. Ugolets Said.

In the case of a ransomware attack on a major U.S. fuel The supplier’s colonial pipeline was brought in by the FBI before the company decided to pay the attackers, and the agency eventually helped recover about $ 2.3 million in cryptocurrencies. This is the majority of payments made by pipeline companies.

Paying ransomware attackers frustrates other federal agencies because it encourages future attacks and can violate sanctions imposed by the US government. Last October, the Office of Foreign Assets Control (OFAC) of the Treasury warned that companies that pay or enable attackers authorized by the U.S. government are at risk of violating laws that result in civil penalties. Did. According to an analysis by law firm Jones Day, knowing a breach of OFAC rules and related laws can result in criminal liability.

However, it can be difficult to determine if an individual attack is tied to an entity authorized by the US government. For example, DarkSide Enterprise, which is attacking the Colonial Pipeline, is using the ransomware model as a service where malicious software developers and affiliates deploying it share part of their victims’ payments. I did.

According to the technical publication Bleeping Computer, President Biden has linked the DarkSide group to Russia, which announced plans to use the server in Iran last year.

Whether or not an attacker using DarkSide’s services is subject to sanctions, Bleeping Computer is a ransomware negotiator that considers the use of DarkSide’s infrastructure in Iran, given existing sanctions on Iran. He reported urging Coveware to stop promoting payments to DarkSide.

Colonial Pipeline CEO Joseph Bronde repeatedly checked the Senate Committee to ensure that his company was not in direct contact with the attackers, but his company’s payments did not violate OFAC rules. He said he hired a negotiator and a legal officer.

According to House Commission testimony by Charles Carmakal, Senior Vice President and Chief Technology Officer of FireEye Mandiant, pipeline company lawyers brought in the Mandiant division of cybersecurity company FireEye before the company decided to pay the stake. I did.

When asked what advice he had given the Colonial Pipeline on how to assess whether to pay the ransom, Karmakar refused to provide details to the Washington Times.

“One of the things we don’t do is not negotiate with threat actors. We don’t contact them. We don’t get involved in paying all threat actors,” Carmakal said. Said. “Now, one of the things we sometimes do to organizations that demand it is to help them think through the process of potentially involving threat actors in communication or potentially paying them. So I explain that these are specific criteria. “

The decision is then left to the victim.

To avoid being the victim of a ransomware attack, Mr. Ugolets We proposed using multi-factor authentication and patching common vulnerabilities to block the initial access points that attackers use to compromise the system.

Mr. Minder said early access brokers have warned that they could breach underground market ransomware gangs and become many attackers on potential targets. He said the technical sophistication needed to launch an attack was “almost nothing.”

“This is a completely preventable and cyber-hygiene problem,” says Minder. “That is, importantly, I think some people think that these bad guys have these really sophisticated cyber tools. They don’t, and they don’t have to. Very easy. is.”

Mr. Minder also said he would ask Google not to search for ransomware negotiators so that victims would not be victims of scammers disguised as negotiators. He instead advocated consulting a law firm to connect the victim with appropriate help.

His team does not see ransomware negotiations as a driving force for profits and has capped hourly wages, but may use this service to require their other cybersecurity products. I’m also finding client leads.

Sign up for our daily newsletter

Negotiating with ransomware criminals creates new business for security professionals

Source link Negotiating with ransomware criminals creates new business for security professionals

Back to top button