Hi, I'll be your ransomware negotiator today – but don't tell the crooks that

The first rule of being a ransomware negotiator is that you don't admit you're a ransomware negotiator — at least not to LockBit or another cybercrime gang.  Instead, these negotiators portray themselves as simply company representatives, said Drew Schmitt, a professional ransomware negotiator and principal threat analyst at …

  1. b0llchit Silver badge
    Joke

    When AI and Ransomware merge

    Hello,

    I am your ransomware for the day. I have encrypted half of your storage to get us started. Please have a seat and let's talk it through.

    ...

    Must be a difficult job to get that one sorted out. We'd probably need a lot of therapists and asylums to handle this. Not sure for whom, the negotiators or the AIs.

    1. Anonymous Coward
      Coat

      Re: When AI and Ransomware merge

      What makes you think negotiators can't be replaced too?

      Hello,

      I am your ransomware for the day. I have encrypted half of your storage to get us started. Please have a seat and let's talk it through.

      Hello, ransomware,

      Talking is good. Let me start by asking what the word 'ransomware' means to you? Why do you associate it with yourself? Do you associate it with anything else?

      1. b0llchit Silver badge
        Coat

        Re: When AI and Ransomware merge

        ...

        Talking is good. Let me start by asking what the word 'ransomware' means to you? Why do you associate it with yourself? Do you associate it with anything else?

        The answer could, maybe, be something like this:

        Fsck you.#¤%&/((/&%¤#%&/&%¤#""¤%&/[AI encrypted itself, all data lost]

        Could be... could be.

  2. VoiceOfTruth

    He would say that, wouldn't he?

    -> The biggest reason is because most ransomware groups specifically and explicitly say: 'We don't want to work with a negotiator...

    Says ransomware negotiator. A slight case of conflict of interest in that statement. You need new tyres, says car tyre salesman.

    I accept that advice from those who know what they are doing is usually useful. I wouldn't want to do any negotiating with a ransomware group. But to me a ransomware negotiator is a sign of failure somewhere along the line, and "outsourcing" this aspect doesn't fix the problem.

    -> Schmitt said he has, on two occasions, negotiated ransoms down to zero dollars. ... Healthcare...

    I wonder if Schmitt negotiated his fee down to zero dollars, because it is not clear from this report.

    -> The negotiation process itself involves bringing all the key business units to the table: C-suite executives, cybersecurity analysts, lawyers, HR, and PR representatives.

    But not law enforcement? Just negotiate with your friendly protection racket henchman and keep it quiet.

    -> how is this going to impact our brand if we're exposed on a ransomware leak site?

    So not "how is this going to impact our brand when it comes to public attention that our data (usually meaning customers' data) has been compromised?" What happens if it is revealed later that the data has been purloined? I don't mean the data being made public, but read it like this: customers read in the newspapers that Acme Corporation's customer data was purloined by cybercrims, and their data is now in the hands of these people. Yet Acme Corporation did not report it.

    -> there's just not a lot of discussion of kind of where the funds go after the fact

    What those protection racket henchmen do with the payoff is not my problem. My shop windows are still intact.

    I imagine that ransomware is not an easy thing to deal with, and it's easy for those with unlimited pockets (i.e. governments) to say "don't pay". But needing a ransomware negotiator sounds like a systemic failure.

    1. doublelayer Silver badge

      Re: He would say that, wouldn't he?

      -> The biggest reason is because most ransomware groups specifically and explicitly say: 'We don't want to work with a negotiator...

      Says ransomware negotiator. A slight case of conflict of interest in that statement. You need new tyres, says car tyre salesman.

      No, you've got it wrong. It would be that if he said that employing a ransom negotiator always gave better results. As it stands, he just said that the criminals themselves don't want you to use one. This is at least sometimes true, and probably because they know a negotiator who has experience with ransomware will do things like checking whether their encryption has been cracked already or whether they're the type who asks for money and then vanishes. Whether you have a negotiator or not, which he didn't recommend in this statement, don't admit you have one.

  3. amanfromMars 1 Silver badge

    Another wrinkle to consider actively deployed to plausibly deny self-employed.

    One thought that Schmitt said doesn't usually come up in the discussion — unless the criminal gang has been sanctioned by the US Treasury or a similar body, in which case it's illegal to pay a ransom to them — is the ethics of paying a ransom that, in turn, finances additional illicit activities and potentially oppressive regimes that back or orchestrate ransomware campaigns.

    Another thought that doesn't usually come up in discussion, for who would want to admit it is true, is when a criminal gang has been authorised by the US Treasury or a similar body to accept a ransom to be paid to them.

    Tell us that cannot happen and every silent downvote cast here and then would surely quite clearly register one's anonymous disagreement.

    1. druck Silver badge

      Re: Another wrinkle to consider actively deployed to plausibly deny self-employed.

      The down votes are due to your routine output of gibberish, and shouldn't be interpreted as any sort of poll result.

    2. amanfromMars 1 Silver badge

      More GBIrish to Input for Output and Try to Avoid being Classed More Epic Eponymous BullShit.

      Although this next question/these next questions are UKGBNI specific, they are equally applicable and valid in any other national/international jurisdiction/virtual space place on Earth bordered with a thin line on a map.

      Who sanctions/authorises the UK Treasury [Indebted to the tune of £2,365.4 billion/£2.3654 trillion/£2,365,400,000,000 at the end of March 2002 and nursing a current account deficit of £15.8 billion/£15,800,000,000 in Quarter 1 of 2022 [an excess of government spending over income] ..... and it should come as no surprise to you that more up to date figures for the UK Treasury at the end of Quarter 2 (June 2022) are not planned for release until 28 October 2022 9:30am, but be assured they are bound to be horrendously worse than was ever expected or experienced before in the lifetime of existence ..... and the Bank of England [a similar unelected body] the payments to a handful of Conservative party members, [some of whom are admitted criminals] being admirably shown every day now to be totally unworthy of any great wise further support for products and projects they neither own nor command and control but with which they practically hold the population to ransom with, with tales of jam tomorrow and the catastrophic crippling debt burdens of today to be kicked down the road and passed on to future generations of your children, and their childrens' children the great white hope aired on the rocky hustings road to riches and plenty to head off too much present forensic introspection of the Grand Deceit and Universal Ponzi of the Failing and Ailing Magic Money Tree Program?

      And what shared there is not accurate and true and gibberish?

      1. nintendoeats Silver badge

        Re: More GBIrish to Input for Output and Try to Avoid being Classed More Epic Eponymous BullShit.

        - "And what shared there is not accurate and true and gibberish?"

        The long paragraph that was a single run-on sentence. Additionally, even the sentence I have quoted doesn't make sense. I think you mean "And what shared there is not accurate and true, and therefore is gibberish?"

        I am however upgrading your status from "chatbot" to "the worst writer to ever correctly use a word longer than two syllables".

  4. Anonymous Coward

    It's time to end this.

    Make paying ransom a crime. Corp pays ransomware gang, CEO gets to spend a year in prison.

    1. Throatwarbler Mangrove Silver badge
      Thumb Down

      Re: It's time to end this.

      You have no concept of the law of unintended consequences, do you?

    2. Oglethorpe

      Re: It's time to end this.

      Great idea; hand the criminal an opportunity for continuing blackmail.

    3. VoiceOfTruth

      Re: It's time to end this.

      Your simple statement betrays your simple mind, so let me give you an emotive scenario.

      A hospital's IT system is compromised and a load of important data is encrypted. The henchmen demand a measly £10,000 or $. Let's say among this now-encrypted data is something which is essential right now, as it will save somebody's life. The CEO is willing to pay, to save this life, even though he disagrees with it.

      It is a dilemma, and I would not wish to encourage paying off extortionists. However, in this case what would YOU do? Would you let the person die, or send the CEO to prison if he pays? It's an interesting question which has no doubt been asked countless times in the days of physical extortion (this certainly still goes on), and is now a thing in today's IT world. It's very easy to say "don't pay" when you are not the one affected.

      1. Anonymous Coward

        Re: It's time to end this.

        Sometimes the simplest solution is the best solution. This is one of those times.

        And you treat that idiotic scenario just exactly the same way you treat a fire in the medical records warehouse, you clean up the mess and move on, and you treat the patient with the best care you've got available, because your "patient will die unless the data is recovered" is complete idiocy, it's not something that exists in the real world.

        And even if your case exists as a potential thing today (it doesn't, but let's go on your idiotic flight of fantasy) then you have to keep in mind that a law criminalizing paying ransom and imprisoning CEOs who pay is going to take time to implement, and can even have a built-in year delay before it takes effect. A bit of warning that it's coming and medical CEOs can take steps to airgap life-critical systems.

        The point of a "paying is a crime" law is to make ransomware utterly unprofitable. No profits = no ransomware, these people aren't doing it for the fun of it, they're doing it to make money.

        1. David Nash Silver badge

          Re: It's time to end this.

          So, blame the victim for trying to minimise the pain.

          How about "pay me a ransom for your own life, or I will shoot/knife you".

          Should paying that kind of ransom be illegal?

          It's not so different from "pay me a ransom or I will do X"

          And legal definitions are sometimes notoriously tricky to confine to one intended scenario.

    4. Anonymous Coward

      Re: It's time to end this.

      If it could be done, the initial pain would be dwarfed by the rewards.

      Also, if cryptocurrency could be banned, that too would be very effective.

      Neither are going to happen soon.

      In the long run though, I think they will both happen.

      1. katrinab Silver badge
        Megaphone

        Re: It's time to end this.

        Banning cryptocurrency would stop legitimate companies from buying it.

        Try this thought experiment. If the ransomware people asked the company to pay the ransom in kgs of cocaine, how many people do you think would pay it?

        1. doublelayer Silver badge

          Re: It's time to end this.

          I can see some companies finding a subcontractor whose contract says they'll negotiate with the ransomware people but whose real purpose is to pay them in whatever illegal way is needed without requiring anyone at the company to know what happened to the cash that was sent over. It certainly wouldn't be as many companies as do so now when the stuff requested is legal, but I wouldn't expect it to be zero.

          It's also worth considering that, without cryptocurrency, there will still be people who have successfully ransomed data for millions, and those people can pivot to a different payment method. Those who ask for tiny ransoms may well change focus if cryptocurrency becomes unavailable, but if you can successfully get $3M in cryptocurrency, you can also get $2.95M and budget $50k for the company to get that value to you in something else, such as gold. Sadly, they've already decided ransomware is a business model that works, so not all of them will just move on if part of the old structure becomes undesirable.

          1. druck Silver badge

            Re: It's time to end this.

            Have you tried transferring gold over the internet?

            1. doublelayer Silver badge

              Re: It's time to end this.

              "Have you tried transferring gold over the internet?"

              I didn't say "over the internet" now did I? That's why I budgeted $50k for the payment logistics. That's enough to transfer it in person to a place the criminals can take it more safely, with security for the pickup, and some padding for occasional bribes. Maybe it's not, but even if they made it $250k for that and $2.75M in profit, there are people willing to do it. Criminals used to work in the offline world, and they still do.

        2. druck Silver badge

          Re: It's time to end this.

          Banning cryptocurrency would stop legitimate companies from buying it.

          What legitimate companies?

          1. katrinab Silver badge
            Meh

            Re: It's time to end this.

            Colonial Pipeline Company for example?

  5. Anonymous Coward
    Joke

    Where does the money go?

    > "If I'm being totally honest, there's just not a lot of discussion of kind of where the funds go after the fact," he admitted.

    Drugs, hookers, yachts - no different than if it were in the CEO's bonus package.

    1. amanfromMars 1 Silver badge
      Pirate

      Re: Where does the money go?

      Drugs, hookers, yachts - no different than if it were in the CEO's bonus package. ... 2+2=5

      How very nice it is to know none of it is wasted, 2+2=5

      [I was looking for Paris Hilton but that icon is gone so Prepare for boarding, me young buckaroos it is]

  6. Kinetic

    Get more creative

    Allow ransoms to be paid, but it must be paid personally by the C suite, with no subsequent out-of-norm remuneration allowed for 10 years.

    Also, make it vigilante season by offering 50% of all funds recovered split between the finders as long as 50% of the gang is successfully prosecuted. Also, non-destructive hacking of suspected malware teams' infrastructure should be decriminalised.

    Couple this with really harsh sentences like having to work for a year in an Amazon warehouse, on standard pay and conditions.

    That should help

    1. doublelayer Silver badge

      Re: Get more creative

      "Also, non-destructive hacking of suspected malware teams' infrastructure should be decriminalised."

      That won't happen because, if you suspect something to be malware that's not, the people who owned it are not going to take "I thought you were a malware gang" as an excuse for why it was acceptable. If you're correct and end up hacking the real operators, it will already be effectively allowed because the criminals are unlikely to report your activities to the police, knowing that they too can be convicted based on the data you have and they'll face larger penalties than you would. Not to mention that, in a democracy, I think most juries would cheerfully nullify the charges if you somehow got them for successfully targeting a malware organization without causing external damage.

  7. Paul Hovnanian Silver badge

    Communications

    "Back in the day, circa 2019, these negotiations happened via email. But since then, ransomware gangs have matured and evolved business operations to include instant messaging with victims to figure out deals"

    I suspect that the ransomware gangs have leveraged social media's preoccupation with tracking and real identities. I can generate numerous e-mail accounts that belong to no human, a negotiating group or possibly law enforcement. I don't know where IM fits into this scheme. I don't use it and have it blocked at my end. It's e-mail or some other method on my terms. Ideally meet me at the end of a dark, lonely road. Come alone. Pay no attention to the snipers hidden along the route.

  8. Anonymous Coward

    That $2000 job

    I presume that must have been less than his own fee. I wonder how come he got called in anyway?

    1. The Mole

      Re: That $2000 job

      My guess is somebody asking for a quote.

      I assume it's only an hour's work, or perhaps even no fee, to confirm whether there is a free decryptor for the files.

    2. stungebag

      Re: That $2000 job

      Appointed by the insurers?

  9. Anonymous Coward

    Eventually…

    …you're going to come across the same people again. I don't know if they use voice comms, but it must be pretty awkward when someone goes "Oh, hello Peter! Weren't you working for an agricultural company in Ohio last Monday? What are you doing now in a bank in the city?"

    1. doublelayer Silver badge

      Re: Eventually…

      I think they probably stick to text comms when they can because this allows them to use people without having those voices recognized and tracked. That also helps if the language they're using to converse isn't their native one. If they did use a voice system, there are a few programs for distorting a voice that don't make it obvious that's happened, especially through a bad laptop mic.

  10. andy the pessimist

    stupid question

    Can companies put in file(s) with known text/number sequences? Once the file is encrypted you have the known and encrypted data. That can be used to break the encryption. Am I missing something?

    There is another comment which doesn't seem to have got through.

    1. AVR

      Re: stupid question

      Modern encryption can be smarter than that. The encryption algorithm doesn't need to apply the key in a simple Caesar cipher, and having some known bits won't tell you everything. Take a look at how AES works and try to figure out how you'd reverse it - it's not easy, by design.

      https://en.wikipedia.org/wiki/Advanced_Encryption_Standard

      1. Oglethorpe

        Re: stupid question

        An interesting example of where this failed was in early versions of Zoom. Since a given pixel value always encrypted the same way, you just had to wait for a B frame (when the whole image refreshes) to come along and spit the data out into an image. It wouldn't yield true colours or luminance but the mere clusters of the same value could be processed into something that gave you an idea of the original image:

        https://www.theregister.com/2020/04/03/dont_use_zoom_if_privacy/
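        The two points in this sub-thread, that AES itself is not a simple substitution and that the Zoom failure came from how it was applied (each pixel block encrypted the same way every time), can be seen side by side in a few lines. The following is an added example, not code from the article or from any commenter: it builds a constructed 8-row "frame" of all-0x00 and all-0xff pixel rows, encrypts it with AES-128 once in ECB mode (each block independently, the Zoom-style mistake) and once in CTR mode under a random IV, then does what an observer without the key can do, label each ciphertext block by first appearance. The key and the row pattern are constructed for the demo; the ECB loop is written out by hand because Go's standard library deliberately offers no ECB mode.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"io"
)

// demoKey is a constructed 16-byte AES-128 key used only for this illustration.
var demoKey = []byte("example-key-16by")

// rowPattern is a constructed 8-row frame: an 'X' row is 16 pixels of 0xff,
// a '.' row is 16 pixels of 0x00. Each row is exactly one AES block.
const rowPattern = "X..XX..X"

// makeFrame expands rowPattern into the raw pixel bytes of the frame.
func makeFrame() []byte {
	frame := make([]byte, 0, len(rowPattern)*aes.BlockSize)
	for _, r := range rowPattern {
		v := byte(0x00)
		if r == 'X' {
			v = 0xff
		}
		frame = append(frame, bytes.Repeat([]byte{v}, aes.BlockSize)...)
	}
	return frame
}

// ecbEncrypt encrypts every block independently under the same key, spelled
// out by hand: equal plaintext blocks therefore give equal ciphertext blocks.
func ecbEncrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(plaintext)%aes.BlockSize != 0 {
		return nil, fmt.Errorf("plaintext length %d is not a multiple of %d", len(plaintext), aes.BlockSize)
	}
	out := make([]byte, len(plaintext))
	for i := 0; i < len(plaintext); i += aes.BlockSize {
		block.Encrypt(out[i:i+aes.BlockSize], plaintext[i:i+aes.BlockSize])
	}
	return out, nil
}

// ctrEncrypt uses AES in counter mode under a fresh random IV, so the keystream
// differs per block and repeated rows no longer repeat in the output. A real
// protocol sends the IV with the ciphertext; it is dropped here because only
// the ciphertext's block structure is examined.
func ctrEncrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	iv := make([]byte, aes.BlockSize)
	if _, err := io.ReadFull(rand.Reader, iv); err != nil {
		return nil, err
	}
	out := make([]byte, len(plaintext))
	cipher.NewCTR(block, iv).XORKeyStream(out, plaintext)
	return out, nil
}

// blockPattern is the keyless observer's view: each 16-byte block gets a letter
// in order of first appearance, so identical blocks share a letter.
func blockPattern(data []byte) string {
	seen := map[string]byte{}
	labels := make([]byte, 0, len(data)/aes.BlockSize)
	for i := 0; i+aes.BlockSize <= len(data); i += aes.BlockSize {
		k := string(data[i : i+aes.BlockSize])
		label, ok := seen[k]
		if !ok {
			label = byte('A') + byte(len(seen))
			seen[k] = label
		}
		labels = append(labels, label)
	}
	return string(labels)
}

// distinctBlocks counts how many different 16-byte blocks appear in data.
func distinctBlocks(data []byte) int {
	seen := map[string]struct{}{}
	for i := 0; i+aes.BlockSize <= len(data); i += aes.BlockSize {
		seen[string(data[i:i+aes.BlockSize])] = struct{}{}
	}
	return len(seen)
}

func main() {
	frame := makeFrame()
	ecb, err := ecbEncrypt(demoKey, frame)
	if err != nil {
		panic(err)
	}
	ctr, err := ctrEncrypt(demoKey, frame)
	if err != nil {
		panic(err)
	}
	fmt.Printf("plaintext rows: %s (%d distinct blocks)\n", blockPattern(frame), distinctBlocks(frame))
	fmt.Printf("AES-ECB output: %s (%d distinct blocks)\n", blockPattern(ecb), distinctBlocks(ecb))
	fmt.Printf("AES-CTR output: %s (%d distinct blocks)\n", blockPattern(ctr), distinctBlocks(ctr))
}
```

        Run it and the ECB line reproduces the frame's row structure (ABBAABBA, two distinct blocks) with the key never touched, which is the shape-recovery Oglethorpe describes; the CTR line shows eight unrelated blocks. Neither output gets an observer any closer to the key: the weakness is the mode, not AES.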

    2. Tom66

      Re: stupid question

      Fortunately (though not for ransomware cases), encryption algorithms are not usually vulnerable to what you describe as a "known plaintext" attack.

      As an example for why this would be really bad for any serious use, think about encrypting a filesystem. If it's a Windows system, you can probably take a guess that it's NTFS, and try to break the algorithm based on likely locations for header structures and the like, or common document formats (docx, jpg, zip) or known executable images (ntoskrnl.exe, kernel32.dll might be good things to go hunting for.)

      It's only particularly broken algorithms where known plaintext attacks work, and even then it usually only gives you a few bits more information that you don't have to crack (known plaintext was one of the attacks used against Enigma.)

    3. Anonymous Coward

      Re: stupid question

      > Am I missing something?

      Yes, step 2. The one between 1. idea and 3. profit.
