Hi, I'll be your ransomware negotiator today – but don't tell the crooks that The first rule of being a ransomware negotiator is that you don't admit you're a ransomware negotiator — at least not to LockBit or another cybercrime gang. Instead, these negotiators portray themselves as simply company representatives, said Drew Schmitt, a professional ransomware negotiator and principal threat analyst at …
Hello,
I am your ransomware for the day. I have encrypted half of your storage to get us started. Please have a seat and lets talk it through.
...
Must be a difficult job to get that one sorted out. We'd probably need a lot of therapists and asylums to handle this. Not sure for whom, the negotiators or the AIs.
What makes you think negotiators can't be replaced too?
Hello,
I am your ransomware for the day. I have encrypted half of your storage to get us started. Please have a seat and lets talk it through.
Hello, ransomware,
Talking is good. Let me start by asking what the word 'ransomware' means to you? Why do you associate it with yourself? Do you associate it with anything else?
...
Talking is good. Let me start by asking what the word 'ransomware' means to you? Why do you associate it with yourself? Do you associate it with anything else?
The answer could, maybe, be something like this:
Fsck you.#¤%&/((/&%¤#%&/&%¤#""¤%&/[AI encrypted itself, all data lost]
Could be... could be.
-> The biggest reason is because most ransomware groups specifically and explicitly say: 'We don't want to work with a negotiator...
Says ransomware negotiator. A slight case of conflict of interest in that statement. You need new tyres, says car tyre salesman.
I accept that advice from those who know what they are doing is usually useful. I wouldn't want to do any negotiating with a ransomware group. But to me a ransomware negotiator is a sign of failure somewhere along the line, and "outsourcing" this aspect doesn't fix the problem.
-> Schmitt said he has, on two occasions, negotiated ransoms down to zero dollars. ... Healthcare...
I wonder if Schmitt negotiated his fee down to zero dollars, because it is not clear from this report.
-> The negotiation process itself involves bringing all the key business units to the table: C-suite executives, cybersecurity analysts, lawyers, HR, and PR representatives.
But not law enforcement? Just negotiate with your friendly protection racket henchman and keep it quiet.
-> how is this going to impact our brand if we're exposed on a ransomware leak site?
So not "how is this going to impact our brand when it come to public attention that our data (usually meaning customers' data) has been compromised?" What happens if it is revealed later that the data has been purloined? I don't mean the data being made public, but read it like this: customers read in the newspapers that Acme Corporation's customer data was purloined by cybercrims, and their data is now in the hands of these people. Yet Acme Corporation did not report it.
-> there's just not a lot of discussion of kind of where the funds go after the fact
What those protection racket henchman do with the payoff is not my problem. My shop windows are still intact.
I imagine that ransomware is not an easy thing to deal with, and it's easy for those with unlimited pockets (i.e. governments) to say "don't pay". But needing a ransomware negotiator sounds like a systemic failure.
-> The biggest reason is because most ransomware groups specifically and explicitly say: 'We don't want to work with a negotiator...
Says ransomware negotiator. A slight case of conflict of interest in that statement. You need new tyres, says car tyre salesman.
No, you've got it wrong. It would be that if he said that employing a ransom negotiator always gave better results. As it stands, he just said that the criminals themselves don't want you to use one. This is at least sometimes true, and probably because they know a negotiator who has experience with ransomware will do things like checking whether their encryption has been cracked already or whether they're the type who asks for money and then vanishes. Whether you have a negotiator or not, which he didn't recommend in this statement, don't admit you have one.
One thought that Schmitt said doesn't usually come up in the discussion — unless the criminal gang has been sanctioned by the US Treasury or a similar body, in which case it's illegal to pay a ransom to them — is the ethics of paying a ransom that, in turn, finances additional illicit activities and potentially oppressive regimes that back or orchestrate ransomware campaigns.
Another thought that doesn't usually come up in discussion, for who would want to admit it is true, is when a criminal gang has been authorised by the US Treasury or a similar body to accept a ransom to be paid to them.
Tell us that cannot happen and every silent downvote cast here and then would surely quite clearly register one's anonymous disagreement.
Although this next question/these next questions are UKGBNI specific, they are equally applicable and valid in any other national/international jurisdiction/virtual space place on Earth bordered with a thin line on a map.
Who sanctions/authorises the UK Treasury [Indebted to the tune of £2,365.4 billion/£2.3654 trillion/£2,365,400,000,000 at the end of March 2002 and nursing a current account deficit of £15.8 billion/£15,800,000,000 in Quarter 1 of 2022 [an excess of government spending over income] ..... and it should come as no surprise to you that more up to date figures for the UK Treasury at the end of Quarter 2 (June 2022) are not planned for release until 28 October 2022 9:30am, but be assured they are bound to be horrendously worse than was ever expected or experienced before in the lifetime of existence ..... and the Bank of England [a similar unelected body] the payments to a handful of Conservative party members, [some of whom are admitted criminals] being admirably shown every day now to be totally unworthy of any great wise further support for products and projects they neither own nor command and control but with which they practically hold the population to ransom with, with tales of jam tomorrow and the catastrophic crippling debt burdens of today to be kicked down the road and passed on to future generations of your children, and their childrens' children the great white hope aired on the rocky hustings road to riches and plenty to head off too much present forensic introspection of the Grand Deceit and Universal Ponzi of the Failing and Ailing Magic Money Tree Program?
And what shared there is not accurate and true and gibberish?
- "And what shared there is not accurate and true and gibberish?"
The long paragraph that was a single run-on sentence. Additionally, even the sentence I have quoted doesn't make sense. I think you mean "And what shared there is not accurate and true, and therefore is gibberish?"
I am however upgrading your status from "chatbot" to "the worst writer to ever correctly use a word longer than two syllables".
Your simple statement betrays your simple mind, so let me give you an emotive scenario.
A hospital's IT system is compromised and a load of important data is encrypted. The henchmen demand a measly £10,000 or $. Let's say among this now-encrypted data is something which is essential right now, as it will save somebody's life. The CEO is willing to pay, to save this life, even though he disagrees with it.
It is a dilemma, and I would not wish to encourage paying off extortionists. However, in this case what would YOU do? Would you let the person die, or send the CEO to prison if he pays? It's an interesting question which has no doubt been asked countless times in the days of physical extortion (this certainly still goes on), and is now a thing in today's IT world. It's very easy to say "don't pay" when you are not the one affected.
Sometimes the simplest solution is the best solution. This is one of those times.
And you treat that idiotic scenario just exactly the same way you treat a fire in the medical records warehouse, you clean up the mess and move on, and you treat the patient with the best care you've got available, because your "patient will die unless the data is recovered" is complete idiocy, it's not something that exists in the real world.
And even if your case exists as a potential thing today (it doesn't, but let's go on your idiotic flight of fantasy) then you have to keep in mind that a law criminalizing paying ransom and imprisoning CEOs who pay is going to take time to implement, and can even have a built-in year delay before it takes effect. A bit of warning that it's coming and medical CEOs can take steps to airgap life-critical systems.
The point of a "paying is a crime" law is to make ransomware utterly unprofitable. No profits = no ransomware, these people aren't doing it for the fun of it, they're doing it to make money.
So, blame the victim for trying to minimise the pain.
How about "pay me a ransom for your own life, or I will shoot/knife you".
Should paying that kind of ransom be illegal?
It's not so different from "pay me a ransom or I will do X"
And legal definitions are sometimes notoriously tricky to confine to one intended scenario.
I can see some companies finding a subcontractor whose contract says they'll negotiate with the ransomware people but whose real purpose is to pay them in whatever illegal way is needed without requiring anyone at the company to know what happened to the cash that was sent over. It certainly wouldn't be as many companies as do so now when the stuff requested is legal, but I wouldn't expect it to be zero.
It's also worth considering that, without cryptocurrency, there will still be people who have successfully ransomed data for millions, and those people can pivot to a different payment method. Those who ask for tiny ransoms may well change focus if cryptocurrency becomes unavailable, but if you can successfully get $3M in cryptocurrency, you can also get $2.95M and budget $50k for the company to get that value to you in something else, such as gold. Sadly, they've already decided ransomware is a business model that works, so not all of them will just move on if part of the old structure becomes undesirable.
"Have you tried transferring gold over the internet?"
I didn't say "over the internet" now did I? That's why I budgeted $50k for the payment logistics. That's enough to transfer it in person to a place the criminals can take it more safely, with security for the pickup, and some padding for occasional bribes. Maybe it's not, but even if they made it $250k for that and $2.75M in profit, there are people willing to do it. Criminals used to work in the offline world, and they still do.
Allow ransoms to be paid, but it must be paid personally by the C suite, with no subsequent out of norm renumeration allowed for 10 years.
Also, make it vigilante season by offering 50% of all funds recovered split between the finders as long as 50% of the gang is successfully procecuted. Also, non destructive hacking of suspected malware teams infrastructure be de criminalised.
Couple this with really harsh sentences like having to work for a year in an Amazon warehouse, on standard pay and conditions.
That should help
"Also, non destructive hacking of suspected malware teams infrastructure be de criminalised."
That won't happen because, if you suspect something to be malware that's not, the people who owned it are not going to take "I thought you were a malware gang" as an excuse for why it was acceptable. If you're correct and end up hacking the real operators, it will already be effectively allowed because the criminals are unlikely to report your activities to the police, knowing that they too can be convicted based on the data you have and they'll face larger penalties than you would. Not to mention that, in a democracy, I think most juries would cheerfully nullify the charges if you somehow got them for successfully targeting a malware organization without causing external damage.
"Back in the day, circa 2019, these negotiations happened via email. But since then, ransomware gangs have matured and evolved business operations to include instant messaging with victims to figure out deals"
I suspect that the ransomware gangs have leveraged social media's preoccupation with tracking and real identities. I can generate numerous e-mail accounts that belong to no human, a negotiating group or possibly law enforcement. I don't know where IM fits into this scheme. I don't use it and have it blocked at my end. It's e-mail or some other method on my terms. Ideally meet me at the end of a dark, lonely road. Come alone. Pay no attention to the snipers hidden along the route.
I think they probably stick to text comms when they can because this allows them to use people without having those voices recognized and tracked. That also helps if the language they're using to converse isn't their native one. If they did use a voice system, there are a few programs for distorting a voice that don't make it obvious that's happened, especially through a bad laptop mic.
Modern encryption can be smarter than that. The encryption algorithm doesn't need to apply the key in a simple Caesar cipher, and having some known bits won't tell you everything. Take a look at how AES works and try to figure out how you'd reverse it - it's not easy, by design.
https://en.wikipedia.org/wiki/Advanced_Encryption_Standard
An interesting example of where this failed was in early versions of Zoom. Since a given pixel value always encrypted the same way, you just had to wait for a B frame (when the whole image refreshes) to come along and spit the data out into an image. It wouldn't yield true colours or luminance but the mere clusters of the same value could be processed into something that gave you an idea of the original image:
https://www.theregister.com/2020/04/03/dont_use_zoom_if_privacy/
Fortunately (though not for ransomware cases), encryption algorithms are not usually vulnerable to what you describe as a "known plaintext" attack.
As an example for why this would be really bad for any serious use, think about encrypting a filesystem. If it's a Windows system, you can probably take a guess that it's NTFS, and try to break the algorithm based on likely locations for header structures and the like, or common document formats (docx, jpg, zip) or known executable images (ntoskrnl.exe, kernel32.dll might be good things to go hunting for.)
It's only particularly broken algorithms where known plaintext attacks work, and even then it usually only gives you a few bits more information that you don't have to crack (known plaintext was one of the attacks used against Enigma.)
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
