The Gately Report: GuidePoint Security On Do's, Don'ts of Ransomware Negotiation
Avertium was partially successful in using ChatGPT to write a ransomware encryptor.
Channel Futures: Are there negotiation tactics that used to work, but not anymore?
GuidePoint’s Mark Lance: I do think that we’ve recently seen where the threat actors would be less willing to walk away from certain monetary gains. And we have seen specific incidents where once they go into an environment, we talk about them trying to find what they believe to be sensitive information so that they can then try to monetize that. We’ve actually seen where they not only go in and look for things that are secret and confidential, but they are doing queries and looking for cyber insurance. Their motivations are monetary, so they’ll leverage what information they have access to to try to get a higher payment or whatever payment they can.
So we’ve had instances where there have been negotiations and they say, “We want this amount; we want $10 million.” And then you go in and say, “I’m sorry, we don’t believe anything you have is worth that value; the most we would be able to do is $500,000.” And they come back and they’ll have your insurance documentation, and they’ll say, “Actually you’ve got insurance coverage up to this much, so we know you can afford it.”
I do think more recently, too, we’re seeing where in ransom negotiations they’re willing to take less money because they believe that they can potentially go monetize that information elsewhere, whether that’s selling it out on the dark web or doing something else with it. So I do think that typically where we used to be able to get more from negotiations, they’re more steadfast in what they want in their ransom demands now.
CF: New Fortinet research shows a high number of organizations are paying ransoms. Should they not be doing that?
ML: I think that there are a lot of different reasons that people might pay a ransom. And I think a lot of customers will feel like they’re highly justified to do so based on their business requirements. So you have a lot of people paying ransoms. You’ve got a lot of people now who aren’t paying ransoms as well. They’ve actually adjusted their approach and said, we won’t do it.
A change we’ve seen as well is that historically when you had an incident, [you] don’t talk about it. Don’t mention you’ve ever had an incident; don’t talk about it to anybody else. Now it’s almost become normal. It’s everybody from the mom-and-pop pizza shop to the Fortune 50 being impacted by this. So there used to be a stigma associated with, “Oh, you had an incident.” And now it’s almost like, “Hey, this happens to everybody.”
What you do is you learn from it and you progress from it, and you develop a strategy so it doesn’t happen again. But again, I just don’t think there’s that same stigma associated with it now. So I think that, again, in certain situations people are less inclined to make a ransom payment now.
CF: As a negotiator, what’s your goal? What’s the optimum outcome?
ML: One of the first things that we’re doing when we’re working with clients to actually perform the threat actor negotiations is to help them determine what their strategy is. The strategy is going to be determined by the client and what they’re trying to get out of it. Now, that being said, once we determine what that is, there are the additional steps that we’re going to take. Like we want to make sure that we’re doing proof of decryption. We’ve got to be able to make sure that if they’re going to make a ransom payment, you’re going to be able to successfully decrypt the files.
You can also negotiate sometimes on whether they’re going to provide you with some sort of summary of how they got into the environment. Once they got into the environment, what did they touch? What did they steal? Are they going to provide what they say is proof of deletion and videos of them actually deleting files? So there are certain steps and things that we’re going to do as part of that negotiation. But really, the overall strategy depends on the client’s needs and whether they have any intent on paying a ransom, delaying, and just trying to gather and get information. There are a wide variety of reasons that somebody might do that.
CF: Are there do’s and don’ts in ransomware negotiations? Can one mistake make the situation worse?
ML: There are a lot of differing opinions. Generally, in ransomware negotiations you don’t want to go in too hard. We’ve got a lot of clients who are angry and they’re upset about the fact that they’ve been impacted, as they should be. And they almost have a tendency to handle things emotionally. And it’s partially our responsibility to come in there as consultants, people who do this on a daily basis, and say, “OK, you’re not necessarily going to have major gains by going in there and yelling at the threat actor and telling them how stupid they are or how angry you are at them.” Maintaining focus on what the end goal is will help you develop the strategy and work with it from there. And so I think the biggest consideration is to try to take some of the emotion out of your response actions, and approach it very logically and scientifically. Similarly, there’s going to be an investigation as well. So you’ve got to think about it logically and not go with knee-jerk reactions or emotional reactions versus fulfilling the strategic objective.
CF: With the high number of attacks, are you really busy?
ML: So interestingly enough, you brought up Russia-Ukraine. Last year, throughout 2022, as an industry, ransomware was still continuous. In the industry, we all agree that there was just overall less volume of ransomware that we were seeing. It just appeared to be maybe a little slower last year. What I can tell you is we’ve seen a serious uptick within 2023. I would say the volume and the number of attacks that are occurring, we’re seeing posts on a daily basis. We track all of the different ransomware threat actors, their name-and-shame sites where they go and publish information if somebody doesn’t make a ransom payment, and so we track them and how frequently they’re posting, types of industries that are being impacted and those types of things. And to your point, even though there was a bit of a lull last year, it by no means ever stopped. It was still very persistent and perpetual. And this year, though, we’ve seen a significant increase.
CF: Do you expect that increase to continue this quarter and beyond?
ML: I will say that while we saw the slowdown last year, it’s been persistent and again, kind of perpetual since then. I wouldn’t expect ransomware attacks to decrease at this point in time. If they have an opportunity to make money and they’re making a lot of it, nobody’s going to say, “No, I’ve got too much money; please don’t give me any more.”
CF: Are particular types of industries, sectors or companies more attractive targets?
ML: We do see where certain threat groups like to target different industries or verticals. We’ve also got some threat groups that, based on their affiliate programs and ransomware-as-a-service (RaaS) requirements, don’t want you targeting specific verticals or industries. And they will kick you out of their affiliate program if they see you do so. I do feel like it’s hitting the health care vertical, as an example. They’ve generally got a necessity to recover operations very quickly because by operations being down, it could be causing issues or risking human lives, or the inability to provide services in some ways. And so because they realize that it’s going to be high impact and they have a necessity to recover so quickly, they might specifically target those industries.
But then you’ve got other ransomware groups who say, “No, that’s immoral and unethical; even though we’re a threat group, we won’t specifically target them or we won’t target education systems or we won’t target people.” During COVID-19, they were saying, “We won’t target hospitals or people who are working on vaccines.” But then again, you’ve got others who very much will because they’re going to pull any lever or flip any switch they can in order to try to make money.
In other cybersecurity news …
The U.S. Food and Drug Administration (FDA) and the Cybersecurity and Infrastructure Security Agency (CISA) have issued public notifications regarding security vulnerabilities in Illumina medical devices.
An unauthorized user could exploit the vulnerability by:
Taking control remotely.
Altering settings, configurations, software or data on the instrument or a customer’s network.
Impacting genomic data results in the instruments intended for clinical diagnosis, including causing the instruments to provide no results, incorrect results, altered results or a potential data breach.
At this time, the FDA and Illumina have not received any reports indicating this vulnerability has been exploited.
Illumina developed a software patch to protect against exploitation of this vulnerability. The FDA wants health care providers and laboratory personnel to be aware of the required actions to mitigate these cybersecurity risks.
“Attacks and vulnerabilities against medical devices have been a problem for decades,” said Roger Grimes, data-driven defense evangelist at KnowBe4. “In the past, getting a medical device approved took years, if not over a decade, and even fixing a vulnerability could take years, putting more people at risk than necessary. That’s changing. The medical device regulatory space has significantly improved regulations and processes so that devices can be more up to date when they go to market, and be fixed more easily and faster when vulnerabilities are found. It’s not perfect, but it’s tons better than it used to be just a few short years ago.”
Avertium’s Cyber Response Unit (CRU) was curious to see if two of their members with no programming skills could manipulate ChatGPT into writing ransomware encryptors.
The CRU wanted to test the limits of ChatGPT’s capabilities, pushing the boundaries of what the chatbot could do. The two CRU members were able to talk ChatGPT past its safeguards and have it produce ransomware code, although neither of their attempts yielded a working encryptor.
After those two unsuccessful attempts, the CRU assigned one of its more experienced developers to work with ChatGPT on a functional encryptor. The outcome was partially successful: they produced an encryptor that worked, but only when it encrypted the entire contents of each file. That approach is effective but extremely slow, which is why most modern ransomware encryptors encrypt only part of each larger file, the leading bytes or interleaved chunks (so-called intermittent encryption): enough to make the file unusable while keeping the run fast.
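As an added example (not Avertium’s code and not anything from the original article), the following Python shows why head-only encryption matters to defenders and how to spot it: it measures byte entropy at the start and end of each file and flags the signature such an encryptor leaves, a random-looking leading block over an intact remainder. The block size, the 7.5-bits-per-byte threshold, the magic-byte list and the sample files are assumptions chosen for illustration, and os.urandom stands in for ciphertext so that no encryptor is written here.

```python
import math
import os
from collections import Counter

# Size of the leading and trailing block inspected per file (assumed; tune per environment).
BLOCK = 64 * 1024
# Bits per byte above which a block is treated as ciphertext/compressed data (assumed threshold).
HIGH = 7.5

# Formats that are legitimately high-entropy throughout. Their magic bytes survive only
# if the head was NOT overwritten by an encryptor (assumed, illustrative subset).
KNOWN_MAGIC = (b"%PDF", b"PK\x03\x04", b"\xff\xd8\xff", b"\x89PNG", b"\x1f\x8b")


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: ~8.0 for ciphertext, roughly 4 to 5 for English text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify(blob: bytes, block: int = BLOCK, high: float = HIGH) -> str:
    """Return 'clean', 'head_encrypted' or 'fully_encrypted' for one file's bytes.

    A head-only encryptor leaves a high-entropy leading block over a low-entropy
    remainder and destroys the format's magic bytes; whole-file encryption is
    high-entropy at both ends. A compressed container with its magic intact is
    high-entropy at both ends too, so the magic check keeps it out of the alert.
    """
    head = shannon_entropy(blob[:block])
    tail = shannon_entropy(blob[-block:])
    if head < high:
        return "clean"
    if blob.startswith(KNOWN_MAGIC):  # bytes.startswith accepts a tuple of prefixes
        return "clean"
    return "fully_encrypted" if tail >= high else "head_encrypted"


def scan(files: dict) -> dict:
    """Classify a mapping of filename -> contents (what scan_tree builds from disk)."""
    return {name: classify(data) for name, data in files.items()}


def scan_tree(root: str, min_size: int = 2 * BLOCK) -> dict:
    """Walk a directory and classify files large enough to have a distinct head and tail."""
    found = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if os.path.getsize(path) >= min_size:
                with open(path, "rb") as fh:
                    found[path] = classify(fh.read())
    return found


# Constructed sample files (not real data). os.urandom stands in for ciphertext: for this
# statistic the output of a modern cipher is indistinguishable from random bytes.
TEXT = (b"Quarterly report: revenue grew 4% while operating costs were flat. " * 4096)[: 4 * BLOCK]
SAMPLES = {
    "report.txt": TEXT,                                        # untouched plaintext
    "report.txt.locked": os.urandom(BLOCK) + TEXT[BLOCK:],    # first 64 KB overwritten, rest intact
    "report.txt.enc": os.urandom(len(TEXT)),                   # whole file overwritten
    "backup.zip": b"PK\x03\x04" + os.urandom(len(TEXT) - 4),   # high-entropy by nature, magic intact
}

if __name__ == "__main__":
    for name, verdict in scan(SAMPLES).items():
        print(f"{name:20s} {verdict}")
```

Run it over a directory with scan_tree(). Compressed or already-encrypted formats are high-entropy by nature, so the magic-byte check is what keeps a PDF or ZIP out of the alert; files smaller than two blocks are skipped because their head and tail would overlap. The check is a triage signal, not proof: an intermittent encryptor that skips the first block would need the same entropy test applied to interior chunks.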
“As we explore the capabilities of AI in the tech world, we must consider the potential risks associated with such powerful technology,” Avertium said. “We have recently started to see examples of how AI can be used maliciously, from hacking into computer systems to manipulating data. It’s clear that if used maliciously, AI could have devastating consequences. While ChatGPT has some protections about abuse built in, it was trivially easy for two non-experienced individuals to circumvent them and produce malicious code.”
This Thursday marks World Password Day, creating awareness about the importance of strong, unique passwords and sound credential hygiene.
Dan Conrad, One Identity’s Active Directory (AD) security and management team lead, said World Password Day has been an “overdue reminder for longer than any of us in security thought necessary.”
“It can seem obvious to some, but many businesses are still dealing with the most basic of breaches because they aren’t using best practices,” he said. “Organizations need to be accountable for having – or not having – password and identity security practices that secure their critical assets. If critical assets aren’t explicitly protected by multifactor authentication (MFA) and admin privileges aren’t protected in the same way, or if someone can get data by typing in ‘Password1,’ that’s a serious oversight, and an unacceptable risk to the business.”
While passwordless technology continues to mature, Conrad provided a few tips for implementing modern password strategies:
Just get MFA and ideally implement it via an authenticator app.
Avoid basic keyboard patterns, or adding just one character to your password. Those are easier to crack.
Move on from periodic password rotation. It’s been shown to have little to no impact on security. Instead, use randomized phrases and characters that people can manage and remember in combination with MFA for a better bet.
Protect usernames as diligently as you do passwords to prevent password spray attacks. If an attacker can get a list of known usernames for your organization and authentication does not require MFA, these attacks can be very effective.
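The spray pattern Conrad describes is easy to see in authentication logs once you look at the right dimension: many accounts with few attempts each from one source, rather than many attempts on one account. The following Python is an added example (not One Identity’s code and not from the article) that separates the two over a small constructed log; the line format, the IP addresses, the window and the thresholds are assumptions made for illustration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Hypothetical one-line-per-attempt auth log format assumed for this example.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse(lines):
    """Yield (timestamp, source, user, result) for well-formed lines; skip the rest."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield (datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"), m["src"], m["user"], m["result"])


def detect(lines, window=timedelta(minutes=10), spray_min_users=5, spray_max_per_user=3,
           brute_min_attempts=5):
    """Return alerts for password spraying and brute forcing found in the log.

    Spray: within `window`, one source fails against at least `spray_min_users`
    distinct accounts with no more than `spray_max_per_user` tries each (the
    attacker's way of staying under per-account lockout). Brute force: one
    source, one account, at least `brute_min_attempts` failures in the window.
    Successful logins are ignored here; a FAIL run ending in OK is worth its own
    rule but is out of scope for this example.
    """
    failures = defaultdict(list)
    for ts, src, user, result in parse(lines):
        if result == "FAIL":
            failures[src].append((ts, user))

    alerts = []
    for src in sorted(failures):
        events = sorted(failures[src])
        spray, brute = None, {}
        lo = 0
        for hi, (t_hi, _) in enumerate(events):
            while t_hi - events[lo][0] > window:  # slide the window's left edge forward
                lo += 1
            per_user = Counter(u for _, u in events[lo:hi + 1])
            if len(per_user) >= spray_min_users and max(per_user.values()) <= spray_max_per_user:
                if spray is None or len(per_user) > spray["users"]:
                    spray = {"kind": "password_spray", "src": src, "users": len(per_user),
                             "attempts": hi - lo + 1, "start": events[lo][0], "end": t_hi}
            for user, n in per_user.items():
                if n >= brute_min_attempts and n > brute.get(user, {}).get("attempts", 0):
                    brute[user] = {"kind": "brute_force", "src": src, "user": user,
                                   "attempts": n, "start": events[lo][0], "end": t_hi}
        if spray:
            alerts.append(spray)
        alerts.extend(brute[u] for u in sorted(brute))
    return alerts


# Constructed log lines (documentation-range IPs, invented accounts).
SAMPLE_LOG = [
    # one source tries eight different accounts once each within eight minutes: spray
    *(f"2023-05-04T10:0{i}:00Z src=203.0.113.7 user={u} result=FAIL"
      for i, u in enumerate(["alice", "bob", "carol", "dave", "erin", "frank", "grace", "heidi"])),
    # one source hammers a single account: brute force
    *(f"2023-05-04T11:00:{10 * i:02d}Z src=198.51.100.9 user=bob result=FAIL" for i in range(6)),
    # a legitimate user mistypes twice and then succeeds: no alert
    "2023-05-04T12:00:00Z src=192.0.2.5 user=alice result=FAIL",
    "2023-05-04T12:00:05Z src=192.0.2.5 user=alice result=FAIL",
    "2023-05-04T12:00:12Z src=192.0.2.5 user=alice result=OK",
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Keying the window on the source address is what makes the spray visible, and it is also the rule's blind spot: a spray spread across a proxy pool drops below the per-source threshold, so in production the same counting is worth repeating per source ASN or per target tenant. This is why Conrad's two tips go together: the detection buys time, but MFA is what makes a guessed password insufficient.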
Ransomware negotiation is a tricky job as ransomware gangs continuously shift their tactics to get as much money as quickly as possible from victims.
Mark Lance, GuidePoint Security’s vice president of digital forensics and incident response (DFIR) and threat intelligence, specializes in ransomware negotiation. We caught up with him at last week’s RSAC 2023.
A new GuidePoint Security report based on publicly available resources shows a 25% increase in ransomware victims in the first quarter from the fourth quarter, and a 27% increase compared to the first quarter of last year. The report tracked 849 total publicly posted ransomware victims claimed by 29 different threat groups in the first quarter.
Manufacturing, technology, education, banking and finance, and health care organizations continue to represent the majority of publicly posted ransomware victims. LockBit remains the most prolific ransomware threat group, but the widespread exploitation of a file-sharing application vulnerability has brought Clop into a leading position.
Ins and Outs of Ransomware Negotiation
We spoke with Lance about the ins and outs of ransomware negotiation amid this increase in attacks.
Channel Futures: Have ransomware gangs been changing their tactics amid the Ukraine crisis?
Mark Lance: If you look at the evolution of the threat, initially it started out very largely about the encryption and operational impacts. Then a couple of years ago, we saw them start doing the double extortion method where they’re stealing information from the environment prior to performing the encryption and even if you’re able to recover, they’re still going to try to get payment through the extortion of the data that they stole by saying that they won’t release the information if you pay them. With the Russia-Ukraine incident, I wouldn’t say it has changed the methods that we’ve seen. I think we’ve seen some unique impact where the methods they’re using right now are working, they’re effective and they’re making a ton of money.
Want to contact the author directly about this story? Have ideas for a follow-up article? Email Edward Gately or connect with him on LinkedIn.