Kurtis Minder: Ransomware Negotiations [ML B-Side]

Transcription edited by @hakinadey

[Kurtis] If we have objectively decided that we are going to pay something, then I tell the threat actors that. We intend to pay you.
And then every message after that, I remind them of that fact.

[Ran] Hi and welcome to Sabirizan’s malicious life B-sides, I’m Ran Levi.
Well it finally happened. The threat you were worried about materialized, the shit has hit the fan, things went south, all hell broke loose.
I’m actually out of cliches. Your organization was hit by ransomware and it is now time to reach out to the hackers and negotiate the terms of a deal that will bring back your data and hopefully won’t leave the company’s coffers empty.
But before you sit down in front of your computer and fire off a message to the hackers, stop. Are you sure that you know what you’re doing? Are you certain that you won’t screw up the negotiations and do more harm than good?
Kurtis Minder is an experienced ransomware negotiator and he has plenty of examples of clients who took their ransom negotiation into their own hands and blundered it. Badly.
In the following conversation with Nate Nelson, our senior producer, Kurtis talks about the various negotiation techniques he and his colleagues at Groupsense, a digital risk protection services company, founded and employed when negotiating a deal with the bad guys.
Why shouldn’t you lie to the hackers? How does one decide what’s a reasonable amount to pay and why sometimes working with clients is as difficult as dealing with the hackers?
It’s an utterly fascinating peek into the mind of a ransomware negotiator. Enjoy the interview.

[Nate] Who’s usually on the other end of the line?
Is it the cybercriminals themselves or like low-level employees of larger ransomware groups?

[Kurtis] It does depend on the group. There are individual actors. There are affiliates, which are basically leveraging the ransomware as a service platforms. There are the ransomware groups that we know from the news like Conti, Black Matter, etc. The groups, having worked with them for years now, have fairly complex organizations. We saw that from the Conti leaks when we saw their chats.
Usually, generally speaking, if you’re dealing with a ransomware group, the first person you’re interacting with is a very low level, like you use the word employee of that organization. They have basically a script that they’re working off of and they have certain boundaries as to what they can and cannot do, say, or offer you.

[Nate] By the way, do you identify yourself as a ransomware negotiator in order to create the space where they can know that you’re going to do a business deal or do you pretend to speak as the victims that the attackers don’t know that your client has hired someone like you?

[Kurtis] We used to because there’s an advantage to being a third party from a foil perspective if you’re familiar with the concept, where I can convey things like, oh, man, what you’re saying, I understand, but I don’t think my client’s going to go for this and use a client as a foil. There’s advantages to being a third party.
However, over the course of the last year, it was probably a little over a year ago, many of the threat actors have recognized that professional negotiators were being brought in and they were probably not seeing the results that they had intended and it was lengthening the process and making it more complex. So they blogged about this and attached a bunch of threats to it like, if we find out you’re dealing with a professional negotiator, we will just dump all your data and delete the decrypter and you’ll never get your files back.
I don’t think that’s ever happened or at least in our case, it’s never happened, but when we saw that, we decided to back up and just play the role of the victim whenever possible.

[Nate] So is there a consistent tone that you always try to strike in these conversations or do you sort of feel it out based on the kinds of messages that you’re getting from them?

[Kurtis] No, no, it should be consistent.
Our policy around how to interact with these threat actors is to be respectful, be slightly different, and then treat it like a business transaction, try to keep the emotion out of it, which is one of the advantages of using a firm like us versus the victim handling it themselves.
It’s very hard for the victim to put themselves in an impartial role and so approaching it as a business transaction, taking the emotion out of it and being polite and slightly different is consistent across whichever group we’re dealing with.

[Nate] Are there any little tricks that you can share about what typically makes these negotiations go well and what helps you get to lower numbers?

[Kurtis] I wouldn’t call it a trick actually.
I mean, I do think that it’s sometimes counterintuitive, but being fairly transparent about the situation from your side, often we find that the threat actors are using things like basically common business intelligence tools like Zoom info, et cetera, or sometimes they’re just Googling the company and that’s where they get their information about the size of the business, potentially how much revenue they have, how many employees, et cetera, and somewhat subjectively setting a price.

[Nate] But why can’t you just tell them that the Google data isn’t accurate?

[Kurtis] You cannot lie in most cases because as you know, most of the threat actors are taking a copy of your data before they do this, before they lock your files, and in that data they often have your financials.
Now they may not have taken the time to really look through them or understand them, but they have them. So lying is kind of a bad strategy there.

[Nate] So what happens if the hackers see a big valuation on Google, they think they could get a lot of money out of you, they send you a number, and they’re not willing to negotiate on it?

[Kurtis] If you read the ransom notes of many of the groups, they actually say the words in the note, “contact us so we can make a deal.”
So they’re saying on the front end of this is that you should not pay the price on the window. Right?
We don’t intend for you to do that. And so understanding that going in that they’ve buffered on their side, you’re going to buffer on yours and have a business discussion is where you get to a reasonable number.

[Nate] Okay. How do you determine what’s reasonable for your client?

[Kurtis] There’s a whole bunch of stuff you have to do on the front end to get to the point where you understand what a number that makes sense is.
And then everything flows from there. All of that sort of flows down to a set of bullets that describe the impact of the business and objectively explain why you can’t pay what they’re asking and as quantitatively as possible and effectively making a business case for a different number that you’ve decided on as a business.

[Nate] You make it sound so simple. Are there any stories of when coming up with a number wasn’t so easy to do?

[Kurtis] I got a couple of stories. One is when we were doing this business impact assessment for a large manufacturer and we were going through our list of things to consider and things to try to put a number or a label on priority wise. As part of that discussion, the CISO, the Chief Information Security Officer says to me, we are one of the number one manufacturers of this particular product in the world. We’ve been doing this for a hundred years. We have specific trade secrets and intellectual property that makes us better at this than everyone else in the world. It’s like the recipe for Coke.
The guy goes, I’m concerned that these threat actors took a copy of that intellectual property. While at the end of this, we may agree that they delete it. If it should get in the hands of, for example, my largest Asian competitor in five years, I have a much larger business problem to address. To put a label on that or the value of that or the impact of that is quite hard.
That had not occurred to me. We’ve now built that into our model about what data have they taken and how could that impact you long-term? That happened about a year ago and it really rocked me when we had that discussion.

[Nate] And On the other end of the spectrum, do you ever work with smaller mid-size businesses and then is your process similar for them?

[Kurtis] That’s a very different discussion and frankly, I’ll be honest with you, it’s a little bit emotional a lot of times for even for me or my team because we’re not talking about a boardroom full of people anymore. We’re talking about Mary and Mary built an accounting practice over the last 18 years working hard. She’s got 12 employees. She’s going to have to lay off on Wednesday if we don’t solve this.

[Nate] Take us back into the room. What general negotiation tactics apply to ransomware and what about ransomware is unique from any other kind of negotiation scenario?

[Kurtis] Frankly, the tools of the trade, if you will, are not too different and often when we do get let’s say a logjam in a negotiation or something like that, I will refer to those frameworks to say, okay, well, how can we break that logjam and we use a lot of the same tools that you would use in a boardroom or buying a car or in the case of Chris Voss negotiating over a hostage situation.
We use a lot of the same tools and sometimes I’ll even text Chris Voss and say, hey, dude, I used this and here’s what it did.

[Nate] Are you able to tell us what tools you and Chris use in these situations?

[Kurtis] I’ll give you one example. I don’t want to give away all of the trade tricks but most of the time it comes down to simple human behavior and when we get stuck sometimes a lot of the negotiation books will refer to tools like asking your opponent to solve the problem for you and surprisingly that works a lot of times.
Just saying ‘how’, here’s my situation. Tell me how we can come to it. Tell me how we can solve this, please and being kind and for some reason humans like to solve your problems, even your opponents and they will come back with a suggestion and it might not be exactly right but it breaks a logjam and we’re able to move forward with the discussion. It’s fascinating.

[Nate] Interesting. So are there any other publicly known not so secret tactics that you can share with us here?

[Kurtis] One of the tools that we use, I call it plant the seed and water the seed which is if we have objectively decided from a victim and our perspective that we are going to pay something then I tell the threat actors that in the beginning. We intend to pay you and then every message after that I remind them of that fact.
Now if I’m doing this right, I’m going to put myself in this category where they’re like these guys are kind of a pain and it’s taking a long time.
Let’s just take what we can get and some threat actors will do that and then they’ll move on because they’ve got a volume of victims, they’ve got a pipeline of which they might be doing 30, 40 of these at a time and when you become high maintenance, low value, they’ll just take what’s on the table and go. That’s part of the strategy.

[Ad] Today’s complex ransomware operations or ransom ops have evolved to include sensitive data exfiltration for double extortion, rendering past execution defense approaches and data backups largely ineffective.
So why are so many security providers still pushing alert-centric tools that only focus on the tail end of the attack, the ransomware payload?
The best strategy for organizations to avoid becoming a victim of ransomware is to prevent the attack from being successful in the first place.
Cybereason remains undefeated in the fight against ransomware because it moved beyond alerting to deliver an operation-centric approach that detects and prevents ransomware attacks at the earliest stages of initial ingress and lateral movement.
The Cybereason predictive response capability disrupts ransomware attacks prior to data exfiltration and long before the ransomware payload can be delivered. Cybereason is dedicated to teaming with defenders to end cyber attacks from endpoints to the enterprise to everywhere, including today’s complex ransom ops attacks.
Visit cybereason.com to learn more about predictive ransomware protection and how your organization can realize both increased efficiency and efficacy through an operation-centric approach to security operations.

[Nate] All right so now that we have some idea of the kinds of tools and methods that you use to make these conversations go a little bit better.
On the other side of the spectrum, what should victims and negotiators never do?

[Kurtis] We often, I won’t say often, we’ve been pulled into a number of situations mid-flight.
One of the things we say internally is negotiations end well when they start well. There’s a momentum that is built that is really hard to reverse in these, because the bad guy doesn’t care that you switched operators. They don’t care that you switched negotiators. They don’t care that you hired a firm.
Some of them actually do care that they don’t want you to hire a firm, but me versus the victim versus some other, it’s hard to hit a reset button. Because we got pulled into a number of these in the middle, we’ve seen transcripts that are not good.

[Nate Nelson] Not good such as?

[Kurtis] Generally, it’s the opposite of what I’ve said so far. It is don’t be antagonistic. Don’t lie. Negotiate in good faith. Don’t play tricks.
Keep in mind, some of these groups do hundreds of these a month, or if not thousands. There’s no tricks that they have not seen. In the beginning, maybe you could do it, but they’ve iterated. They’re not stupid. Don’t treat them like they’re stupid, or it’s going to get you in trouble.

[Nate] Yeah. In your experience, what are the biggest one or two mistakes that you’ve ever seen a client make?

[Kurtis] One time, we got pulled into a case, it was a large service provider had been hit. They called us up and they said, hey, look, we were referred to you. We had started engaging with the threat actor already and it’s not going well.
I said, okay, so we start at the beginning. I walk them through our process and we say, okay, I’ll take a look at the transcript, but we need to go back to the starting block and decide. We need to all agree on what the business impact is, et cetera.
I take them through our process, but when we were looking at the transcripts, the first person that sat down at the keyboard said, hi, we got your note and how do we solve this or something like that? I’m paraphrasing.
The bad guy said, we are Conti and we have taken your files and blah, blah, blah. They give you a laundry list of all the leverage they have.
At the end, they said, identify yourself. The person said, I’m changing the name to protect the innocent, but they use the real name. I’m Jim Smith. I work at this company. This is my email address. This is my phone number.

[Nate] Yeah. That doesn’t seem like a good idea.

[Kurtis] When I’m reading the transcript, I turned to one of the owners of the company, one of the partners of the company. I was like, your IT person just doxed themselves to a cyber criminal on command. Why did they do that?
The next thing the bad guy says is, well, we want $1.4 million. The victim who’s at the keyboard says, well, we’ve only got 50,000 to offer you.
He gives no reason. He doesn’t explain their financial situation. He doesn’t do it. He just says, we’ve only got 50,000. I’m paraphrasing a little bit for simplicity, but basically the threat actors come back and say BS and they use strong language and they say, we have a copy of your finances. We know how much money you made. This is not a credible offer.
He came back immediately and said, okay, you know what? We can afford $125,000. This goes back and forth and eventually he just keeps coming back with a higher number. By the time that they called us and they took the keyboard away from this person, he had offered them 250,000.
When I was explaining to the partner of the firm the situation that we were in and how it was going to be difficult for me to reverse, for example, you used round numbers. It ended in a zero, which signals that there’s no specific reason.

[Nate] Wait, why is that?

[Kurtis] If you would come back to me and said, I can afford $52,347.26, that signals like there’s some kind of math involved other than me coming up with an arbitrary number. You didn’t do that. You used round numbers.
The other thing you did is you came up with $200,000 in 15 minutes that you didn’t have before, which told me that every number you’ve given me so far is arbitrary and that there’s more money to be had.
One last thing I’ll say is another mistake that other folks make is keep in mind that the first person that you’re interacting with in most cases probably doesn’t speak English at all. That means what they’re pasting into the chat window is some script. When you respond to that person, they’re taking what you typed and putting it into Google Translator, Babel Fish or whatever. What’s important about understanding that situation is that the language you use is going to be translated into their native language probably poorly and understanding the tone and context of the words you use in that language is important. That’s such a nuanced thing, but it is extremely important to understand and a lot of people don’t think about things like that when they’re interacting with these folks.

[Nate] How does that affect how you talk to ransomware actors? Is it just that you know to use simpler and more direct language?

[Kurtis] Certainly, yes. Simple is important, but also we do have on staff native language speakers, 15 plus language is including the most common languages that the threat actors are using. We natively understand what these words mean and what words are sort of different in tone versus antagonistic in tone and things like that. We’re careful about it and we’re educated about it and we are talking about people’s livelihoods here and other people’s money, so we don’t take it lightly.

[Nate] Between all of the discussion that we’ve just had about the kind of tactics that you are able to use, the kind of mistakes that clients tend to make, these little sort of nuances, taken as a whole it seems like victims generally speaking will be out of their depth when negotiating with their own attackers.
When they call you in, do they play any role in your process, your clients, or do they just sit off to the side while you do your thing?

[Kurtis] This probably varies from firm to firm, but when we started doing this at the beginning, we recognized that this is a very gray area.
If we were, for example, to take a case where we said, okay, well, what can you afford and they said $50 or get it to close to zero as possible or whatever and then we said, okay, we’ll be back, we’ll let you know how it goes and we disappear into the dark web and have our negotiation and then we come back with a number, which is, by the way, how some firms operate, that is so opaque and rife for the accusation of fraud that it’s just a dangerous way to operate.
From the very beginning, in addition to the business impact, which is a role they play, that discussion, that sort of gaming out what this is worth to them through the entire process, they play a role in the actual negotiation, 100% transparency. No message is sent to the threat actors without the approval of the client. We occasionally refuse to send a message that they suggest.
Sometimes clients get upset and they’ll start insisting we use foul language or something and we won’t do that, but for the most part, we will educate the client as to what we’re doing, what the plan is, why we’re saying what we’re saying, what that means and what the expected outcome is.
If they disagree and they want us to say something else, we will.

[Nate] What’s an example of a bad request that you’ve gotten from a client?

[Kurtis] I have one where we were doing a case and we had suggested a message and there’s some tactics around timing, delay and the time that a message is sent. That’s part of this.
We say, okay, what we’ve decided on collectively, the client and us, we decided on our next step and that message is going to go out at 8.52 p.m. Eastern or something like that. At 7 p.m., I get a call from one of the partners at the firm and they say, hey, I’m looking back at this message that we agreed on and I was going to make a change suggestion. I said, well, lay it on me.
He says, I’d like to change this word to onerous and I was like, well, Pete, I frankly don’t know how onerous translates in Ukrainian and I don’t think that’s a good idea, but I will do it if you like. He said, oh, no, no, that’s a good point.

[Nate] Yeah, I’m trying to step into your shoes here and I can imagine if you have a client who’s a little bit confident, maybe they could start stepping on your toes and suddenly you’re not just negotiating with ransomware attackers, you’re negotiating with your own client as the best way to handle it.

[Kurtis] That’s a good way to put it. I mean, it is bidirectional. You’re simultaneously educating, sometimes depending on the size of client acting as a therapist.
We’ve had some funny ones where there was a construction company, this is going to sound like I’m making this up, but it’s totally true. There was a construction company, it was three brothers and they told us that what happened, we walked through the business impact, whatever, and one of the brothers at the very end of the initial discussion about the engagement said, hey, where are these guys at in a very thick accent and I said, well, this particular group operates primarily out of Russia. There’s a few members, I believe in Belarus, but for the most part out of Russia and he goes, well, can we get to them? I said, I don’t think that’s a great idea.
Also, we had one for a software company that did a lot of AI work and they asked for some of our intelligence data so that they could attack the threat actors and or attempt to decrypt and a few other things on their own. That was new.
Of course, I don’t advocate hack back necessarily for a lot of reasons, but they are a client so we gave them the data and let them go to town.

[Nate] Okay. I won’t comment on that.
In general, how do you know when you’re done with a negotiation? Is it when you reach the target number that you’ve decided on with your client at the beginning of the process or do you ever hit that number and then think maybe I could keep going and continue negotiating with the attackers from there?

[Kurtis] Yeah. I mean, keep in mind that we’re paying foreign adversaries.
I did this piece for Inc Magazine where I talked about how cyber hygiene and personal responsibility around cyber hygiene is patriotism because if you think about who these perpetrators are, where they are, and what they potentially do with the data and money, it’s really not a good idea to pay them a penny more than you have to.
We have a personal responsibility to like if we see there’s room to reduce, we do. Now we’ll follow the clients directly and say, hey, look, we’re good. There have been cases where that’s been true where we said, look, I can get this person. We got them from seven figures to low, six figures, and I’m relatively confident we can get it to five and their cyber insurance company says, nope, let’s pay it and move on.
While that’s frustrating, that’s a business decision and that’s up to them, but yeah, if we see room to continue to go, we will, or if we feel like we’ve hit a wall and it’s only going to get worse from here and we didn’t quite make the number, we will communicate that.
We’ll leave it up to the client, of course, on whether to proceed or not, but a lot of it’s by feel.

[Nate] A moment here, if you want to brag, what’s the most amount of money that you’ve ever saved a single client in a negotiation?

[Kurtis] I mean, millions. I don’t know if I can say eight figures necessarily, maybe close, millions. We’ve had cases on the smaller end where the threat actors have asked for millions and we’ve paid 5,000.

[Nate] On the other side of things, do you ever fail a ransomware negotiation either by not quite getting as much money back as your client wanted, or maybe a negotiation just goes all to hell and you don’t get anything out of it?

[Kurtis] Of course.

[Nate] What are the factors that lead to failure?

[Kurtis] It depends on the group. A lot of these threat actors have a script. When they go off script, sometimes it’s disruptive, or if we’ve misinterpreted the technical situation, that can be tricky. There’s a lot of those string alongs.
The customer is not technically adept enough to recognize this and did not communicate it on the front end, but the threat actor has encrypted batches of files with multiple decryptors, or encryptors. You would need more than one decrypter to undo the damage. Not knowing this, you can negotiate a number and then say, okay, here’s one decrypter. Now you owe us more.
The other thing is when they go off script, or for example, they do examine the financial data a lot or carefully, and they’re smart enough to understand what the client can actually pay. The client’s going to set a number much lower than that naturally, and the client’s insistence on sticking to that lower number when the objective financial facts state otherwise can cause a situation where I would consider not just we fail, but we collectively fail with the client.

[Nate] Lastly, with everything we’ve learned today, can anybody who’s now heard this conversation go out into the world and negotiate with their own ransomware attackers?

[Kurtis] No, I wouldn’t recommend it.
Think of it as an investment in paying a response firm to help you with this. It isn’t just the negotiation tactics, which anybody can read the books that I talked about. Anybody can take a Harvard online class on negotiation and become quite good at negotiation, but what you’re missing is some of those nuanced factors that we talked about, like understanding the language, understanding the technical components.
Our core business is digital risk, so there’s an intelligence component, understanding the threat actors, actual technical capabilities, whether they honor the ransoms traditionally, how long it usually takes, what they normally ask for and what they normally settle for.
All this stuff is you can’t just learn overnight. You have to do a lot of these to be really, really good at it.