Interviews 21.09.2023

On the Record with a Ransomware Negotiator: An Unfetted All-Access Interview

If you had one hour to ask a ransomware negotiator anything at all, what would you ask?

Meet Tony Cook. He negotiates ransoms for a living, making deals with the cyber devil to restore systems, regain data, and resume the status quo. Eleanor Dallaway reports

Tony and his team work on the ransomware frontline, often the first to run into battle. It’s a high-intensity, always-on, arguably divisive job. At Black Hat Las Vegas, Eleanor Dallaway jumped at the opportunity to ask Tony what actually happens when a company is held to cyber ransom.

To learn more about Tony and how his team supports organisations with incident response, check out his bio at the bottom of the page; he has one hell of a résumé. But for now, allow Assured Intelligence to ask all the questions you’ve always wanted to know regarding the cybersecurity industry’s most talked about foe, ransomware.

Let’s start at the beginning. How quickly are you ‘in the room’ once an organisation has been hit by ransomware?

Our ideal tactic is to start immediately and be the first to talk to the ransom actors. The sooner we can begin that correspondence, the better. The first step is to see what the impact is. Is it critical? Can we restore it? Then we work to slow up the process, ensure the information isn’t released and string the threat actor along while the client decides whether or not to pay the ransom. During this time, we’ll assess which systems the client has access to and what data the ransom actors have (if it’s HIPAA or PII data, they’ll likely pay regardless). I think the longest we strung a threat actor along for was 45 days.

Tony Cook

What’s the benefit of stalling for time?

Controlling the flow of information and ensuring the client enters negotiations, whether or not they intend to pay. In an ideal world, the client can get back up and running and operational during this time. It’s also a way to stall dealing with media and all the PR stuff that goes with that. We will use this time to ask for proof of the ransom actors’ data and files so we know they’re not joking around.

Do you pretend to be the client? Or do you make it known that you’re a negotiator working on behalf of the client?

We act as if we’re the client. They have rules on their side, for example, what clients and verticals they’re allowed to hit, and most of them state that they will not work with an incident response firm. They insist on dealing directly with the client, so we act as the client.

Do they reveal who they are?

About 90% of the time, they do. Sometimes, there are ephemeral, flash-in-the-pan type groups. Other times, there will be a note, “We are LockBit” or “We are Alpha”. Even without that [declaration], one look at the compromised site will often show us exactly who is behind it.  Some lesser-known groups don’t want you to know who they are. That requires an entirely different – harder – negotiation tactic. Sometimes, they don’t even care about getting paid; they just want the recognition that they did these things.

Geographically, where are most of these ransomware groups?

A lot are in Eastern Europe, but we’re seeing a lot of new groups spinning out of South America and Africa. Geography isn’t always obvious, and in those cases, we might have to work 100 cases or more to determine exactly where they are. We’ll share this information in an IC3 ticket with the FBI and then turn over all the pertinent information to the client.

How much does price come into your negotiations? 

We always work to get the price down. We use time pressures and try to strike deals. For example, we might say, “It’s the weekend, and banks aren’t open. If we pay right now at half the price, can you get us the stuff back?”

The more mature ransomware groups have specific roles for members, one of which is to set the correct ransom price.

“It’s a Mafia-type mentality, but it’s set up like a Fortune 500 business”

In many ways, they operate like legitimate businesses, right?

Absolutely. With the more sophisticated actors like LockBit, if an organisation pays the ransom, they’ll be presented with an in-depth report from the ransom group about how they broke into the environment, what the attack map looked like, and where the security holes were. They see it as part of the service and want to be viewed favourably by future victims, increasing the chance of another payday. It’s a Mafia-type mentality, but it’s set up like a Fortune 500 business. They aim to be credible. They even have a helpdesk!

The less mature groups, however, are more amateur operations and won’t even have their own dark website for shaming.

Talk to me about sanction lists.

If a ransom group is on a sanction list, we cannot pay them. There are a few lists, including the OFAC sanction list. We do due diligence on the threat actors we negotiate with because many rebrand [to try and evade sanction]. The Evil Group, for example, has rebranded five or six times. If you pay a group listed on a sanction list, you get fined by the government.

Do you have to declare it when you do pay a ransom?

In the past, no, but there’s increasing legislation for a reporting requirement. Just recently, the FTC said that public trading companies have to report major cyber incidents, including details of whether a ransom was paid. In the critical infrastructure space, a report has to be made within 72 hours, including the decision on the ransom.

Speaking of ransom decisions. Do you often get a ‘hung jury’ situation, where leadership disagree on whether or not to pay?

Oh God yeah. It’s common, given the stigma around paying a ransom. It’s our job to give them all the information and all the context. It’s always a conversation piece back and forth and will often cause internal conflict. There’s usually one person on the Board who will say: “I was told never to pay, the FBI said not to.”

“If your business is down, you’re losing millions of dollars a day, and the ransom payment is one million dollars, it’s a no-brainer, right?”

Do you advise on whether they should pay?

We do. I don’t think organisations should always pay, but it’s situation-dependent. If your business is down, you’re losing millions of dollars a day, and the ransom payment is one million dollars, it’s a no-brainer, right? We make our recommendation based on the business impact analysis we do.

How often does the ransom get paid?

I can give you the Guidepoint Security stats. So far this quarter, about 80% of victims have paid. Many State Governments, like Tennessee, are trying to pass a law that bans organisations from paying ransoms.

Are you witnessing any trends in the cost of a ransom demand?

They’re definitely going up. Ransomware actors are getting better at pricing ransoms. We’ll offer a reduced payment, and they’ll give lengthy and well-researched reasoning for why they believe their pricing is fair. We educate our retainer clients about the dangers of storing sensitive financial information, risk assessments and insurance policy documents on their network. They could get into the ransomware actors’ hands if it’s breached.

You mention retainer clients. Are your clients mostly retainer?

 We try very hard to do retainer work so we can build relationships, become a trusted advisor, and run exercises and tabletop simulations with clients. Don’t get me wrong, they’ll still get hit; it’s almost inevitable, but at least they’ll be prepared.

We also sit on a few cyber insurance panels and get drafted into those incidents. It’s almost impossible not to have cyber insurance these days, so we also do a lot of that [cyber insurance funded] incident response work.

Recent vendor ransomware reports have noted the trend of triple extortion ransomware. Do you concur?

Yes, we’re entering the realm of triple extortion. They’ve taken your data. They’ve held you to ransom. Now, they will DDoS you and hit your main website until you pay, releasing information to clients and your supply chain.

“One of our negotiators had to stay on the line with a guy while an ambulance was called”

What sort of emotional state do you typically find people in?

Highly stressed. One of our negotiators had to stay on the line with a guy while an ambulance was called because he had a panic attack. Our job is to be the calm, cool head in the conversation and deter rash action. You can tell if it’s a CISO or executive who has been through it before; they have a ‘not my first rodeo’ vibe.

The ransomware discovery often happens at night, early in the morning or at the weekend, which can enhance stress. We have an ‘always on’ mentality, taking calls around the clock. We definitely get burnt out.

Finally, can you pick out one memorable case you’ve worked on that has stayed with you?

It was a supply chain attack on a manufacturing company that got hit on a Monday. They weren’t on a retainer with us, but we got in immediately, the first ones in, and everything in their environment was down. They couldn’t even send an email out. The ransom demand was insanely high. The CEO said, “We will never pay,” but on the confirmation that a lot of data had been exfiltrated, they had to. They were losing all kinds of business and money. For three days straight, their people couldn’t even come to work. They were losing millions of dollars while complaining about a ransom that was less than a million dollars.

We knew the threat actors were more advanced as they’d grabbed very specific things. After three days, we negotiated them down enough to pay them and got the decryptor. Many believe that everything will be fine once you have the decryptor, but it took 21 days to become operational again.

Afterwards, we did a tabletop exercise with them to debrief and determine ongoing issues. Budget challenges mean that some weaknesses can’t be resolved, but we’re still working with them to try and improve their security posture and preparedness.

About Tony Cook

Tony Cook is the head of threat intelligence on GuidePoint Security’s consulting team, where he manages digital forensics and incident response engagements on behalf of the company’s customers. His career background includes high-level national security activities in cybersecurity operations for several clients over various verticals.

Tony was the cybersecurity operations architect and IR director at the network security operations center of the Space and Naval Warfare Systems Center (SPAWAR), and a malware analysis and digital forensics officer at the Naval Cyber Defense Operations Command.

Tony has also managed forensics and incident response at the U.S. Joint Forces Command and has worked as a security engineer for Raytheon at NASA’s Langley Research Center. He began his career with the Navy, where he served as lead system administrator on the USS Enterprise. He holds a bachelor’s degree in information security from Colorado Technical University, as well as a broad range of certifications in IT security.





Latest articles

Be an insider. Sign up now!