Interviews 20.02.2025

Five Minutes With: A Ransomware Negotiator

Jason Baker is a lead analyst with the GuidePoint Research and Intelligence Team

Former US Marine Corps operative Jason Baker explains how he helps clients get the better of their online extorters.

What was your route into cybersecurity?

I started my career proper while serving in the United States Marine Corps, where I worked in intelligence. After college, I moved on to a federal civilian position covering intelligence analysis of counterintelligence and cyber threats for the Department of Defense, where I first got exposed to the subject matter. When it came time to make a move into the private sector, cyber-threat intelligence (CTI) gave me an opportunity to apply my subject matter expertise that I couldn’t pass up.

If you could retrain for a dream job, what would it be?

Like most folks in CTI, it would probably end up being something incredibly research- and writing-focused. The subject matter might shift with time, but to the extent I get to read, analyse, think and write all day – I’ve already got a lot of aspects of my dream job in my current role. Retraining for a dream job would just be a greedier version of that.

What has been your most challenging role to date?

I’d probably say my current role. Consulting brings such a diverse slate of challenges that you never really get the chance to get comfortable. But I love that. With that comes a diverse client base, with personalities and needs that range from simple to complex. Getting to help folks in responding to incidents and improving their capabilities is the ultimate test of your real, no-kidding understanding of the subject matter.

What’s the biggest misconception about cybersecurity?

Unfortunately, it is what the community has propagated so far as “ease of entry” into the field. There are a lot of training and boot camps out there which market to folks looking to make a career change, and I do think it can be a great second career – I’m proof of that. But making that move is almost never a one-and-done thing.

Best and worst thing about being a ransomware negotiator?

The worst part is dealing with criminal threat actors. These are often objectively bad people that are willing to attack and disrupt hospitals, schools, non-profits, you name it. Beneath the surface, the personalities are often bigoted, offensive and immature. This doesn’t often surface in negotiations, but it’s a subtext we keep in mind when messaging these guys.

Conversely, those same victims – hospitals, schools, non-profits – are some of the partners we get to help in negotiations, sometimes saving millions of dollars from making it into the adversary’s hands. In many cases, we provide a means to restoration that may have been impossible without our involvement. We often get asked by laypersons how we are “okay” with engaging with threat actors. My answer is that once you switch from looking at it as “enabling” a criminal and towards containing, restricting, and hampering the threat actor with every resource you have available – it becomes a lot easier.

How has the ransomware ‘industry’ changed over recent years?

Primarily by reducing barriers to entry and increasing distributed operations (i.e., ransomware-as-a-service). This opens the opportunity up to more actors, particularly as it is advertised as an easy way to earn a living.

Is the primary purpose of a ransomware negotiator to haggle with threat actors or is there more to it?

From my perspective, the main purpose is to help the victim navigate the unknown. Sometimes this means negotiating down the ransom demand, sometimes it does not. Most of the time our focus is on: informing the victim of next steps; what is likely to happen vs. what is less likely to happen; what options are on the table; and the risks vs. benefits of different options.

“I don’t think we’ve found a way to impose sufficient costs on criminal enterprises at scale yet.”

For most victims, this is their first time going through a ransomware incident, and the only thing making matters worse is the degree of uncertainty involved. As negotiators and intelligence professionals, our role is reducing uncertainty while providing assessments even with incomplete information, so that the victim can recover and move on.

What advice would you give to industry n00bies?

Ask questions. Words have meaning, so don’t be careless in the words you choose. Find what interests you the most and lean into it, while also seeking out opportunities to shore up your weaknesses.

What’s the biggest as-yet-unsolved problem in cybersecurity?

In cybercrime, I think it’s how to impose sufficient costs on distributed criminal enterprises. Our conventional approach from a defensive and law enforcement approach has been to tackle shared resources, leadership, infrastructure, etc. And while this approach has some level of impact, you still have a huge volume of affiliates that can simply realign elsewhere. I don’t think we’ve found a way to combat this approach at scale yet.

Tell us a guilty secret

Because I didn’t “come up” in IT or security originally, I still often mispronounce certain acronyms – either spelling them out or pronouncing them as a word when the opposite is the standard. I get a healthy ribbing about this each time from my colleagues.
