Ransomware Negotiators Stay Busy as Attacks Escalate

After getting a ransomware payment from a company, the cybercriminal may return for more.

Edward Gately, Senior News Editor

October 2, 2020


It’s a busy time for ransomware negotiators with cybercriminals targeting more businesses and demanding bigger payments.

Ransomware attacks and ransom payments are on the rise, and ransoms are now more likely to exceed $1 million, according to recent research by Barracuda. Ransom payments have increased significantly in the past year, and many victims have done too little to prepare for an attack, so they end up paying.

On Thursday, the U.S. Treasury Department published an advisory warning that a ransomware payment can violate U.S. sanctions. The warning applies when an individual or company has had its data encrypted by a ransomware gang that is itself sanctioned, or that is affiliated with a cybercrime group the Treasury Department has sanctioned in past years. It covers not only the victim but also the firms that facilitate the payment, which is why negotiators now screen the gang behind an attack before any money moves.

So, how do ransomware negotiators work? Should organizations always try to negotiate?



To find out more, we spoke with Ed Dubrovsky, COO and managing partner of Cytelligence. The company handled ransomware negotiations until Aon acquired it earlier this year. It now works with third parties and helps them handle negotiations.

Channel Futures: When do ransomware negotiators step in?

Ed Dubrovsky: Threat actors come in and they impact as many systems as they can to cause a very big impact on an organization. With a small organization they will … encrypt all systems. And with a large organization, they will deploy an automatic means to encrypt all the data. And then you basically have to go and talk to them because your ability to do anything else is diminished. Even larger organizations with backups may still be compelled to negotiate with these threat actors because the amount of time to recover and the cost to the business to be down for that duration could actually be higher than making a payment to the threat actors, and then both recovering from your backups … and decrypting files.

CF: Are many cybercriminals willing to work with ransomware negotiators? Will they accept a lesser amount?

ED: It’s very difficult to negotiate with certain threat actors because of perhaps language or they’re set in their ways in terms of, “We believe you’re making that much money and hence we want that much money, and we’re not going to negotiate.” But it’s not just about the initial demand and the final demand, and whether you need a negotiator to decrease that number.

You could potentially negotiate with them and say, “You give me the data and I’ll pay you for it.” Or you could basically say, “We’re not paying you; go ahead and publish.” That costs zero to the client and then the bad guys go and publish. Yes, it’s in the public domain. But the client didn’t really care because the data did not contain any personally identifiable information about individuals. So it was not secret information. But what was more important was getting back to business. So every case is a little different.

The majority is always about how can we minimize the final demand. But it’s also about how fast we can get to that final demand. It’s costing money, and potentially loss of business and reputation and so on. So it’s definitely a time-sensitive process.

CF: What happens once cybercriminals and ransomware negotiators agree on an amount?

ED: The threat actors will provide a wallet and there will be a payment that’s going to be made to that wallet in bitcoins. So the client would go purchase bitcoin and initiate a wire transfer, essentially, but on the blockchain network to transfer that amount to the wallet of the threat actor. Once the criminals see the transaction and that transaction has been confirmed on the network, they then would typically proceed with next steps, depending on the ransomware variant.

CF: Are there dos and don’ts in the process for ransomware negotiators?

ED: I would say to let the professionals negotiate, but understand the interest and motivation of the professionals as well. Let’s say the bad guys are asking for $1 million, and I know very well that I can reduce that demand to $100,000, just for example. However, if I settle on $100,000, I make 2% because I’m facilitating the payment as well. In that case, my interest is obviously to not minimize the demand and basically give the bad guys the $1 million they’re asking for because 2% on $1 million is much greater than 2% on $100,000.

CF: Should organizations ever try to negotiate without ransomware negotiators?

ED: Experience is so critical in this business. Certain threat actors misbehave. They would say, “I want $50,000,” and once a payment is made, they would say, “OK, I want another $50,000.” We typically know who these threat actors are because we’ve handled so many cases in the past. So we know if a particular variant is untrustworthy. The risk is higher or they could demand additional payment, or they get very, very slow. Time is money in this business.

So instead of losing nine days, you may end up losing three days. It’s not just the ransom demand. So absolutely don’t negotiate yourself. Get professionals to do it. And make sure that the company is actually legitimate. Unfortunately, there are many of what we call scammers in this industry. They could be associated with the threat actors as well. I would highly recommend that the victim organization deals with a company in their geolocation. That just minimizes the risk as well.

CF: Is it common for organizations that go through a ransomware attack to be hit again?

ED: It’s not rare and it’s not very frequent. I would say somewhere in the middle. And it kind of alternates depending on how the organization responded to the attack to begin with. Many threat actors would say we’re not going to attack you again ever, or we’re not going to attack you for the next 30 days and so on. But 30 days goes by very quickly.

Our threat intelligence tells us that many threat actors, once they get paid, actually sell information about the organization to other groups. So they may not necessarily be the ones attacking, but they would certainly be the ones selling the information to another group, telling them that there’s a potential to monetize this information.

CF: Should organizations ever pay what’s demanded?

ED: I would say you should definitely negotiate because it’s not just about getting the decryption. It’s how and how fast, and if they could provide additional information about how the attack happened. And that may give you clues on which door to lock to make sure that it doesn’t happen again. So there should always be some sort of a negotiation. And it’s not always about the amount itself.

CF: Is the process getting trickier or more difficult for ransomware negotiators?

ED: It is. But we typically separate the motivation. Threat actors motivated to get paid is one form of attack. The attacks on intellectual property or to impact a competitor are driven by different things. So if there are any negotiations, depending on the scenario, it takes a different form. I would say that anybody negotiating really needs to understand what I call the threat actor mindset in the particular situation.

TPx Brings MDR to Managed Security Services Portfolio

TPx has added enterprise-class managed detection and response (MDR) to its MSx Firewall and MSx Endpoint services.

Its MDR offering includes a team of specialized security analysts based in several georedundant security operations centers (SOCs). They perform advanced threat hunting and mitigation to reduce response times and minimize the damage caused by cyberattacks.

TPx is No. 2 on the 2020 MSP 501 list.

Jared Martin is vice president of MSx managed services at TPx.

“MDR services are one of the fastest-growing segments in the cybersecurity market,” he said. “So it is a growing revenue opportunity for our partners to sell more monthly recurring revenue (MRR) and receive larger commissions.”

With TPx MDR, partners can differentiate themselves from others who cannot offer this level of security service, Martin said. They can also establish greater trust with their customers.

“This, in turn, can create more opportunities to upsell services,” he said. “Once a business trusts partners to manage their security, it is much easier for them to trust partners to manage other services.”

The MDR can also create stickier customers as it’s not simple to move from one MDR provider to another, Martin said.

By overlaying MDR services on its MSx Firewall and MSx Endpoint solutions, TPx provides end-to-end security service to SMBs that don’t have in-house resources. And it brings a cost-effective option to larger enterprises that want to offload labor-intensive monitoring responsibilities.

In addition to MDR, TPx MSx Firewall and Endpoint services include additional features to enhance customer security risk profiles.

“The TPx MDR solution addresses threats our partners’ customers are facing,” Martin said. “Regardless of size, organizations are under constant threat of attack and disruption from security breaches.”

Malicious hackers are smart and financially motivated, he said. And they’ll find ways around traditional defenses.

“Threats are increasing in number and sophistication with the expansion of remote working and employee susceptibility to nuanced social-engineering tactics,” Martin said.

Barracuda: New Malware Targeting IoT devices

Barracuda‘s latest threat spotlight examines the impact of the new InterPlanetary Storm malware variant targeting IoT devices.

The company’s researchers have discovered that this new variant of InterPlanetary Storm is targeting Mac and Android devices in addition to Windows and Linux machines.

The malware is building a botnet, which researchers estimate includes roughly 13,500 infected machines in 84 countries, and that number continues to grow.

Erez Turjeman is a software security engineer at Barracuda.



“As many IoT devices still use leaked credentials, those devices are an easy target for this malware,” he said. “As seen before, this kind of malware can be used for DDoS attacks and cryptomining.”

Cybercriminals also use it for lateral movement within internal networks, credential stealing, and compromising services running on the infected machine.

The malware uses a primitive attack vector, iterating over known usernames and passwords, so it’s unlikely a patch will keep it from spreading, Turjeman said.

Taking down the campaign stops the malware from spreading, he added.
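Because the malware guesses credentials rather than exploiting a software flaw, the signal a defender can watch for is the guessing itself: one source cycling through many usernames against an SSH service, and, worse, succeeding. The following detector is an added example for this article, not Barracuda’s code or anything from the original page; it parses OpenSSH auth-log lines (the sample lines are constructed) and the thresholds (five failures across at least three usernames within five minutes) are assumptions to tune per environment.

```python
"""Flag dictionary-style SSH login attempts in OpenSSH auth logs.

Added example for this article; it is not Barracuda's code and not part of
the original page. The log lines are constructed, and the thresholds are
assumptions to tune per site.
"""
import re
from collections import defaultdict, namedtuple
from datetime import datetime

Event = namedtuple("Event", "ts result user ip")

# OpenSSH sshd messages in classic syslog format (no year in the timestamp).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+ ssh2$"
)

# Constructed sample: one source walks a default-credential list against a
# camera and ends with a successful root login; one legitimate user mistypes once.
SAMPLE_LOG = """\
Oct  2 10:00:01 cam01 sshd[812]: Failed password for invalid user admin from 198.51.100.7 port 51234 ssh2
Oct  2 10:00:02 cam01 sshd[812]: Failed password for invalid user pi from 198.51.100.7 port 51236 ssh2
Oct  2 10:00:03 cam01 sshd[813]: Failed password for root from 198.51.100.7 port 51238 ssh2
Oct  2 10:00:04 cam01 sshd[814]: Failed password for invalid user ubnt from 198.51.100.7 port 51240 ssh2
Oct  2 10:00:05 cam01 sshd[815]: Failed password for invalid user support from 198.51.100.7 port 51242 ssh2
Oct  2 10:00:06 cam01 sshd[816]: Accepted password for root from 198.51.100.7 port 51244 ssh2
Oct  2 10:05:00 cam01 sshd[900]: Failed password for alice from 192.0.2.10 port 40000 ssh2
Oct  2 10:05:30 cam01 sshd[901]: Accepted password for alice from 192.0.2.10 port 40002 ssh2
"""


def parse(log_text):
    """Parse sshd password-auth lines into Event tuples; other lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")  # syslog omits the year
        events.append(Event(ts, m["result"], m["user"], m["ip"]))
    return events


def detect_dictionary_attacks(events, window_seconds=300, min_failures=5, min_users=3):
    """Return {ip: finding} for sources whose failures inside one sliding window
    reach min_failures attempts across min_users distinct usernames. Any later
    successful login from the same source is reported as a likely compromise
    of a weak or leaked credential."""
    by_ip = defaultdict(list)
    for ev in sorted(events):
        by_ip[ev.ip].append(ev)

    findings = {}
    for ip, evs in by_ip.items():
        failures = [e for e in evs if e.result == "Failed"]
        start = 0
        for end in range(len(failures)):
            # Advance the window start until it spans at most window_seconds.
            while (failures[end].ts - failures[start].ts).total_seconds() > window_seconds:
                start += 1
            span = failures[start:end + 1]
            users = {e.user for e in span}
            if len(span) >= min_failures and len(users) >= min_users:
                last_fail = span[-1].ts
                later_success = {e.user for e in evs
                                 if e.result == "Accepted" and e.ts >= last_fail}
                findings[ip] = {
                    "failures": len(span),
                    "usernames": sorted(users),
                    "compromised_accounts": sorted(later_success),
                }
                break  # one finding per source is enough to raise an alert
    return findings


if __name__ == "__main__":
    for ip, finding in detect_dictionary_attacks(parse(SAMPLE_LOG)).items():
        print(ip, finding)
```

Run against the sample, the detector reports 198.51.100.7 with five failures across five usernames and a subsequent root login, while the single mistyped password from 192.0.2.10 is ignored. The distinct-username condition is what separates a credential dictionary from a user who has simply forgotten a password; a source that succeeds after such a run is the host to isolate first.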

MSSPs can help protect their clients by properly configuring networks, and reducing exposure of services and devices to the minimum required, Turjeman said.

There are multiple actions that can help minimize the threat:

  • On-demand network scans or periodic network scans. Those uncover any new system or system changes.

  • Eliminate anything unnecessary.

  • Use infrastructure configuration auditing tools for cloud-based deployments. This can also prevent unwanted access to various machines and services in cloud environments.

  • Network segmentation to isolate service networks from corporate networks, which will reduce the risk posed by infected devices.
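The first item on that list only helps if someone compares each scan against the last one. The script below is an added example, not Barracuda’s tooling or code from the article: it parses two runs of nmap’s grepable output (the inventory lines are constructed) and reports hosts that appeared, hosts that vanished, and ports that newly opened on known hosts. The set of ports it treats as high-risk (telnet, the alternate telnet port, and Android Debug Bridge on 5555) is an assumption of this example, chosen because they are frequently exposed on IoT devices.

```python
"""Diff two periodic network-scan inventories to surface new hosts and newly
opened ports.

Added example for this article, not Barracuda's or the page's own code. The
inventories are constructed nmap grepable-output (-oG) lines; in practice the
inputs are the saved files from a scheduled scan and the previous run.
"""
import re

# "Host: <ip> (<name>)<TAB>Ports: <entries>[<TAB>Ignored State: ...]"
HOST_RE = re.compile(r"^Host: (?P<ip>\S+) \((?P<name>[^)]*)\)\t+Ports: (?P<ports>[^\t]*)")

# Ports this example treats as high-risk exposure on an IoT segment (assumption):
# telnet, alternate telnet, and Android Debug Bridge.
WATCHLIST = {23, 2323, 5555}

BASELINE = """\
# Nmap 7.80 scan initiated (constructed sample)
Host: 10.0.0.5 (nvr)\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///\tIgnored State: closed (998)
Host: 10.0.0.9 (cam01)\tPorts: 554/open/tcp//rtsp///\tIgnored State: closed (999)
"""

LATEST = """\
# Nmap 7.80 scan initiated (constructed sample)
Host: 10.0.0.5 (nvr)\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 5555/open/tcp//freeciv///\tIgnored State: closed (997)
Host: 10.0.0.9 (cam01)\tPorts: 554/open/tcp//rtsp///, 23/open/tcp//telnet///\tIgnored State: closed (998)
Host: 10.0.0.42 ()\tPorts: 22/open/tcp//ssh///\tIgnored State: closed (999)
"""


def parse_grepable(text):
    """Return {ip: {(port, proto, service), ...}} covering open ports only."""
    inventory = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue
        open_ports = set()
        for entry in m["ports"].split(","):
            # Entry fields: port/state/protocol/owner/service/rpc info/version
            fields = entry.strip().split("/")
            if len(fields) >= 5 and fields[1] == "open":
                open_ports.add((int(fields[0]), fields[2], fields[4]))
        inventory[m["ip"]] = open_ports
    return inventory


def diff_inventories(before, after):
    """Hosts that appeared, hosts that disappeared, and ports newly open on
    hosts present in both runs."""
    new_hosts = sorted(set(after) - set(before))
    gone_hosts = sorted(set(before) - set(after))
    new_ports = {}
    for ip in set(before) & set(after):
        added = after[ip] - before[ip]
        if added:
            new_ports[ip] = sorted(added)
    return {"new_hosts": new_hosts, "gone_hosts": gone_hosts, "new_ports": new_ports}


def flag_risky(changes, after, watchlist=WATCHLIST):
    """(ip, port) pairs where new exposure lands on a watchlisted port: every
    open port of a brand-new host, plus newly opened ports on known hosts."""
    flagged = []
    for ip in changes["new_hosts"]:
        flagged += [(ip, port) for port, _, _ in after[ip] if port in watchlist]
    for ip, ports in changes["new_ports"].items():
        flagged += [(ip, port) for port, _, _ in ports if port in watchlist]
    return sorted(flagged)


if __name__ == "__main__":
    before, after = parse_grepable(BASELINE), parse_grepable(LATEST)
    changes = diff_inventories(before, after)
    print(changes)
    print("review first:", flag_risky(changes, after))
```

On the constructed runs the diff shows a new host at 10.0.0.42, a freshly opened telnet port on the camera, and port 5555 on the recorder; the last two are flagged for review, while the new host, exposing only SSH, is reported but not flagged. Each of those is exactly the kind of "new system or system change" a periodic scan exists to catch, and a segment-by-segment version of the same comparison is a cheap check that the segmentation in the last item is still in place.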

CrowdStrike Invests in Sixgill

CrowdStrike has made a strategic investment in Israel-based Sixgill, a threat intelligence provider, through the CrowdStrike Falcon Fund.

The CrowdStrike Falcon Fund is an early-stage investment fund that CrowdStrike formed in partnership with Accel Partners. It invests in companies that develop applications that could contribute to CrowdStrike and its platform.

In addition to the investment, the two companies will pursue initiatives to offer joint customers enhanced threat intelligence capabilities.

Sharon Wagner is Sixgill’s CEO.



“The funding will be used to further develop our cyber threat intelligence offerings — upholding our commitment to deliver intelligence solutions that are more accurate, more useful, more contextual and the most comprehensive collection on the market today,” he said. “By offering joint threat intel offerings with our partners, we help enterprises navigate and protect themselves in an increasingly complex and hostile cyber environment. We do this by providing robust, automated security solutions that minimize cyber risk and amplify incident response in real-time. It removes silos between departments by creating a sense ecosystem in the organization.”

In addition to CrowdStrike, Sixgill has joint offerings with Palo Alto Networks, IBM, ServiceNow and Splunk.

Sixgill’s advanced collection and threat intelligence products and services fuel real-time incident response, data-driven investigations and threat analysis. That helps companies accelerate security operations amid the escalation in cyberattacks.

“Partnering with leading cybersecurity vendors such as CrowdStrike allows us to increase the avenues that organizations can use to consume our unique intelligence solutions for maximum security readiness, at any given time,” said Ron Shamir, Sixgill’s vice president of products and technology alliances.



About the Author(s)

Edward Gately

Senior News Editor, Channel Futures

As news editor, Edward Gately covers cybersecurity, new channel programs and program changes, M&A and other IT channel trends. Prior to Informa, he spent 26 years as a newspaper journalist in Texas, Louisiana and Arizona.
