Ransomware Negotiation Tactics
In the ever-evolving landscape of cybersecurity threats, ransomware attacks stand out for their insidious nature and widespread impact. Within this article we will take you into the shadowy world of ransomware negotiations, revealing the intricate dance between hackers and cybersecurity experts. At the heart of this investigation is Guidepoint Security’s Drew Schmitt, who offers a rare glimpse into the high-stakes game played with cyber syndicates, where every click can lead to chaos.
The frequency of cyberattacks is on the rise, with healthcare systems becoming a prime target. Capital Health in New Jersey fell victim to a cyberattack.
Such breaches often occur due to user mistakes, typically when an employee inadvertently clicks on a phishing email, leading to the unintentional download of malware.
However, this is merely the beginning of a ransomware scenario – what follows are complex negotiations with the attackers.
“Annually, ransomware groups are raking in billions of dollars,” observed Drew Schmitt from Guidepoint Security.
Schmitt, whose role involves dialogues with cybercriminal collectives known by monikers like Akira, BlackBasta, Lockbit, and the Lazarus Group, notes the global spread of these threat actors.
According to Schmitt, with just a simple click, these cybercriminals can seize control of entire networks.
Recent victims in 2023 include healthcare facilities in Delaware County, municipal systems in Philadelphia, and a water authority in Pennsylvania.
Schmitt elaborates, “These cyber-threat organizations have advanced to the point where they operate almost like legitimate businesses, complete with real-time chat applications for swift communication.”
Schmitt gave insight into the operations at Guidepoint Security, a cybersecurity firm known for handling negotiations for a third of Fortune 500 companies and over half of the US government’s cabinet-level agencies.
He explains that post-attack, victims receive a link. They are then directed to input their company credentials, marking the start of the negotiation process.
“The typical first message is, ‘I’ve been advised to contact you regarding this ransomware. How can we recover our files?'” Schmitt shares about the initial interactions.
In a specific case of a ransomware attack, Schmitt disclosed that BlackBasta demanded $1 million. Failure to comply, they threatened, would result in the sensitive data being published on a news board or leaked on the dark web, making it accessible to other malicious entities.
“That’s their tactic for public shaming and data exposure,” Schmitt added.
He also mentioned that he usually asks for verification to confirm the cybercriminals actually possess the files they claim to hold.
“This is what we refer to as ‘proof of life’,” explained Schmitt. “We need to verify that the attackers truly possess what they claim and can actually decrypt the files they’ve encrypted in our network.”
According to Schmitt, response times can vary from mere seconds to hours, and the entire back-and-forth typically spans several days.
He added, “Cybercriminals often unearth your insurance policy details, knowing exactly how much coverage you have for such incidents.”
In their discussions with BlackBasta, Schmitt revealed that the attackers even appeared to have insights into the company’s bank account details — critical leverage in ransom negotiations.
Schmitt noted that 65% of their clients end up paying the ransom, with the average amount being in the low hundreds of thousands of dollars.
“The payment is usually made in cryptocurrency, predominantly Bitcoin,” he said.
Cybersecurity experts also point out that many small and medium-sized businesses, unable to afford the ransom, may face dire consequences, including staff layoffs or complete shutdown.
Schmitt noted that dismantling these networks is challenging, as they frequently operate within countries that don’t collaborate with U.S. investigative efforts.
As we navigate the complexities of cyber warfare, the battle against ransomware groups like BlackBasta continues to pose significant challenges. The experiences of Guidepoint Security underscore the critical need for robust cybersecurity measures and international cooperation. While the fight to bring down these elusive networks is fraught with difficulties, understanding their methods offers a crucial step in bolstering our defenses and mitigating the risks posed by these digital threats.