What’s it really like to negotiate with ransomware gangs?

Bob Sullivan

It might be the worst-kept secret in all of cybersecurity: the FBI says don’t pay ransomware gangs. But corporations do it all the time, sending millions every year in Bitcoin to recover data that’s been taken “hostage.” Sometimes, federal agents even help victims find experienced virtual ransom negotiators.

That’s what Art Ehuan does.   During a career that has spanned the FBI, the U.S. Air Force, Cisco, USAA, and now the Crypsis Group, he’s found himself on the other side of numerous tricky negotiations.

And he’s only getting busier. According to Sophos, roughly half of U.S. corporations report being attacked by ransomware last year.  The gangs are becoming more organized, and the attacks are getting more vicious. The days where victims could simply pay ransom for an encryption key, unscramble their data, and move on are ending. Now that some companies have managed to avoid paying ransom by restoring from backup, the gangs have upped their game. Their new trick is to extract precious company data before encrypting it, so the attacks pack a one-two punch — they threaten embarrassing data breaches on top of crippling data destruction.

Ransomware gangs also attack companies when they are at their most vulnerable  — during Covid-19, they have stepped up their attacks on health care firms, for example, adding a real life-or-death component to an already stressful situation.  By the time Ehuan gets involved, victims just want to put their computers and their lives back together as quickly as possible.  That often means engaging the gang that’s involved, reaching a compromise, making a payment, and trusting the promise of a criminal.

It can sound strange, but during a recent lecture at Duke University, Ehuan said there were “good” cybercriminals — gangs that have a reputation for keeping those promises. After all, it’s their business. If they were to take the Bitcoin and run, security firms would stop making payments.  On the other hand, you can’t trust every criminal — only the “good” ones.

This is the murky world where Ehuan works. During his lecture, Ehuan talked in broad strokes about the major issues facing companies trying to stay safe in an increasingly dangerous digital world.

After the lecture, I asked him to share more about what it’s like to deal with a ransomware gang (as part of my new In Conversation at Duke University series — read the series here). Who makes the first move? Are you sending emails? Talking on the phone? How do you know which criminals to “trust?” How do you gain their trust? Do they ever accuse you of being law enforcement?  Here’s his response:

Art Ehuan

“When the malware is deployed there is also information provided on how to contact (the crime gang) to pay the fee that they are looking for and receive the key to unencrypt the data.

“Our firm, and others like it, will then have a discussion with the client and counsel to decide if they will pay and how much they are willing to pay. Once authorized by counsel/client, contact is made with the TA (gang) on the dark web to advise them that systems are impacted and we would like to discuss getting our data back, or data not being released to public sites, etc.  We provide them with a known encrypted file to make sure they are able to unencrypt and provide us back the known file to ensure that actually have the decryptor.  We have a discussion with the TA over the dark web to lower price due to funds the client has available, etc.,

“There is good success in negotiating a fee lower than what was initially asked by these groups.  Once the fee is agreed and payment made, most often than not by bitcoin, TA sends the decryptor that is then tested in an isolated environment to make sure that it does what it is supposed to do and not potentially introduce other malware into the environment.  Once evaluated, it is provided to the client for decryption of their data.  If the negotiation is for them not to release the data, they will provide proof of the files being deleted on their end (we have to take their word for it that they haven’t kept other copies).  Sometimes this takes several days due to the time difference between U.S. and Eastern Europe when communicating.

“Even with the decryptor, unencrypting the data is a painful and costly experience for a company.  My continuous message to clients is to secure and segment their infrastructure so these attacks are not as successful. That is cheaper than the response efforts that occur with a breach.

“Hopefully, this provides at a high-level process that is taking place.”

(Read the full conversation here.) 


Leave a Reply

Your email address will not be published. Required fields are marked *