A
You're listening to the Cyberwire Network, powered by N2K. Welcome to Threat Vector, the Palo Alto Networks podcast, where we discuss pressing cybersecurity threats and resilience and uncover insights into the latest industry trends. I'm your host, David Moulton, senior director of thought leadership for unit 42.
B
If you were ever in this situation where you get attacked by a ransomware group or a threat that has exfiltrated your data and or encrypted your environment, bring in the professionals, guys. Do not contact a threat actor on your own. Do not talk nasty to them. Adverse things will happen. Engage a professional negotiator that has done this many times because we are going to walk you through the do's and don'ts of how to handle this situation and scenario.
A
Today I'm joined by Jeremy D. Brown, consulting director at Palo Alto Networks. With nearly seven years in that role and prior experience as principal consultant at Crypsis, Jeremy brings deep expertise in incident response consulting and strategic threat negotiation. Today we're going to talk about threat actor negotiation, why it's vital, how it works, and what security teams need to know to get it right. A quick note to listeners: this podcast took everything. Reschedulings, multiple crashes during the recording, and Jeremy's insanely cute dachshunds trying to join us during the conversation. Stick with us. It's worth it. And apologies for any rough bits that we can't edit out.
A
Jeremy, welcome to Threat Vector. I'm excited to finally be able to have you on the show. I know we've been trying to get you in to talk about threat actor negotiation, but every time we had it scheduled, you were called for service. I appreciate that you're not busy today and you're able to make it on the show.
B
Appreciate that. David, glad to be here finally, and just looking forward to the conversation.
A
Can you talk to me about when you first became focused on threat actor negotiation? That's a very particular skill set. And maybe there was this defining moment or a case that really pulled you in.
B
Yeah, absolutely. So I came from the public sector, always working as a contractor inside of the government, in which we would never negotiate with a threat actor. Right. No matter what the incident was. So when I came to Crypsis, at first I just started working lots and lots of ransomware engagements and learning the ropes, and it always intrigued me to talk to these cyber criminals. So basically, from the onset of beginning working in the private sector and knowing that we could speak to these threat actors, it was something I always wanted to do, and I learned from one of the best at the time, and basically I've never looked back since.
A
And maybe before we get into the details of threat actor negotiation, what is it that really drew you into incident response and this industry in general?
B
Yeah, I mean, incident response as a whole is a niche field. Right. Every single matter that we work, it's different, even if it's against the same ransomware group or threat actor organization. Guys, again, it keeps you on your toes. You always have to learn something new. You have to keep up with these threat actors' TTPs, IOCs, things of that nature, and you always have to learn something new every day. I try to learn something new every single day. So, again, with that type of fire and passion under my belt, it just helps me, you know, keep on going and working these different cases year after year.
A
Well, I'd imagine that between the threat actor negotiations, learning new TTPs, keeping up with all the different tactics and what's going on in the overall landscape, you're never really that bored and your mind's always just on fire.
B
Absolutely. Never bored. I think that's the key. Right? It's not stagnant. It's not the same every single day, day in and day out. And every day is a different day for what we do here.
A
Well, let's get into the basics. What is threat actor negotiation? And, you know, how does that typically play out during that ransomware incident?
B
Yeah, so, you know, when you are attacked by a ransomware group or organization, typically they're going to leave a note behind saying, hey, we did this, we did that. This is who we are. Contact us within X amount of time. A lot of times, that's 72 hours. There is a difference between threat actor communications versus threat actor negotiations. We do encourage clients, and most counsel does as well, to engage with the threat actor. We learn information from them. We tend to get, you know, good forensic information out of them so we can pinpoint analysis. Right. Get files and file tree listings from the threat actor to provide to the victim entity so we can identify and understand the data at risk or data in play. Where the negotiation piece comes into it is when a victim entity or company that got hit with ransomware actually wants to negotiate the price with the threat actor to possibly make a payment.
A
So I'm gonna step away from our usual script. What you just said reminded me of this great movie. It's called The Incredibles. I don't know if you've seen it. It's a Pixar film. "You caught me monologuing." It sounds like sometimes the more you end up talking to a threat actor, the more they give away a key detail. Even if they didn't mean to, maybe their monologuing gives away some sort of clue or insight that helps you out.
B
Yeah, it absolutely does. Again, it helps the forensic entity, Unit 42, kind of track and walk back the data exfiltration. Right. How did they take the data? Where did the data come from? Right. Did it come from a server? Did it come from a shared folder or drive? Where did the data come from?
A
So, Jeremy, are there common phases or like, is there a threat actor playbook that you've noticed that these threat actors tend to follow when they're trying to engage with a victim to get that ransom?
B
Yeah, absolutely. And now it really depends on the group or the ransomware-as-a-service gang that we negotiate with or reach out to. Some of these guys are very aggressive in nature. They're very nasty in tone. They're very aggressive in getting your attention. If you don't reach out immediately, they will email employees, they will email C-suite executives to get your attention. We know those cybercriminals that do that versus the ones that do not. So they all do tend to follow a certain playbook. One example is the Akira ransomware group. We've been working against them for three years and basically it's the same basic, you know, responses every single time. So we kind of know what we're going to get with them. Now there are wild card threat actor groups out there that operate differently each and every time. These cyber criminal rings, they operate as a business. They actually think of themselves as a business entity where they have the hackers, the bosses, and then the operators who are actually the ones communicating with someone like me on the other side.
A
Jeremy, how do defenders or incident responders like yourself prepare for entering into those negotiations with a ransomware group? Especially when you said some were really aggressive, maybe some are not as responsive. It seems like there's gotta be a lot of things that you're prepared for when you walk into that conversation.
B
Yeah, I think it's the executive advisor or case lead. Right. Someone like myself that lays out kind of what's gonna happen in a threat actor communication or negotiation for the customer. Right. This is their worst day. They don't understand this. They don't do this for a living like we do. So kind of walking them through that, and what we can expect from threat actor X, Y or Z, is very critical. For the executive leadership team in these organizations, transparency is key, kind of letting them know that, hey, look, we want to reach out to prevent this, or we want to reach out to understand why. You know, again, just preparing the legal teams, whether it's outside counsel or inside counsel, and the executive leadership team is critical before we start a negotiation.
A
Do you ever work with organizations during a tabletop on this specific thing? It seems like walking into a negotiation where you've got to trust that Jeremy understands exactly what's going on would be better than not having you there. But overall, not having gone through this, fortunately, a bunch of times and then having your first time be a live fire exercise seems terrifying. It is.
B
We do offer those services. Tabletop exercises for a FOAP threat actor negotiation is a thing, and we recommend things like that for large organizations or any organization, really, from a proactive standpoint, if that makes sense.
A
Yeah, it really does. I was recently able to take part in driving a supercar. And that's not my usual MO, but I had a passenger seat driver or coach right there with me walking through the whole thing, and I caught some great speed and had a lot of fun. No way. No way I would have been able to drive that fast without somebody right there by my side. And that's what I'm picturing: you're right there with them going through something new and a little bit scary. But maybe it's better to do it on the safety of a track than in a real race. I don't know. I'm mixing my analogies here, but it's just what you're making me picture as we're talking about this. Who else is involved in this negotiation process internally? I mean, you mentioned a couple of the parties, but I'm wondering how big does that group get when you're really involved in a negotiation?
B
Yeah, I mean, that's a great question. So typically when you're running a large scale incident response against a ransomware case or ransomware group, there's many plates that you're spinning, right? The forensic analysis, data collection, remediation, eradication, again, containment, and then negotiation. So in a negotiation and communication, it really actually gets whittled down to a smaller audience because you want to keep that information really tight, in a tight circle. So typically it's going to be the CEO, VPs, the ELT, the executive leadership team. You'll have outside counsel who's representing the victim organization. Then a lot of times you also have internal counsel, right, or what we call general counsel. So you don't typically have the whole IT team there. You know, all the key players that are doing analysis from our side, or the client team that's on the IT side of things, you don't have there as much. So you do reduce that audience to keep it, you know, more of a tighter circle, if that makes sense.
A
It really does. I'm wondering what types of misconception clients have had. You know, Hollywood and different movies do a really great job of showing negotiators and those sorts of things. And it seems really intense and, you know, down to building a human connection. But I would imagine some of those things don't really pay off in the experiences that you've had with an actual threat actor.
B
Yeah, I think the number one misconception, and I've heard it ever since I've been doing this, is, but if we contact them, we have to pay, right? That is not the case. So that's the biggest misconception that I typically run up against. Just because we reach out to these threat actors does not mean you're making a payment. So we just educate the client in terms of this is going to prevent, number one, them posting on their leak site, them contacting employees, contacting executives. We're going to get information out of them to help understand where the data came from. It's also going to help you understand the data in play or the data at risk. So it can, you know, basically let you make the smartest decision on notification obligations.
A
So you've been doing this for quite some time, and I'm wondering if you can talk to me about how the landscape of negotiation has really changed with things like the rise in double extortion. And then you just mentioned leak sites. How do those things impact your work?
B
Yeah, that's a great question. You know, seven years ago, six years ago, five years ago, really kind of pre-COVID, it was a lot of single extortion. Right. David, what do I mean by that? So there was not much data theft or exfiltration. It was just the encryption event. So these threat actors would come in and get out. We call it smash and grab ransomware. One of them that rings a bell is Phobos. You know, a long time ago, where they just came in, they didn't take data, but they encrypted. So the double extortion really began to rise, you know, right around the COVID time. And what we mean by double extortion is the threat actors come in. Not only do they encrypt your environment, or your organization and your systems and servers, they're taking large amounts of data. Right. And they're looking for anything with PII or PHI in it, PCI, sometimes anything with sensitive information; to them it holds a lot of value. But the rise in double extortion is something that we've seen increase over the years. Interestingly enough, we're starting to see more single extortion again, where there's a lot of data exfiltration without the encryption event. Now, that varies, you know, based on whatever threat actor it is. But again, these tactics change all the time, so we always have to be on our toes.
A
And do those tactics affect the urgency or the strategy of the negotiation?
B
No, it doesn't. I mean, there's organizations where they don't have any valuable data, right? We'll get a file tree listing. They'll look at it and say, this doesn't cause me heartburn. This isn't a pain point. There's nothing in here that we would know to notify on. So again, you know, that basically means we're going to walk away. Right? So what we do is we kick the can down the road, so to speak. These negotiations go one of two ways. Number one, we're either going to try to buy as much time as possible so we don't get the victim entity posted on a leak site, or we're going to go into a real negotiation and try to get the amount down as much as we can to go ahead and make that payment. So every one of these is different, and I mean different. No matter who the threat actor is, even if it's the same threat actor that we're dealing with, it's really on the client's shoulders: is this data valuable? Is it not? Are we able to recover with backups? Do we even have good backups, or do we need a decryption key? So every step of the way, we're guiding the victim entity and the client in what the best decision may be, along with outside counsel.
A
So are there any red lines that defenders should never, ever cross during a negotiation?
B
Yeah, absolutely. You never want to seem very desperate to get that key right away, because your leverage is not there. Right. The price won't go down much. You're not going to get a good amount off. And then the other red line is do not talk to these guys nasty. Do not speak to them mean. Yes, we'd like to. Not only us, but the client counsel, we would like to, you know, give them a piece of our mind. But at the end of the day, we get more out of these threat actors in the negotiations and communications by being empathetic, sympathetic and apologetic and very polite.
A
Jeremy, let's talk about timing. When does negotiation begin and when should an organization just walk away?
B
So typically the negotiations are going to begin within that three to five day range, and it really depends on the note from the threat actor. A lot of times they're going to put in their "contact us within X, Y or Z days or hours." We never want to contact them right away, though, or immediately, unless we're in a situation where the client team does not have good backups. I've seen it where threat actors were able to get the backups and delete them. So they just cannot operate or recover. When that's the case, we have to reach out right away, but typically it's in that three to five day range.
A
And is there ever a situation where you want to refuse negotiation because you know that's going to lead to a better outcome?
B
Typically, no, but there are situations where that happens. Again, we want to get information out of the threat actor, right? You know, show us the data you took, give us a file listing, you know, work with us to understand the data in play. That's really important to our executive leadership team. There are cases where the client has a really good backup environment and they have backups from the night before, the day before. They don't need a key, they don't have sensitive information and data in their environment. So they will elect not to reach out to the threat actor. But that's a very low percentage of the times that we come across that.
A
So you're dealing with criminals, and their motives are generally get as much money as fast as possible. How do you evaluate the credibility of this other person that you're negotiating with, who has already proven themselves to have, say, thrown their morals and ethics out the window? Right. They're stealing and trying to harm a business, and now you're trying to negotiate with them in good faith. Can you ever trust that they'll honor their promises when you enter into these negotiations?
B
Yeah, and that's a great question. I mean, we're asked that a lot by the client organization or the victim entity at hand, right? How can we trust them? So this sounds like a crazy answer. And I've had threat actors say the most amazing things to me over the years, things I forgot, some funny things, right? Like, hey, can you hire me? I'll work for you for free for two months. But at the end of the day, most of these cyber criminal rings we deal with, they do live up to the negotiations, right? They do live up to the agreement, because they know if they don't live up to it, right, they don't provide a working decryptor, they don't provide all the data back, or they don't give you the full listing, or they don't tell you how they got in, nobody's going to pay them in this industry. Right. So it's all monetary based. They're looking for a payment. If they do things like that, people won't pay. Right. If they leak your data down the road, people are going to know that and they're not going to pay. There are groups that we know that I will not recommend to pay. Card is one of them. Right. You know, WastedLocker is another. They're a sanctioned entity. There's a few sanctioned entities out there that you can't pay. Do not pay them, because you're going to go, you know, into litigation over that with three-letter agencies here in the States. So at the end of the day, you know, these threat actors do tend to live up to their promises. There's only a sliver or a few that do not.
A
And so you mentioned a couple of things which sound like they're experience, or they're very public. You shouldn't negotiate here because a three-letter agency will come and have a conversation with you, or more. But are there tools, or are there indicators, that Unit 42 uses to assess a threat actor's behavior to understand, you know, how much can you trust them, how much can you believe them when they say that they're going to pay or they're going to behave in a certain way?
B
Not necessarily a tool out there. I think we use metrics, you know, that not only we keep but outside counsel keep, and other, you know, payment vendors out there keep. So before a payment is even ever made, we'll get the bitcoin wallet, and there are AML checks, which are anti-money laundering checks, and OFAC checks against these bitcoin wallets, because if they show up on the sanctions list, we cannot pay them, we will not pay them, and we do not recommend to pay them. But other than that, it's a lot of just experience. Right. The negotiator, how long has that negotiator sat in the seat? How much experience do they have? I'm very seasoned in this. I've done this a lot. I mean, hundreds of them over the years, easily. And basically I kind of know who we're dealing with right away, guys.
A
So Jeremy, you mentioned some three-letter agencies come knocking. That might be one consideration. But are there ethical or other legal considerations that companies need to think about before they start a negotiation, or specifically before they pay a ransom?
B
Yeah, I mean, we can address ethical, right, as well as the legal considerations. So the ethical consideration is always, do we want to pay a cyber criminal? Why would we want to pay them? We're just rewarding these cyber criminals. So there are ethical considerations there. If we make a payment and it goes public, does that look bad on our organization or company? Right, so there is that side of it. There's also legal considerations, though, too, because a lot of times if there's a class action lawsuit, they might say something like, well, why didn't you pay the threat actor to suppress our data from being released? Right. So there's definitely both sides of the fence on that. So, you know, when you work with good outside counsel firms, we're really good at walking the customer through each of those considerations so they can make the best educated decision on their end.
A
And can you talk to us quickly about how sanctions lists and some of those legal compliance requirements impact your decisions?
B
Yeah, I mean, absolutely. So again, we use what is called an MSB to make the payment, a money service broker. Once we give them the indicators of compromise that we have from the investigation, once we give them the threat actor's Bitcoin wallet, email handles, anything that can identify these individuals, they're running these through the sanctions checks and the AML checks to make certain that we are not paying a sanctioned entity. The SamSam ransomware group, they're Iranians, cannot pay them. WastedLocker, Russians, cannot pay them. So at the end of the day, these money service brokers are really digging into anything that can identify who the threat actor is in order to make the best decision possible to either pay or not pay.
A
So I want to spend the last question here asking you about how organizations and, you know, leaders that are listening to this podcast can improve their readiness for a potential negotiation scenario. You know, it's better to be ready before it happens. Walk us through maybe, you know, the top three things that you think a leader could do, or an organization could do, today to make sure that they're ready for that conversation.
B
Yeah, I think you need to understand your data. Right. What does your business, as an overall, you know, hold or contain that would be sensitive in nature, that would give reason to even enter the negotiation with a threat actor? The next thing that I would do is, who will be the key players involved in the threat actor negotiation and decisions, if that time ever came? Is it your CEO? Is it your VP? Is it your general counsel? Is it all three? Is there somebody else that we're going to loop in here? Knowing the key players that would be involved in this is also critical. And then number three, going through a tabletop exercise, you know, just simulating a negotiation with a forensic firm like Unit 42, just so you kind of, you know, get your toes wet a little bit in case it ever happens. So you're not, you know, a deer in headlights. What do we do? Oh, no. Where? What are we going to do? So I think those are some critical things that you can do to prepare yourself, you know, in case this ever happens to your corporation.
A
Jeremy, thanks for coming on Threat Vector. I know that you're busy and you had to set aside some time in your busy schedule to come on and talk to me about threat actor negotiations. And I learned quite a bit, and I hope that our audiences have as well.
B
I appreciate it, David. It was my pleasure, and I'm glad we got to catch up finally.
A
For listeners out there that want to learn more about threat actor negotiations, or even just to read some of your work or connect, where can they reach you on the Internet?
B
Yeah, I mean, I've got a few blogs out there from Unit 42, LinkedIn as well. So if anybody has any questions, you can absolutely get a hold of me.
A
That's it for today. If you've liked what you've heard, please subscribe wherever you listen and leave us a review on Apple Podcasts or Spotify. Your reviews and feedback really do help me understand what you want to hear about. If you want to reach me directly about the show, email me at threatvector@paloaltonetworks.com. I want to thank our executive producer, Michael Heller, and our content and production teams, which include Kenny Miller, Joe Benecourt and Virginia Tran. Original music and mix by Elliot Peltzman. We'll be back next week. Until then, stay secure, stay vigilant. Goodbye for now.
Podcast: Threat Vector by Palo Alto Networks
Episode Title: Inside Ransomware Negotiations: Trust Criminals or Walk Away?
Date: March 19, 2026
Host: David Moulton
Guest: Jeremy D. Brown, Consulting Director, Palo Alto Networks Unit 42
In this episode, host David Moulton welcomes Jeremy D. Brown—an expert in ransomware incident response and negotiation—to dig deep into the world of ransomware negotiations. They dissect the process of engaging with cybercriminals, best practices for organizations under attack, legal and ethical considerations, changes in ransomware tactics, and how leaders can better prepare for inevitable “worst day” scenarios.
[02:32–03:23]
"It always intrigued me to talk to these cyber criminals...learning from one of the best at the time, and basically I've never looked back since."
—Jeremy D. Brown [02:44]
[03:23–04:22]
"Every single matter that we work, it's different, even if it's against the same ransomware group...You always have to learn something new every day."
—Jeremy D. Brown [03:32]
[04:32–05:43]
"There is a difference between threat actor communications versus threat actor negotiations."
—Jeremy D. Brown [04:44]
[05:43–06:28]
"Sometimes the more you end up talking to a threat actor, the more they give away a key detail."
—David Moulton [05:43]
[06:28–07:49]
"These cyber criminal rings, they operate as a business...they have the hackers, the bosses, and then the operators..."
—Jeremy D. Brown [07:26]
[07:49–08:59]
[08:59–09:42]
"Tabletop exercises for a FOAP threat actor negotiation is a thing, and we recommend things like that for large organizations or any organization, really, from a proactive standpoint..."
—Jeremy D. Brown [09:26]
[10:35–11:39]
"You want to keep that information really tight in a tight circle...to keep it...more of a tighter circle, if that makes sense."
—Jeremy D. Brown [11:15]
[11:39–12:47]
"Just because we reach out to these threat actors does not mean you're making a payment."
—Jeremy D. Brown [12:05]
[13:19–14:58]
"The double extortion really began to rise, you know, right around the COVID time...Interestingly enough, we're starting to see more single extortion again."
—Jeremy D. Brown [13:36]
[15:06–16:16]
"Every one of these are different, and I mean different...it's really on the client's shoulders of, is this data valuable? Is it not?"
—Jeremy D. Brown [16:01]
[16:16–17:05]
"We get more out of these threat actors in the negotiations and communications by being empathetic, sympathetic and apologetic and very polite."
—Jeremy D. Brown [16:57]
[17:05–18:41]
[18:41–20:45]
"If they do things like that, people won't pay...there are groups that we know that I will not recommend to pay. Card is one of them...WastedLocker is another."
—Jeremy D. Brown [19:54]
[20:45–22:01]
[22:01–23:24]
"...working with good outside counsel firms, we're really good at walking the customer through each of those considerations..."
—Jeremy D. Brown [22:59]
[23:15–24:14]
[24:14–25:46]
"Knowing the key players that would be involved in this is also critical. And then number three, going through a tabletop exercise...just so you kind of, you know, get your toes wet a little bit in case it ever happens."
—Jeremy D. Brown [24:42]
"Do not contact a threat actor on your own. Do not talk nasty to them. Adverse things will happen. Engage a professional negotiator that has done this many times."
—Jeremy D. Brown [00:26]
"We get more out of these threat actors...by being empathetic, sympathetic, and apologetic and very polite."
—Jeremy D. Brown [16:57]
"Most of these cyber criminal rings...do live up to the negotiations...if they don't...nobody's going to pay them in this industry."
—Jeremy D. Brown [19:18]
"Tabletop exercises for a FOAP threat actor negotiation is a thing, and we recommend things like that for large organizations..."
—Jeremy D. Brown [09:26]
Jeremy and David demystify the tense world of ransomware negotiations, stressing preparedness, professionalism, and the critical value of expert guidance. Organizations are urged to practice—before an attack—identifying what data is sensitive, who’s in charge during a crisis, and rehearsing negotiation scenarios. Despite dealing with criminals, most threat actors act in consistent patterns—and professionals like Jeremy are essential guides during high-stakes incidents.
For more info or to connect with Jeremy, check out his work via Unit 42’s blogs or reach him on LinkedIn.