Perhaps the only consistency with managing ransomware negotiations is that every conversation is different, noted Nick Shah, whose role as a ransomware negotiator with STORM Guidance has given him a first-person perspective into the process of dealing with cyber criminals. Every conversation needs to be judged on several factors, he said, including the speed at which a response is required.
Shah, who previously spent over 30 years in UK law enforcement, managing well over 1,000 kidnap and ransom scenarios, noted that in any negotiation, whether that’s ransomware or traditional kidnap and ransom, the threat actor starts with all the aces in their hand. It’s his job as a negotiator, he said, to try and rebalance that to gain a bit of control.
“You have to judge and assess what they’re likely to do, what their patience level is, and what their capabilities are,” he said. “If we’ve got a particularly large client with a lot of sensitive information, which is going to be very damaging to their business, then we don’t want to poke them too hard at early doors. So, we’re judging [each discussion] very differently each time.
“The way I work is that I see negotiations like a path, and you don’t start off with certain things - you wouldn’t start off talking about money, for instance, because then the conversation is going to be cut very short. You have to be cautious about what stage in that path that you’re going to bring into subjects, and I’ve done quite a few of these where I’ve never actually even spoken about money because the whole purpose was that I was trying to get more information.”
It’s not an easy path to navigate, Shah said, and it is made even more complex by the fact that cyber negotiations tend to involve the written word rather than a verbal discussion. In hostage negotiations, you can talk to the threat actors involved, which makes it easier to pick up more information by identifying tones of voice or accents. However, he added that he is also trained in analysing sentence structures, which is a viable source of relevant information.
Even when the vocabulary and grammar of a cyber criminal are strong, the sentence structure can give away important clues about whether or not English is their first language. Individually, he said, a piece of information like that doesn’t have a great deal of impact, but when it is pulled together with all the other data collected from STORM’s analytical processes, it gives a much stronger overall picture of what you’re dealing with.
“Things like what time of the day we get messages are important,” he said. “If we get messages in the UK at night and then we add on the structure of their sentences and everything else, we can say what part of the globe they’re potentially working from. That helps law enforcement to pinpoint the localities if the client wants us to share the information with them, but it also helps us. For instance, if we send a message first thing in the morning when they’re likely to be asleep then that gives us a few extra hours. It’s all about bringing all those elements together.”
Successful negotiations are about gaining and using every bit of advantage possible, Shah noted, and that includes trying to leverage any empathy that the cyber criminal may have. At the end of the day, they are still criminals, he said, but the STORM team have had some success in using incidents like the COVID crisis to show the human face of the impacted clients.
“If there’s a soft spot that we can use, then we will try and use it and we have done that before,” he said. “For things like a charity, we can perhaps use the charitable nature of the organisation and the fact that they’re assisting the wider public. So, you can - but there’s an extent to how far that will go. We have had that success during the COVID situation where we were able to prove that [an attacked organisation] was providing assistance in the form of medical care to patients, so we got them a little bit of extra time.
“There’s also the fact that it’s not just big companies that are being attacked. We’re seeing small to medium-sized businesses, some family businesses going through this, and we have used the fact that they’re not one of the big corporates, and that the ransom will destroy them. And not all threat actors will listen to that, but we’ve had some success in telling them, ‘look, the figure you’re talking about is nowhere near achievable.’”