
All right. Um, well, I traveled from Philadelphia to be here. So, very excited to get in a room and talk to everybody. My name is Matt Barnett and I am the CEO at 7X. We are a cyber security company based out of Philly. We operate mostly nationwide. We've been to 10 countries, four continents. Um, have a pretty big footprint on the East Coast. So excited to kind of travel a little bit, get out here to see you guys. My day job is I run DFIR, or digital forensics and incident response, for 7X. So I tend to spend most of my day taking intake calls, figuring out what's going on with our customers or
potential customers, how incidents happen, the good, the bad, and the ugly of all that. I've been a certified forensic analyst since 2016. So, I've seen some... am I allowed to curse here? I've seen some [ __ ], right? I've also been a paramedic, a police officer, a firefighter, and pretty much any other crisis-inducing situation. I don't know if that's just an adrenaline junkie factor or if I just have an annoying inability to say no to everything. So, you guys ever see that movie Yes Man, Jim Carrey? Yeah, that was based on my life. I'm still waiting for the royalties, but when they get here, you know, great. But how about you guys? Where are we coming in from?
Students? A couple. We're in an app place for that. How about people in IT in general? We'll call you guys the underpaid. Head nods of affirmation. There we go. How about dedicated cyber less than five years? We'll call you the unjaded. All right. My favorite group of people, cyber more than five years, the jaded ones. Right on. All right, perfect. Also, the unbothered, right? Anybody that's been in cyber more than five years knows. Don't panic. Hitchhiker's Guide to the Galaxy. How many vendors? Couple people selling stuff. All right. Right on. All right. What are we selling? Nope. 7X does that. What else you got? Tell one other one. Nope. 7X does that. What else you got?
See what I did there? The role reversal. That's awesome. Yes. I came up with that in a moment of spontaneity that nobody picked up on. Cool. All right. So, we're talking about paying threat actors, right? We are dealing with criminals across the internet. Sometimes known as the dark web, a very scary place where bad things happen, good things happen, and everything in between. How many people believe that paying ransoms is illegal? Okay. Okay. True. Sometimes it depends on the threat actor, right? Some people can't be paid. Anybody familiar with the sanctioned entities list or the OFAC list? Yeah. Pay somebody on that list and see who comes knocking at your door. So, myth number two, you don't always
get what you pay for. Rolling Stone said something. Um, there's a belief out there that you pay the ransom and then they either do the thing they said they weren't going to do or they don't give you your data back or you end up in a worse spot than you were. Sometimes that's true, but like all good business people, uh if you don't follow your own business practices, you won't be in business very long. So, we tend to see that um when you make a deal, it's upheld to the extent possible. We'll see. We'll see how that changes with uh with some defection a little bit. But there is a problem with negotiating in this world. Um
How many people here... well, we'll lean on what we know, right? EMTs, firefighters, paramedics. Any of those in here? Really? I'm never zero. Okay. Um, CISSP. Who's got that? All right. Um, bachelor's degree, right? We'll call that a certification for lack of better. But there's a concrete thing in the world that says that you're qualified to do that. There's a body of knowledge out there that you have attested to and tested. You have subscribed to that you are good at this thing and now you can do that thing because this piece of paper on your wall that you pay way too much money for says you can do it. There's no such thing like that in threat actor
negotiation. So really the problem is that I'm no more qualified to do this than anybody else in this room that I am. Right. Um, so have you ever heard the expression that good judgment comes from experience and a lot of that comes from bad judgment? Yeah, that's not how you want to learn to be a threat actor negotiator, by the way. Um, so I guess the moral of the story there is, you know, don't try by doing. Um, as Jason Statham said to his friend, but um, the other thing that I really like about this world is I hear often, why does this job exist? Should it
exist? Should you even be allowed to pay them? Right? We should just stop paying all the threat actors in the world wholesale, right? And then all of this ransomware goes away overnight. That's really easy to say until it's your business, right? It's your medical records, it's your family's business, uh, etc. that are all online and available, right? So, um, I promise you that like Iron Man, um, the day that this job is no longer needed, I will start building bricks and beams for baby hospitals. But until then, somebody has to do it, so anybody ever gotten a ransom note before? Anybody work at a company? If you can't say it, that's totally fine, too. Just raise
your other hand. Nobody's had to deal with this before. Has anybody ever seen a note that looks somewhat like this? That's a bad note. They put it in red, too. It's the worst time at like knife in the back. Um, yeah. So most times, right, the negotiation, and we're gonna focus on ransomware for this because it's kind of the most prevalent and most ubiquitous, but I have negotiated ransoms for other things like stolen software, for intellectual property theft, for, well, but by and large ransomware kind of follows a pretty defined track where we start out with an attacker getting access to the environment. They encrypt the data. They steal first, encrypt
second, send letter. Um, and it usually looks like this. What would you do? >> Yeah, you see that you just come into your email. You know, you got your coffee, Starbucks maybe, and then you see this
A little trust but verify. Yeah, that's probably a pretty good idea. Anybody else? Anybody else have a first thought? You ever hear the expression don't panic? If you saw this, wouldn't you panic? Like if ever there was a time to panic. Yes sir. Corporate. Yep. Right. Yeah, that's a good start. Yeah, they probably know less than you, but um you know, at least you say you did something. Yeah. Um Okay, perfect. So, so bad people do bad things, right? And that's why some of us have um how many people remember how ransomware started? That guy in the basement, right? Ordering pizzas, mom yelling something about um this is what we used to think of when
we thought of hackers doing bad things to come. One guy operating all by himself, good, bad, or indifferent. Sometimes it was even a girl. So if that's not what you thought, then you're much closer to where you should be. But if that's what you thought it is, very different. Our ecosystem for ransomware has evolved and threat actors have become exceedingly compartmentalized and divided up roles and responsibilities and treat it very much like an organization. So we have people deploying ransomware. We have people obtaining initial access to environments. We have people running customer support and help desk. This is a full ecosystem. And so when I said earlier that sometimes your data is safe and sometimes not
based on infection, what I was talking about is people move around, not only within an organization, different groups. So if you look at something like that, those people had to go somewhere. This is the only skill set you have, right? You're going to find yourself a new job. Why not go where other people are? You end up with kind of, you know, the Akira branch. What if you work for Conti, promised a company never hack them ever again? Now you are out of a job and end up at Akira. You remember how you got into that? And oh, by the way, that Fortinet firewall. definitely been an IT. Yeah. All right. For cyber. So if you were available or if you had
the mindset and the exploit was still available, wouldn't you go after them a second time? It's not anymore. We're keeping our totally different. So that happened.
Oh, by the way, everybody in that chain is doing it for free, right? So, everybody gets paid. That's why when we facilitate payments to ransomware settlements, you'll watch the Bitcoin just disappear, all the way down to $5. You know how many wallets you pay like $5?
Clever. >> What size shirt do you wear? You guys hear that? I think I have it. I'm just asking people random sizes.
Um, so it is kind of impressive to watch. Anybody ever heard of the group Chainalysis? Fascinating company, and not a lot of their stuff is public, but the stuff that is is pretty cool. Can actually the analysis they on the blockchain tracking figuring out are um contrary to popular belief, the blockchain not especially at the Bitcoin level. It's harder in some of the other altcoins like Monero, but for the most part,
so go from mom's basement to an organized crime ring. You think our strategy changes a little bit? Do you think what those threat actors are willing to accept as a payment changes a little bit? Think they got more firepower now? A lot of things change. Um, why would you use a threat actor negotiator? Why not just do it yourself?
>> All right. One at a time.
>> Right. Yeah. The common misconception I think is that like we're all good at everything, right? Or we tend to overestimate garbage. Um, I think I saw a statistic that was like 78% of people think they're above average. My math guy here knows impossible. Um, but you know, the inclination is, oh, I know how to buy cars all the time, but right like I can I can go in there and do it. Or what if I just want to pay it, right? They came in, they asked for 25 grand. I've budgeted 50 grand types of emergencies. No big deal, right? It's under budget.
Thoughts on
Yeah. The resources, right? Absolutely. Access to resources, access to data that's not public. Um, and right, what if it is 25, your budget's 50? What if I know I
Yeah, that's a big one, too, right? Um, what if the negotiation goes sideways and they turn around and attack more? Now you have a denial of service attack, and so now you have a business interruption, out maybe that doesn't get paid. Yeah, they're all good answers and they're probably all here. All right. What's your size? >> Mother's maiden name. Mother's maiden name. All right, you up there. I'm going to try it. What size are you?
>> There's no shot this by the way, but I just think
appreciate you guys. Be here all week. Yeah. So, you got it right. Um, >> now that said, at the end of the day, I am going onto the dark web, widely regarded for its illegal activities, and then I'm going to go negotiate with people who have done criminal things. So, that gets dangerous, right? Because there are a few things that um there are personal boundaries that I have. Um, one of which is that uh I Oh, yeah. be honest. All right. I will never lie to my client, but I will absolutely lie to But what lies I tell are very different. So, um I always go into a negotiation with a best effort. I'm gonna lock
you down as my client and have you understand that if I reach the negotiation point where their terms are acceptable, you're going to because I won't negotiate. Right? There's a lot of problems that happen when you just go into a negotiation start to buy or trying to draw it out or trying to figure out what they know. Um, I had a case one time where the client wanted me to stall. Um, they did not tell me that they didn't have any intentions of not paying. And what ended up happening was we stalled. They gave us a number. I thought we were going to accept it, the client didn't. Then all of a sudden, pediatric social security numbers showed
up on Facebook. So moral boundaries are pretty important. Wish I
You guys remember Silicon Valley?
Go watch it. Do you remember the night before TechCrunch Disrupt? Not the middle out conversation, the other one. He goes in and he like rewrites code overnight. Got a better idea. That happens to me frequently. I did that today. So here we go. Um the other thing that negotiators do is they help ensure that you're getting what so understanding what has been taken right whether the threat a script. I've seen cases where they've inadvertently lost the encryption. As a threat actor, I feel like their only job is not so we were willing to the client was willing to pay. They couldn't prove that they could decrypt the files.
Um and this was back.
Um, I'll also introduce you to all of my friends at the FBI, right? If I figure out who you are as part of the negotiation. We tend to think most actors, criminals, are international. There are still some that are domestic, and sometimes they make silly mistakes like Bitcoin wallets that have been used in other silly mistakes like putting a personal email address right now. It's actually pretty cool. We tracked a guy one time selling weapons and uh Cool little nighttime cocktail. Um, both of them for Target assassin and his later accounts were all very um, very encrypted, very multihop, veryated, very non-disclosing. Fortunately, his early generation hacker, he was a little more careless, contributed to forums, said things
should have his original told you. Okay. So, I already told you I won't think I should tell you no intention dollar not even always like to set people up for success and I can't do that if I know that I'm going into this. Um I also will not charge a percentage. This kind of goes to that charge a flat service that I added. There's an inherent conflict of interest if I'm charging a percent of money, right? So, it's a million dollars. I get you down to 750. Feels like a bad Some people will say that they'll charge a percentage of the money to save the client. I still feel like we're in a gray area. So
I also don't do hack. I'll I'll let I'll let anybody ever
take it. Get it. Awesome. Yeah. You can basically do all of the illegal stuff and government they won't pro they don't condone but they don't um and then for the same reason uh as not charging a percentage I also will not and uh I think
right um so when it comes to negotiating, um, the gentleman all the way at the top said having access to that most people don't, right? I also have access to just doing this for a long time. So, I know what credits are looking for, what they're trying to accomplish, and what they're willing to settle for kind of generally, right? What's the goal? Understanding the people that you're negotiating with on the other side of that room tells you a lot about where you're going to end up. So, if a client comes and says, "Hey, this is Akira." I can tell you almost 90% of the time that we can do about an 80, right? If it's Qilin, I can tell you
that it's probably 50%. That's kind of their hard Scattered Spider or country you guys heard of Chinese I just picture like a bunch of kids in the Netherlands wearing some like ironic are the visions I have in my 2 o'clock in the morning. But knowing who you're dealing with is going to tell you what their goals are, and if you can meet them where they're at, then hopefully you can um it's really, you know, it's funny because you think, okay, well, will you take this? No. This? No. Take this? Yes. Done. Right. It's not really that simple. Um why you pay and what you could be very different, right? Um what if you keep the data back your recovery
business recovery paying for your files? Most backups kind of prevented crazy backup back. We really don't see this happen very often. But if you are, you're in a bad spot, right? Because business is down. You're going to pay quicker and pay quicker, pay more or less, other thing that we might pay for is suppression. So if you're suppressing, that's a different problem, right? That means I've already recovered the backup and I'm just really paying and I sit here and drag that out as long as I want. And the data shows us that the longer I drag this out, the less that's one of those cases where I'm not negotiating in bad faith. I'm just taking
We got a cool site. If we have some time at the end, I'll show it. Um, all I would ask is that you don't um a spin off of typically start around a million. You'll typically be able to negotiate about But it'll take so if you're not paying for recovery drag.
Here's the cool chart that shows it. It's opposite to what you might think. What that's actually showing is that the longer the time goes, the bigger the discount. So it's not the longer it goes, the more you pay, the longer it goes.
Qilin's another one. You heard of Qilin? These guys love to blow through Fortinet firewalls
on the ask. Again, most of the time it's a hard stop at 50%, kind of where they want to be. Um, the reason that it's here at 66 is because a lot of us negotiators will do this funny thing where we'll tell the client or we'll tell the threat actor at the last that there's a transaction fee that we're not going to pay, and we'll say, "Oh, it's fine." This is like a last-ditch effort to get an extra couple of bucks off like that. All right, but ShinyHunters, these are the ones. These guys come in with these ridiculous, right? There's no reason that an 80s tracks cost $2 million.
I'm just like, I'll buy you another Xbox, but I'm not. So, bigger discount 12 days, less data on them because most of the time, and that's because they don't they don't they aren't very good at justing
Okay. So, fun story and I I leave a lot of time for questions.
Okay. I was overworked, underpaid, and um I was working with this client. They were having a hard time getting approval from management. They were Everything was taking way longer, right? So the threat actor was Black Basta. When you log into their chat portal, the first thing
get a phone. We got down to about two days and uh left on the clock and I asked going into a weekend and they reset the clock to seven. Only needed a day, but So, of course, we ran that clock all the time like a day left. Um, and then I asked them to uh give us more time. So, they gave us another seven days. Um, at this point I was wondering if they cared about um and we were we got to the end of that one and they basically said if you don't pay this time we're done. We're gonna um release the data. We're going to come after time started to get ug. I told the client that they started
getting all the the payment stuff together and uh I was on a flight back from I came down I don't know if I got CO and flu like something happened like I got homeately um I don't remember those two days all that well but I remember waking up going holy [ __ ] I think that clock ran out. I log into the portal. It is like where are you? Are you there? Like this is like text from like not good. And then finally it was like you leave us no choice dot dot dot and the clock. Sorry I was sick. Seven days show like literally you can't make this stuff up. We ended up paying
bottom line is always have a backup because not everybody got somebody keeping an eye on that thing in case. Uh all right that's basically it. Um you do a couple of things at this point to show you what actual data looks like. You have any question top row
they don't um most of the time because FBI wants data from us rather than help right but they want to know information about the event they're not going to get in there and take over negotiations they if they have data about the threat actor they'll share it with us but it's rare that I already change our
so when I negotiate on I do more personal risk or I have more exposure giving this talk than I do most of the time because I'm a low-level employee. So I spend a lot of my cover story building up that I'm from IT, and that does a couple of things. It lets me defer to management, right, so if ever I need to buy time, sorry, let me check. I always get the Um, also if organizations are dealing with the threat actor realizes part of a negoti aggressive and starting a more hostile approach negotiators in general. It started with a company that came in they would
come into negotiation were really successful at first. They would come into like this $500,000 demand and say we'll give you 10 grand, and then that's how they would and when your mom's basement right that doesn't cost that much money you take but when you got an entire network got a whole criminal enterprise you got to pay people need to get paid work 10 grand doesn't cut it anymore so that strategy has kind of fallen And now it's coming back different threat actors are just wasting time realize that the longer they have the same data we know if we drag it out we pay they know if they drag it out they get so they're trying to find ways
and one of the ways they're doing by familiar with play guys are really we can real time kind of what their average days are. But um yeah, they they'll give you 7 hours like there's nothing.
>> You kind of wonder, right? Like am I have I ever talked to the same person twice? I do wonder that sometimes um prior to ChatGPT it was always English as a second language for 90% of cases work and so sometimes you'll similar like abuses of the English language but I don't know that I've ever like definitively been able to that's
the well the propagation and some of the like the actual tactics find that are they're a lot faster. Um the English part like translation I think still um the gr the grammar is better but they still kind
of some of the same language barrier problem or they'll have um the negotiation.
Think about how cool it would be if you what if they were using a model, we were using a model, and the two of them just went in a room and figured it out. They're like, "This is the fairest option for both." No, we don't, right? We use AI in like kind of analyzing other pieces of the data like we'll analyze file trees, we'll analyze BloodHound results. We'll do other things on the forensics kind of pull the pieces together not on the question.
Yeah, right. There's no Yelp. So, what generally will happen is somebody will just come up and you know um right know it's hard to find this kind of stuff. So, a lot of times they'll m the list of we typically don't sit if it uh like any panel it's a race bottom like do sits on top right we will help a lot of our IR customerainer service red we give
haven't heard. Yeah.
Right. Yeah. Your data is never more valuable anybody else than literally. Um, now that said, sometimes the data and sometimes it's like the blueprint to so really the value of that data is what anybody's willing to pay for it. hopefully more for it process. But sometimes they just take what we call low probability. So if I exported if I exported Apple's customer, okay, that's cool. But how val address 100 million people that's already. So a lot of it comes down to what was the data taken that drives urgency.
Right. I would say so my other that I say all the time is you're never buying silence, you're buying, right? Because at any given moment that data once it leaves organiz
So, you kind of just have to go into it accepting that. And that changes the math for some people, right? Like they'll they'll spend $500,000 to delay it for a month, they wouldn't spend 10. So, success is really a measure of were you able to in the time that it took for that data to eventually, were you able to put enough safeguards, able to customer firewall replaced. It's not me. It's up with that. Yeah.
Um, it depends on if the company thinks that they can handle it. I had a client one time go And all the MSP did in that six days a bunch of that I need. Where's the domain controller? Well, we tried to restore it. What happened? Um, the trauma. Um, but my point is like sometimes like the client will call when they have the pain point or when company tell them, right? usually highly independent. No.
>> Yeah, you see that a lot with um breaches that are the result of either social engineering or a technical where they didn't fix So we had a client put in that firewall um in November, got pre-exploited in May because the third party that managed the firewall would not deploy a tech to come out on site to stand by while the upgrade happened. It was against their policy to push an update while uh nobody was so they left for a totally different. Yes.
Yeah, there's a couple of things, right? Um, solid state disks are a lot faster. The cost of backup has gone down. So, the speed to recover, your RTO and your RPOs, are coming down as your threshold for um I saw something like the uh like we kind of looked at earlier, right? The more payments days are happening for fact. Has anybody heard of delete? Like this is one of the things that ransomware tends to do is it sets off a lot of bells and as it rips through your file system modifying files it ends up getting caught, blocking itself before it's finished. But most organizations, because they've solved the backup problem, are now dealing with data.
So the threat actors are coming in they're stealing the data. doing X and then they're just deleting because what's the difference between a delete file
and your recovery for that is going back. So if you can if you can restore faster right then the other thing is it's a math problem or So if your operating cost your revenue generator is only asking for a million dollars and a resource it's like the math almost kind of falls. So we do look at that. We do look at that and again you will you'll always find there's always a company out there goes we're not we'll figure it out. We'll to deal with the loss. It's a good observation though, but payments are turned. We're going towards
Play is good. They're hard. They're hard to pin down because they'll do double entry, right? They'll come after you forion. They'll come after for extortion like closure and then they'll come back.
So we do we always validate right proof of life that's again right part of the part of the reason you want a negotiator is because we'll look at the data that they claim to have tie it back what you find that they're doing more is they're going to a previous data pulling that data out and then trying to say hey look what we just so I had one where they basically put a collage together of all these social security numbers, whatever the equivalent for that is, and all their like working papers, all that, and tried to say, "Hey, we hacked organization." Meanwhile, it's the HR system Panama that hacked months ago where all that data came from. They just assembled all
the client. That's what
No, but I've had them in a sense that we ask them, like part of my negotiation is always like prove um prove that you deleted the data, give us the description. Promise to never attack us and give us uh the um I want to know how you got it or how you think you got it. And so like you can't make this up. Um one time we got a report that said we exploited your Fortinet firewall, but the company had it seems like just happens in Yes sir.
There's a sector that's excluded more than um there and they still get hit, right? And there are still people that come after the whole striker, but um there are certain ransomware groups if they inadvertently encrypt a hospital, they will give In terms of organizations that are hacked more often, a lot of times I the ones the most are that have the Windows running people that are in customer service also get hit a lot because they're just nice. They want to help. They want to give people what they're looking for. Oh, you're from that sir
cardio one. >> Yeah. No, I have a we have a full DFIR. Um so depending on the right sometimes we sometimes we need incident response sometimes we need digital forensics sometimes right or any combination um one depending on how busy we are we'll put two to three people on it just for because um the other thing that we'll do is remediate so through partners we can help rebuild environment but um incident response tends to be its own thing. You're help you're actively navigating how to respond and then meanwhile somebody else like triage of all of our so we have a triage pack we can do dead somebody's trying to put the narrative around what happened while somebody's
trying to do on
we used but we've become pretty efficient at doing so yeah and a lot of the things have gotten like remote acquisition a lot easier all of our triage packages now go straight so the only times you really see us go on site are like hard like they literally pulled the firewall out of the
Yeah, my career path mostly I started out in law enforcement. Been a pretty bad car accident. Ended up going school for it while I was laid up. That's why I wear holy um but then that company I was working for doing they ended up getting I did the hack back that was um turned out to be a university probably and uh wel this is when I like go
Yeah, you almost have to like go somewhere and like I went to I went to a security company, did all their physical security work, kind of worked my way up, ran their also did and I started 20. We ended up catching pretty.
Yes sir. Um not being reactive. Like one of the hardest things about negotiating for yourself, it's your company. One of the reasons we advocate for using because um it's hard to not be invested in something you built or the product you built to like not take it personally when somebody insults the thing, right? Um it's easier for us to come in because we care about you, but we're pretty disconnected from situations, so we're calm and respond in a more measured way. when when you might have been I would not negotiate my
>> um no we treat them all the same. Some are more aggressive than others. I don't like play and more so um thank you for coming to my TED talk. Um, you guys, um, I don't like, and you have three minutes. Um, I don't like dealing with hyperaggressive ones because there's an anxiety component for the client more so than for me. Like, I know kind of where this goes. The logical end is always going to be one or the other. But putting that kind of pressure on a client who's already having a bad day feels kind of punitive. Um, and then some of them are just you can't pay. And if you know that going in, it makes it
really hard. um one because you can't negotiate with at all, right? Like there are there are a few that have some ties to DPRK which definitely on that list. So the minute you find that out, it's kind of a non-starter.
Think it depends on how you define winning. I mean I always get paid for what I do, so I guess I always win. Um, but no, I mean seriously, it's, you know, if the client comes out of that in the best way possible, I always tell them it's like never let a crisis go to waste. You know, if you came out of a really crappy situation with a brand new Azure AD cloud-based everything, no more on-prem change, no more, you know, OWA sitting at your public firewall that used to be a Fortinet and is now a Palo Alto, right? Like if you come out of this in a better way than you went into it, um then I call it a win.
>> So I will never confirm that as a function. It's usually done by the people facilitating. But what I do collect is IOCs. So I know IP addresses. We'll reverse engineer malware. We'll pull bits out of code. We'll look at tradecraft. We'll look at lateral movement techniques. We'll look at it's all in the data. And very rarely do we get brought in as the threat actor negotiator and not it's usually we're brought in as the IR firm, then we end up needing a negotiator
I'm happy to show anybody that wants to see it. I have a platform that gives me access to payment. So there's really only two companies in the United States that fac this kind of payment on a regular basis. One of them exposes a fee of every payment that they facilitate payments in general. So, most of them are Bitcoin, but All right, guys. Uh, I'm happy to stick around and chat with anybody that wants to, but I do want to make sure that whoever's up next has a chance to get on. Thank you.