There are a good many “tells” that the ransomware gang doesn’t fully grasp how negotiators operate, despite threatening to dox data if victims simply call for help.
The Ragnar Locker ransomware gang just put its victims on notice: Simply call for help – be it from investigators, the FBI or ransomware negotiators – and the punishment will be the publication of encrypted files.
Bryce Webster-Jacobsen, director of intelligence operations at digital risk protection/ransomware negotiators GroupSense, said there is reason to believe much of this should be taken with a grain of salt.
You can see why, from the gang’s perspective, it is a great deal: Scare victims enough and they’ll self-isolate. They won’t enter into negotiations, and they won’t have any experts whispering in their ear about counteroffers. It is an equation that spells fatter profits for the crooks, in theory.
But the warning raised a few questions. First, how serious is the threat? How obvious is it when negotiators step in to help? Ragnar Locker’s note, posted to its dark web data-leak site, promised its so-called “clients” that the crooks have enough experience to tell if a victim is being coached and would interpret victims’ requests for help as “hostile” actions.
Don’t even try, they said in broken English. We’re too slick to be taken in by those negotiators:
“So from this moment we warn all our clients, if you will hire any recovery company for negotiations or if you will send requests to the Police/FBI/Investigators, we will consider this as a hostile intent and we will initiate the publication of whole compromised Data immediately. Don’t think please that any negotiators will be able to deceive us, we have enough experience and many ways to recognize such a lie.” — Ragnar Locker’s dark web note.
But to even out the discussion, we asked for a ransomware negotiator’s take on the warning. GroupSense’s Webster-Jacobsen dropped by the Threatpost podcast to tell us what percentage of Ragnar Locker’s warning is bluff and what, if anything, security teams should take seriously.
First off, Webster-Jacobsen noted that back in the day – as in, when ransomware negotiations were in their infancy and there were some unethical actors milking the situation – these kinds of warnings were actually warranted.
“It’s not the first group that we’ve seen post warnings about working with ransomware negotiators,” he said. “The one … warning that we’ve seen in the past was mainly about working with ransomware negotiators that are, you know, working unethically and taking advantage of the victims.
“And unfortunately … in the early stages of this industry … there’ve been some groups that position themselves as ransomware negotiators, but really are there to sort of take advantage of the situation that a company finds themselves in and try to profit off of that drastically,” he said.
Download the podcast here, listen to the episode below, or scroll down to read a lightly edited transcript.
Lightly Edited Transcript
Lisa Vaas: Welcome to the Threatpost podcast. I’m your host, Lisa Vaas. Our guest today is GroupSense’s Bryce Webster-Jacobsen, director of intelligence operations at GroupSense. GroupSense provides digital risk protection from threats across all environments and offers, among other things, remediation and threat engagement, including serving as negotiators in ransomware attacks.
Bryce, welcome to the Threatpost podcast.
Bryce Webster-Jacobsen: Thanks for having me, Lisa.
Lisa Vaas: Sure. Would you like to give our listeners a little bit of your background?
Bryce Webster-Jacobsen: Yeah, absolutely. So as, as you mentioned, I’m the director of intelligence operations at GroupSense. So my role is to oversee and manage our analysts and research teams that are working with our clients to provide cyber threat intelligence, digital risk protection services, as well as serve as one of our ransomware negotiators. So I am conducting and advising on ransomware negotiations and working with clients that have experienced ransomware attacks, crafting our strategy and then negotiating with the actual ransomware groups. So it is a very diverse workload, but I really enjoy it. And I have been with GroupSense for coming up on two years now.
Lisa Vaas: Great. I’m glad you enjoy the work. It sounds interesting. Now I wanted to ask you about the recent warning from the Ragnar Locker gang, which is to publish compromised data if its victims dare to call the police or the FBI or investigators, or to engage with ransomware negotiators. Before we get into that news, could you give me some background on how negotiation works?
I mean, does the negotiator typically make their involvement known to the attackers or…?
Bryce Webster-Jacobsen: It varies from case to case. Some negotiators will notify the ransomware group that they’re working on behalf of the client. Others will not. We have used a mix of those strategies, and there are numerous benefits to both sides, but generally speaking, we don’t make it known that we are a professional negotiator when working with the negotiator or working with the ransomer.
Lisa Vaas: Do you think that this is a serious threat that victimized companies are going to heed?
Bryce Webster-Jacobsen: I would certainly hope they don’t. I, it doesn’t appear to be a serious threat to me. And there are a couple of tells in the Ragnar Locker statement: first, that they conflate ransomware negotiating services, cybersecurity professionals who are conducting ransomware negotiations, as being affiliated with law enforcement or FBI or, quote, investigation agency. And that is just not correct. To my knowledge, there’s no direct involvement with the FBI or police and any of the ransomware negotiation companies.
GroupSense does not operate as an affiliate of any law enforcement agency. We’re not deputized by the FBI. We certainly are not off working on their behalf. So that’s one tell to me that this is mostly a threat, a veiled threat, by Ragnar Locker, to try to prevent victims from working with experts and advocates who can help them navigate the breach and navigate the attack.
And from Ragnar Locker’s perspective, they want the victim to be left on their own. So that they maybe feel the pressure. They don’t know the tricks that the threat actors are trying to pull on them and they can end up paying more money on the ransom. And from Ragnar Locker’s perspective, that means bigger payouts, faster.
Lisa Vaas: That makes sense, that they don’t want anybody talking to a negotiator, in order to maximize their profit.
The group’s note stated that they have a lot of experience and can figure out if a victimized company is working with a negotiator that may be affiliated with law enforcement. Does that sound credible, that a sophisticated threat actor could tell if there is a negotiator helping out?
Bryce Webster-Jacobsen: Yeah, I do think that’s credible. If a ransomware group is sophisticated or has been operating in this space for a while, they are going to be able to tell the difference between victims who are potentially conducting negotiations on their own [versus] those that are working with a professional negotiator or with cybersecurity experts.
So that was, that was one part of their statement that I did think was true. I don’t know if that’s just a threat to bolster their claim or to bring more credibility to their claim, but I do think that they have some indication that that ransomware victim is working with the negotiator.
Lisa Vaas: Alright. I would ask you what the indications are specifically, but I wouldn’t want you to show your cards.
Bryce Webster-Jacobsen: Right, right. I would say generally based on the tone and tenor of it. Yeah. Of the negotiation, the cadence of the negotiation. I would say there are some tells in there for a ransomware group. From the negotiator side, it’s obvious to us when we’re dealing with more sophisticated, smart groups versus less experienced ransomware affiliates or someone potentially running a tool, a software or a package that they’ve bought off the dark web.
So it goes both ways, right? We’ve dealt with difficult negotiations where the ransomware group seems very professional. And I’ve made remarks to some of my colleagues in the past that sometimes I feel like I’m negotiating against myself because they are using some of the same techniques that I might use if I were in their, in their position.
Lisa Vaas: Fair enough. If you were going to guess, would you say that other ransomware groups might try to adopt the tactic? I mean, even if it’s 80 percent bluff, it seems like a good tactic from their standpoint.
Bryce Webster-Jacobsen: Yeah, it’s a good question. I have actually been thinking about that since yesterday.
It’s not the first group that we’ve seen post warnings about working with ransomware negotiators. However, in the past, the one, I guess, warning that we have seen in the past was mainly about working with ransomware negotiators that are, you know, operating unethically and taking advantage of the victims.
And unfortunately there have been a few of, in, in the early stages of this industry sort of bubbling up there. There’ve been some, some groups that, you know, position themselves as ransomware negotiators, but really are there to sort of take advantage of the situation that a company finds themselves in and try to profit off of that drastically.
And so I have seen warnings from ransomware groups that came to pass. Now, I haven’t seen a warning like Ragnar Locker, where they claim that if you’re working with a ransomware negotiator and they catch you in that, or it becomes obvious, that they’ll release all your data and, effectively, that tanks the negotiation at that point.
You know, that’s really the end of the negotiation. So I haven’t seen that particular threat. I don’t know if, if more groups will follow through. I think more groups will follow suit and post the same threats. I do see some other, you know, some potential that other groups will post warnings: “I’m working with ransomware negotiators,” or try to begin to call out companies that are working with ransomware negotiators. But I don’t know if we’ll see the same threat that they will, the ransomware group will end negotiation and post all the files.
Lisa Vaas: I jotted down a question I wanted to ask you, and I know you’re not going to answer it, but I’m compelled to ask it anyway. Will negotiators change counseling strategies at all in light of the warning?
Bryce Webster-Jacobsen: I don’t know if in light of the warning. We’re constantly updating our advice and our counsel to our victims as they, as we, learn more about ransom groups.
And as we, as we have experience with these groups and as the ransom groups change their tactics. So we’re constantly updating, I think this warning certainly is another data point that we have to consider in the advice. But we don’t have one approach that we use in every negotiation, and we don’t have one approach that we have used since the beginning.
We’ve been evolving our tactics and evolving our negotiation strategies, and evolving the advice that we’re giving to our clients.
Lisa Vaas: Of course, since threat actors evolve their own TTPs, negotiators and investigators do the same. We’re sort of running out of time here, Bryce, but before you leave, I, I did want to talk a little bit about REvil’s reappearance.
Is this at all surprising, or is this just what happens?
Bryce Webster-Jacobsen: What happens. I’m not particularly surprised that some of their infrastructure has now come back online. You know, we’re still waiting to see what the next move is, but we’ve seen ransom groups that fold and reappear and morph over time.
Some of the operators will cash out and some members of the crew will evolve into a new group. They might be making improvements to their malware. That’s the ecosystem for them. They joined forces with other groups and other teams. So I’m not surprised, especially because when they went offline, we didn’t see any notifications or indications or statements that law enforcement was involved. There were no reported arrests. There was no reported seizure of any of their cryptocurrency, no reported seizure of any of their infrastructure. So I’m not that surprised that they are back, and it’s been a few months, and that’s generally the timeline, you know, they’ll go away for a few months, regroup, and, you know, probably spend some of the money that they’ve been able to take, and then they come back.
Lisa Vaas: They’re taking a vacation while the weather’s nice. You guys were negotiating this weekend, weren’t you?
Bryce Webster-Jacobsen: We have been pretty busy this fall, or the late part of this summer as we start into the fall. So yes, we have been pretty busy in the past several weeks and months.
I hope it slows down. I honestly do. I, I wish that we didn’t have to have this part of our business, but, you know, until we can, we can make effective changes sort of on the policy and advisory level and practice level. Then I think we’re going to have to continue to do that.
Lisa Vaas: It’s unfortunate that you need to, but I’m glad somebody is out there doing it.
Well, thank you so much for your input, Bryce. It’s been a real pleasure to have you on the Threatpost podcast. Thanks for coming on.
Bryce Webster-Jacobsen: Thanks for having me, Lisa.