Ep. 7: To Pay or Not to Pay (and Other Ransomware Decisions to Make)

Summary

The cost of doing business has changed significantly thanks to ransomware, but in terms of dollars and sense (how much should you pay, and what else should you do or not do?), well, there seems little consensus.

We turn to one of the nation’s leading ransomware experts for tips on what to prioritize: better cyber hygiene, frequent patching, stronger password policies—check, check, check. As for new laws forbidding ransom payments? Hmm, he says…never say never.

HOST: Maggie Miller, director of content marketing, Tanium
GUEST: Kurtis Minder, CEO, GroupSense

Show notes

Check out these articles in Focal Point, Tanium’s new online cyber news magazine, and a recent alert from our cyber threat intelligence (CTI) analysts on the debate Down Under.

• How Enterprise Is Facing Up to Ransomware
• Should Ransomware Payments Be Illegal?
• The Art of Ransomware Negotiation
• CTI: Australia Considers Ban on Ransomware Payments

Transcript

The following interview has been edited for clarity.

Kurtis Minder: Some folks in the government believe that if we just make it illegal, people will stop paying ransoms and the bad guys will stop attacking. And the fact is, is more than likely what will happen is you will drive behavior underground. If I have a choice, you know, as a small business, like, I’m gonna lose my small business that I’ve worked on for 18 years or break the law but maybe not get caught, I’m gonna probably lean toward the second one.

Maggie Miller: Hi, I’m Maggie Miller, and today on Let’s Converge, we’re talking ransomware and the key questions organizations should ask when attacked—questions like, do we pay the ransom or don’t we? How much should we pay, or should we tough it out and pay nothing at all?

Our guest is Kurtis Minder, a ransomware negotiator with more than 20 years in the information security sector.

As the founder and CEO of GroupSense, a cyber reconnaissance company, Kurtis knows firsthand how the world of ransomware is rife with contradiction. For example, many business owners believe that paying ransom is the most expedient way to get through such an attack and protect customers. But some experts claim that ransomware payments only encourage more attacks and higher demands.

In 2021, the French insurance conglomerate AXA said it would cancel cyber insurance policies of any firm that made ransomware payments. And last year, North Carolina became the first state to prohibit government agencies from making such payments. So what are enterprise leaders to do?

Well, thank you so much, Kurtis, for joining me.

Minder: Thank you so much for having me.

Miller: Before we get into the nitty-gritty of how organizations can deal with ransomware, I want to know something really basic: What is it like for you as a ransomware negotiator when you have to actually communicate with these cybercriminals? Is it hostile, is it threatening? What are these hackers like?

Minder: Well, it varies. It’s nuanced, but we refer to them as threat actors instead of hackers—there’s a positive side to being a hacker. But largely it’s templatized. They have a playbook that they go by and they have an organizational structure, much like a business. And once you do a few of these cases where you’re working with them, you sort of get familiar with the routine and the playbook. And so, while it sounds really exciting, a lot of it is mechanical in nature. Occasionally it does go off the rails or in a surprise direction, but not too often.

The other thing I’ll say is that dealing with the threat actors as part of the negotiation is definitely a challenge, sort of the meat of the scenario. But there’s a lot of trade-craft that goes into working with the victim as well. And depending on the size of the victim, that can range anywhere from office politics all the way down to being sort of a therapist, if you will, for the smaller businesses.

Miller: Wow. Well, can you walk us through the basic trajectory of a ransomware attack? So, I get in to work, my computer systems go down, a ransom is demanded. What are the first steps I need to take, and how fast should I take them?

Minder: The safe answer is, it depends on your organization. But yes, it is pretty shocking when you come into the office and literally nothing works. And I put an emphasis on nothing. Many of the threat actors have gotten very good at the disruption component.

And when you think about what nothing means, it doesn’t just mean you can’t use your computer, or customers can’t interact with you or order products, or maybe if you’re a manufacturer you can’t ship product. It also means things like you can’t make payroll and you can’t communicate with your staff electronically. So it poses a bunch of really nuanced challenges. Ideally, an organization of any size should have a plan, and they should be executing that plan. That plan is often driven by things like cyber insurance.

So if you have cyber insurance, that will dictate some of the order in which you do things.

The other thing I’ll say is that when you come across the ransom note itself—they’re sort of templatized—it’s going to have a series of dos and don’ts from the bad guys, some of which are not bad advice, but some of ‘em are sort of theater. But the ransom notes don’t actually contain the amount that they’re asking for, so you don’t actually know what the threat actors are asking for until you contact them. So there’s a whole art form about when and how quickly you do that. And it’s really based on the specific circumstances of the attack.

Miller: Wow. And we know that ransom attacks are on the rise, but how are they evolving? What’s new or different about the cyberattacks you are dealing with now compared to a few years ago?

Minder: Well, they’re always iterating and trying to get around our defenses as our defenses improve. So there’s a bit of a cat-and-mouse race from a technical perspective, from a strategy perspective. They’ve gone as far as to hire call centers to call your customers or employees to tell them about the attack, to shame you into talking to them and paying. So they’ve really stepped up the extortion part of it.

One of the things that’s frustrating is despite the cat-and-mouse race of the technical components changing, most of the attacks remain the same as a few years ago. And it’s usually some basic sort of cyber hygiene mistakes that companies are making that allow the threat actors to get in relatively easily.

Miller: One of the main jobs of a ransomware negotiator is determining what’s a reasonable amount to pay for different enterprises at different sizes. So how do you determine that?

Minder: That is a great question. When we first started doing this as a practice, we really just focused on what I would call the threat-actor engagement part or the negotiation part. But we kept getting asked on the front end of these cases, should we pay? And our answer was always, I don’t know, because that’s a business decision, and an ethics decision, and somewhat of a legal decision.

If I could walk you through the basic gates, the first gate is, does paying a ransom violate your code of ethics or your core values as an organization? That’s first. Because if it does, then obviously we’ve answered that question—we’re not going to pay, no matter what. But maybe you have priorities in your core values that say we’d rather remain in business and pay our employees, which is usually the case.

[Laugh.] And you get to the next gate, which is, is it illegal? The Treasury Department has a list of folks that thou shall not transact with. And so, understanding the legal ramifications … and now certain states are passing laws, including North Carolina, which has passed a law to say it’s illegal to pay a ransom. So we need to understand the compliance components of this. Is it illegal? So now you’re through that gate.

And here’s the really hard one, and this sort of aligns with your question, does it make business sense to engage and pay a ransom, and how much is the right amount? And that is a really difficult question because much of the attack is sort of subjective in nature and it’s hard to make a quantitative answer to that. I call it the ransomware blast radius, where we understand that the initial impact of the ransomware attack is operational interruption.

You can’t use your machines, you can’t interact with your customers. There are concentric rings of impact around that operational interruption that sometimes are longer-lasting and potentially more expensive or damaging than the operational impact itself. Some of those are obvious—we talked about the extortion part. So if they’re leaking data or contacting your business partners or employees, there’s sort of a brand or trust issue that that generates. And then there’s more nuanced ones, like if you can’t make payroll and maybe you can’t make payroll for some time and attrition occurs, what does it cost to rehire, retrain, and recruit new staff to replace those people.

That math is really hard, and to the best of our ability on the front end of the case, we’re helping companies walk through this, but it’s really up to them as a victim to decide what this is worth. And sometimes that dictates whether we engage at all, because if we come up with a number that is just unreasonable for the business, then the answer is, don’t even bother contacting the back guys at all—we’re just not gonna be able to do this and we have to find another way. It’s very complicated.

Miller: Yeah. You know, I interviewed an organization earlier this year that had been hit by a ransomware attack and they did not pay. The reason was they had a backup of all of their data, so they were able to have all of the data that they needed. They were also able to get back online safely. They had quarantined the endpoint that was infected. They were able to update every other endpoint and get back online pretty quickly.

So do you think this is basically the best position to put yourself in for something like this if it’s gonna happen?

Minder: Certainly, having a business continuity and technology approach to solving this is the best circumstance. But that often doesn’t work as well as you just described for a lot of organizations. So depending on the size of the organization, you’re already talking about everything—multiple sites, multiple networks, multiple systems—restoring that can be a very tedious and time-consuming process.

We’ve even had cases where folks initially are very confident and say, ‘Hey, look, we don’t wanna pay these guys. We have impeccable backups, we’re gonna restore.’ And I’m like, good, I don’t wanna pay ‘em either [Laugh.], so let’s do that. But then they call me 12 hours later and say it turns out it’s gonna take eight weeks to restore this and we need this thing running by Wednesday.

So it really depends on the organization and those backups, and what business-continuity processes are orchestrated on the technology side.

In my mind there’s four ways that we start to curb the ransomware problem: One is prevention. That’s my favorite because it’s like sphere of influence—it’s under our control. It’s relatively inexpensive and proactive.

Two is technology, which is what you’re talking about. Tools that can detect the threat, quarantine it, and minimize the impact.

Three would be policy. So right now, if you’re a ransomware victim, in a lot of cases you have two options: You pay a ransom or you go out of business or you pay a ransom or you lay people off. Or, if you’re a hospital, you pay a ransom or people die, which is like a real thing. Yeah. And I believe there’s room for a third option that could be driven by policy, which affords victims some subsidized recovery—a program that helps them from having to pay a ransom but stay in business. And so that’s something I’ve been working on in Washington.

The last [fourth] one is my favorite but least likely. And that is negative consequences for the bad guys. [Laugh.]. But as you know, most of the bad guys are operating in sort of unfriendly countries with no extradition and sort of unofficial amnesty from their home government.

Miller: Yeah. And I agree. This organization I spoke to, they were very lucky in the situation they were in. They said even the FBI, who they were working with, told them they were in a better position than pretty much any other company going through something like this.

Minder: Well, hopefully we can make that more the rule and not the exception in the future.

Miller: But I do like where you were going with the prevention angle. So what are some of the things organizations can do to be proactive? For example, how much can strong cyber hygiene help an organization fight off or minimize attacks?

Minder: I think one of the advantages of being on the response side—and this is true of both technical incident responders and the work we’re doing—is we get sort of to take inventory of how the threat actors gain access in every case. And if you distill those down, you find that the majority of the cases, about 80-plus percent, were sort of preventable from the beginning if they had done some basic cyber hygiene things, like you said.

It’s frustrating because most of our audience is probably technical, they’re probably cyber-focused folks. They are going to roll their eyes, and that’s OK. I’m not offended, because we’ve been talking about these things for a long time, but they’re still not getting done in many organizations or they’re not done well. Things like password policy and credential policy.

So, complex passwords, no password reuse. And when I say credential policy, what I mean is not using your corporate credentials on anything unrelated to the business. Don’t use it to create your Facebook account… or to sign up for your favorite hobbyist site, because the bad guys are getting the credentials out of those sites and using them against us.

Obviously we talk a lot about multifactor authentication—that solves a lot of problems. So if you didn’t do the first few things I said, in many cases MFA would solve that for you.

Patching—you know, I’ve been in cybersecurity for my entire adult life and I understand the complexities in organizations around patching, but I would say that even basic patching seems to still be an issue—not talking about industrial control systems; we’re just talking about people’s laptops, their Safari browsers or whatever they’re using, or their cellphones. I make this joke when I do public talks about it: I’m like, I know it’s really annoying, when you’re having a great word game, to update your cellphone, but do it anyway. And I know you’re doom-scrolling on Reddit and you don’t wanna reboot your browser, but do it anyway… And make that part of the policy and part of the cyber hygiene of the organization.

Miller: Yeah. I love these tips, and you can’t stress them enough. So how much is the cyber skills gap impacting ransomware? Some may see this as a separate business issue, but do you see connections?

Minder: Very much so, and I love this question because it’s sort of a passion project of mine. There’s a supply-and-demand issue with cybersecurity talent that leaves the bulk of the market without people to help them with their cybersecurity gaps. And that’s because there’s a shortage of talent. The mean average salaries are all at the top of the market, and people are economically driven are gonna go in that direction.

And so when you’re in the mid-market or further down, your access to real cybersecurity expertise is almost nonexistent. And it’s not getting any better. For example, for every cybersecurity incident/ransomware attack we hear about on the news, there are thousands of small businesses that get hit that we don’t hear about. But if you’re a dry cleaner or a print shop or a small accounting firm with five people, it is sort of unreasonable to expect you to understand and mitigate the risks associated with all of your technology adoption. I don’t know how my cellphone works, and I’m a tech guy. It’s a magic box, right? So to expect these people to understand all of those things is unreasonable.

So how do we get basic cybersecurity talent to those folks? I have a nonprofit that works on that problem, but I do think it’s impacting the national security of the United States and the economy.

Miller: It’s good to hear your thoughts on that. Switching gears a little bit: Last year the insurance company AXA announced it would suspend cyber insurance policies in France that reimburse companies for ransomware payments. This was in response to a request from cyber officials in the French government who were trying to stem the tide of ever-increasing ransomware attacks. What’s been the fallout since then? And has it had an effect on the situation?

Minder: I do think there’s an issue with those kinds of things, like making ransoms illegal. It’s sort of like telling your constituents to take one for the team.

You couple this with the question you asked before, which is, you’re asking people who have no capability to defend themselves to just basically die on the cross for everyone else so that nobody pays. I don’t think that’s a reasonable approach. And it’s probably going to have a larger impact on the economics of that country. So I think education and cyber skills are the right way to approach the problem rather than these punitive policies.

Miller: Could something like what happened in France happen here in the U.S.?

Minder: It’s possible; you know how politics can be [Laugh.]. I do have some hope, because I believe the folks at CISA—Jen Easterly and her team—are looking at this through the correct lens, which is more of a preventative and supporting program. And they’re driving some of that policy.

And I’m doing everything I can to educate lawmakers in the House and Senate about the reality of this and the potential long-term damage and impact from it. I think it’s incumbent on us technical experts who are in the field and in the trenches to educate the lawmakers, both locally and at the national level, every chance we get about what this is really about and what it’s really like to be a victim, and the circumstances around these attacks—like having no access to cyber talent—so that they don’t look at this as purely a negative situation or look at the victim from a negative perspective, because they’re like the rest of us.

These businesses are just doing their job. They’re doing the best they can—especially small businesses who just went through COVID and supply chain issues, and now [if they suffer a ransomware attack] to tell them you really just have to go out of business or break the law.

Then, with the legal approach to this, some folks in the government believe that if we just make it illegal, people will stop paying ransoms and the bad guys will stop attacking. But more than likely what will happen is you will drive behavior underground. If I have a choice, you know, as a small business, like I’m gonna lose my business that I’ve worked on for 18 years or break the law but maybe not get caught, I’m gonna probably lean toward the second one. I want to keep my employees and keep my investment.

And so we may end up losing visibility to the macro level of these attacks. I think CISA believes this too. And I hope they stick with it.

Miller: Well, we’ve been talking about some serious topics, and I’d like to end on a positive note, so let me just ask: What’s one of your favorite success stories? Maybe a situation where it was dire at first but things really just worked out?

Minder: Oh, we have a bunch of those, and some are similar to the scenario where the backups saved the day.

I will say that there’s always a bit of fine print on those scenarios, because the threat actors did take a copy of a bunch of data. They will sell it, or dump it, in most cases. There’s a funny side note as well, where some threat actors have such a volume of victims that they sometimes just forget [Laugh.]. We’ve had that happen, where we’re waiting for them to dump the data like they threatened, and they never do. They just forget. They’ve got 200 victims, and they move on to the next one.

Then we’ve had scenarios where we were able to convince the threat actors as a form of proof to publish the stolen files on the dark web, and we were able to pull down the most critical configuration files and things like that and restore. So we’ve had some really good ones like that.

My favorites, though, are the impact of the prevention programs and the nonprofit work we’re doing, where we’re literally helping small businesses make these changes for free, while simultaneously solving the cyber skills gap. And that’s the best, because the attack doesn’t even happen. We’re in front of it.

Miller: That is the best, and I’m glad there’s people like you out there to help us solve this problem.

Minder: Thank you.

Miller: Awesome. Well, it was so wonderful interviewing you today, Kurtis. Thank you so much for being on the podcast.

Minder: My pleasure. Thank you for having me.

Miller: I’ve been talking with Kurtis Minder, the founder and CEO of the cyber reconnaissance firm GroupSense.

If you’d like to read more about ransomware, check out Focal Point, Tanium’s new online cyber news magazine. We’ve got links to several articles in the show notes, or go to tanium.com to hear more conversations with today’s top business leaders and security experts. Make sure to subscribe to Let’s Converge on your favorite podcast app, and if you like this episode, please give us a five-star rating.

Thank you for listening. We look forward to sharing more cyber insights on the next episode of Let’s Converge.