GuidePoint talks ransomware negotiations, payment bans
GuidePoint Security's Mark Lance discusses the current ransomware landscape and the steps that go into negotiating potential payments with cybercriminal gangs.
LAS VEGAS -- As the ransomware threat increases, more victim organizations are facing difficult decisions on whether to pay the ransom and how to negotiate with threat actors to resume operations.
During Black Hat USA 2024, TechTarget Editorial spoke with Mark Lance, vice president of digital forensics and incident response at GuidePoint Security, who specializes in negotiating with ransomware gangs on behalf of victim organizations following disruptive attacks. Lance highlighted challenges enterprises face when making the decision and expanded on what goes into the process. In addition, he weighed in on the ongoing ransomware payment ban discussion, which was sparked again earlier this year as the threat increased.
Lance also shed light on changes he's observed among the most active ransomware groups. While some, like the LockBit ransomware gang, might be taking a back seat, new groups have emerged, making the threat more prevalent than ever. GuidePoint currently tracks 60 ransomware gangs.
Editor's note: This interview was edited for clarity and length.
Walk me through a ransomware negotiation.
Mark Lance: The most common way people recognize they've been impacted is they see ransom notes on the screen. Most of the notes now say, 'You've been impacted, go to this website, don't do anything with your files -- also we've stolen your information.' Then you go to the Tor site -- most ransomware groups have a webpage. From there, you enter a code, and it makes them aware of which victim it is.
When we're doing negotiations, we act on behalf of the client and say we are the client. For a while, some groups were saying, 'Don't use negotiators. If you do, we won't work with you.' But how would they know? And they aren't going to walk away. They're built to monetize.
One of the first things we do is work very closely with the client to understand what their strategy is and to set their expectations for what's going to transpire. Have you done a business impact analysis? Do you have a potential need to pay a ransom? Are you vehemently opposed to paying a ransom? Do you need decryption keys? A lot of times that strategy is, 'We need to delay while we wait for the forensics team.' We've had some negotiations where investigations delayed it about six months.
A lot of times with these threat actors, they love to give you timelines and say, 'You have to pay within four days or we're going to publish your information.' But generally you can ignore timelines once you're actually in contact with them. If they think they'll even get paid something, they'll stay engaged with you. Regardless of whether there's an intent to pay them, it's so valuable to do the communications because generally they're going to give you a file tree [of stolen data], which you can turn in to the forensic work team.
Do the ransomware groups follow through on giving victim organizations the decryptors once they've paid?
Lance: Yes, we had one last week where they provided the initial decryptor and it didn't work, so we got back in touch with them, and they said, 'Let's make sure we get you the right one.' The thing is, these threat actors have a reputation to uphold. We've seen them engage support teams internally to escalate challenges or issues with decryptors, and then they'll troubleshoot them with you. They want to make sure you get access to your data back.
We had a hospital that had access to offline backups, but it was going to take them two weeks to get access to those. The ransom amount was $2 million and they were losing $1 million a day, so it was cheaper for them to pay the ransom and get access to the decryptors than it was to access their own backups. It was a business decision for them. They were going to lose more money by not paying the ransom.
Did that attack interrupt patient care too?
Lance: They had to resort to pen-and-paper processes, but they were still able to provide services. There have been other attacks [on hospitals] that have, yes.
Do most people opt to pay the ransom?
Lance: There are a lot of reasons clients have the necessity to pay, but it varies. Some people are paying because they need access to certain systems they don't have backups for. It could be that they don't want all the information stolen posted to the dark web site. They want to do that on their own disclosure with external counsel. Generally, if you don't need to pay the ransom, we don't recommend it. We don't want to fund criminals, but there are a lot of reasons people might feel like they need to pay.
What is your stance on a payment ban?
Lance: I don't think banning payments is necessarily going to be effective in all circumstances because there are going to be reasons clients feel like they need to decrypt. When it comes to Office of Foreign Assets Control [OFAC] sanctions, there's not an option to settle with those, but there are some companies who would potentially do it. You're going to find a way. What I hypothesize is they're going to make more reporting requirements around making a payment.
Do law enforcement actions such as the one against LockBit help?
Lance: I think initially it was helpful, but then LockBit was back online in a matter of days. What's been more disruptive is putting them on the OFAC sanctions list, because now essentially there are potentially civil fines and penalties if you pay them. I think that's been more disruptive [to LockBit], where at this point, I think they're struggling to stay relevant. One of the things we have seen is there are new splinter groups or new groups that are realistically operators from LockBit and BlackCat getting together and forming new groups.
Have you observed ransomware affecting the cyber insurance market?
Lance: The cyber insurance market over the past couple of years has been interesting. I think, at first, we were seeing some trends where people were being given policies at a reasonable cost, but not a lot of due diligence was going into determining insurability -- it was more of a checklist. Then, as so many people were hit by ransomware, we saw how the insurance market became super extensive. I'm sure they were bleeding money because of the amount of insurance claims they were paying out, so costs went through the roof. I think they've normalized back down where it's not as expensive. But then the other piece is now they do have more insurability requirements and they're more well defined. They're actually going in and doing validation, which is a positive.
Arielle Waldman is a news writer for TechTarget Editorial covering enterprise security.