First impressions are important, even when you’re confronting a cybercriminal.
Mark Lance, a ransomware negotiator and VP of digital forensics and incident response (DFIR) and threat intelligence at GuidePoint Security since 2022, often has to initiate interactions with his clients’ cyberattackers, using chat functionality on a ransomware-as-a-service platform or a dark-web site.
And these days, there are way more groups to track, each with their own track record of encrypting, decrypting, deleting, or posting sensitive information online. In Q2 of last year, Lance told IT Brew that he and his team were tracking 45 threat groups; today the number has grown to 71. Lance said he takes the groups’ histories and backgrounds into account during the negotiation process.
“You have to look at these groups and what their primary motivation is,” he told us.
Lance spoke with us about how the conversation begins with today’s (many) adversaries.
These responses have been edited for length and clarity.
What is your first message, and what’s important to establish in it?
It really is dependent upon the intent of what a client is trying to get out of the negotiations. They might believe they have a drastic need to potentially consider making a ransom payment. Other times, it’s about just delaying the process and figuring out what ransomware amounts are. Generally our first message, in most circumstances, is going to be more acknowledgement that we know that they’ve impacted us, and we’re opening up the channels for communication. It’s like, “Hey, we received your note. Can you tell us more about what we have going on in the environment?”
What are you trying to discover in these early interactions with the adversary?
Typically, we can ask them, “Hey, you’re asking for X amount. Why do you believe that [data] is of value to us?” And [maybe] they’ll provide a file tree and that file tree can help determine, “OK, well, here’s what information they might have.” A lot of times if encryption is involved, you might not have access to those servers…Once they got in, what did they touch? What did they steal? A lot of times those breadcrumbs aren’t there, but by having them provide us a file tree, that’s something we can then turn over to the forensics workstream and say, “Hey, where were these files located? On which systems?”
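The file-tree step described above, as an added example that is not part of the interview or of GuidePoint’s own tooling: a small script that takes the listing a ransomware crew pastes as proof of exfiltration, normalizes it, and matches each path against a share inventory to answer “which systems?” The inventory is assumed to come from the client’s CMDB or share exports; every hostname, share name and file name below is constructed. Paths that match no known share, and share names that exist on more than one host, are reported separately because those are the ones the forensics workstream has to resolve by hand.

```python
"""Scope an attacker-supplied file tree against a share inventory.

Added example; not from the interview or from GuidePoint. Everything
here is constructed: ATTACKER_FILE_TREE imitates the listing an affiliate
pastes into a negotiation chat, SHARE_INVENTORY is an assumed mapping of
share roots to hosts that a DFIR team would pull from a CMDB, DFS
namespace or `net share` exports.
"""
import re
from collections import defaultdict
from posixpath import normpath

# Constructed listing: relative paths, sometimes with a trailing size column,
# mixed slashes and a duplicate line, as pasted listings often are.
ATTACKER_FILE_TREE = r"""
Finance/2023/payroll_Q3.xlsx 1.3 MB
Finance\2023\payroll_Q3.xlsx 1.3 MB
./Finance/audit/SOX_controls.docx 220 KB
HR/employees/ssn_export.csv 4.0 MB
HR/employees/benefits/enrollment.pdf 900 KB
backups/crm_full_20240115.bak 6.2 GB
scratch/customers.csv
"""

# Constructed inventory: (share root as seen from the top of the tree, host).
SHARE_INVENTORY = [
    ("Finance", "FS01"),
    ("HR", "FS02"),
    ("HR/employees/benefits", "HR-APP01"),  # nested share hosted elsewhere
    ("backups", "SQL01"),
    ("backups", "SQL02"),                   # same share name on two hosts
]

_SIZE_SUFFIX = re.compile(r"\s+\d+(?:\.\d+)?\s*[KMGT]?B\s*$", re.IGNORECASE)


def parse_file_tree(text):
    """Return (unique normalized paths in first-seen order, duplicates dropped).

    Strips a trailing size column, unifies slashes, removes ./ and ../ noise.
    """
    paths, dropped = [], 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        line = _SIZE_SUFFIX.sub("", line)
        path = normpath(line.replace("\\", "/")).lstrip("/")
        if path in paths:
            dropped += 1
            continue
        paths.append(path)
    return paths, dropped


def locate(path, inventory):
    """Longest-prefix match of a path against share roots (case-insensitive,
    as Windows shares are). Returns every host tied for the longest root."""
    target = path.casefold()
    best_len, hosts = -1, []
    for root, host in inventory:
        root_n = normpath(root).strip("/").casefold()
        if target == root_n or target.startswith(root_n + "/"):
            if len(root_n) > best_len:
                best_len, hosts = len(root_n), [host]
            elif len(root_n) == best_len:
                hosts.append(host)
    return hosts


def scope_file_tree(text, inventory):
    """Map each pasted path to a host; keep ambiguous and unmapped paths
    separate so forensics knows what still needs manual resolution."""
    paths, dropped = parse_file_tree(text)
    by_host, ambiguous, unmapped = defaultdict(list), {}, []
    for p in paths:
        hosts = locate(p, inventory)
        if not hosts:
            unmapped.append(p)
        elif len(hosts) > 1:
            ambiguous[p] = hosts
        else:
            by_host[hosts[0]].append(p)
    return {
        "hosts": dict(by_host),
        "ambiguous": ambiguous,
        "unmapped": unmapped,
        "duplicates_dropped": dropped,
    }


if __name__ == "__main__":
    result = scope_file_tree(ATTACKER_FILE_TREE, SHARE_INVENTORY)
    for host, files in sorted(result["hosts"].items()):
        print(f"{host}: {len(files)} file(s) -> collect volatile data and logs")
    for p, hosts in result["ambiguous"].items():
        print(f"AMBIGUOUS {p}: candidates {hosts}")
    for p in result["unmapped"]:
        print(f"UNMAPPED {p}: not on any inventoried share, check for rogue shares")
    print(f"duplicates dropped: {result['duplicates_dropped']}")
```

The output is the hand-off list for the forensics workstream: hosts that definitely held the listed data get prioritized for evidence collection, ambiguous share names need a second source (file timestamps, share-level audit logs) to pick the host, and unmapped paths are a hint that the attacker reached a share the inventory does not know about.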
How long do these interactions usually last?
It generally happens over the span of days to weeks. It’s not generally in a matter of hours. These kinds of communications occur over an extended period. Again, it’s the level of urgency; how frequently we’re responding is contingent on what we’re trying to get out of the negotiation itself.
And what is being negotiated exactly here?
One of the things that we need to determine is what are the terms of the negotiation: Are we trying to get access to decryptors? Are we trying to ensure that the information won’t be published to their dark-web site? Are they going to give us the method of ingress and how they actually got into the environment?...We try to get agreement with the cybercriminals: “Hey, if we make a payment, here’s what we expect.” We expect access to decryptors, or we expect that this information won’t be published, and we want indications that it’s been deleted. Realistically, can you expect them to fully delete it and not retain that information? No, these are still cybercriminals…Of course, the ransom payment itself is negotiable as well.
Would you say it’s best for organizations to pay or not pay?
We are complete advocates for not making a payment if it’s unnecessary. It is our responsibility as consultants to educate clients on what will potentially occur or what can potentially transpire and the associated risks of paying or not making a payment. But ultimately, it is up to the client…We are not in a position where we think anybody should be funding cybercriminals or these types of organizations if they don’t have to.