The Hacker Mind Podcast: Tales From A Ransomware Negotiator

Say you’re an organization that’s been hit with ransomware. At what point do you need to bring in a ransomware negotiator? Should you pay, should you not?   Mark Lance, the VP of DFIR and Threat intelligence for GuidePoint Security, provides The Hacker Mind with stories of ransomware cases he’s handled. 

VAMOSI: Four days after the Russian invasion of Ukraine, on February 28, 2022, members of the Conti ransomware group began leaking information about the internal operations. Conti, with ties to Russia, came out in support of Russia. However, the rank and file of Conti were in Ukraine, had a different opinion, and decided to speak up against Conti in and in favor of Ukraine in a Twitter account named Conti Leaks.

The account owner wrote: “My comments are coming from the bottom of my heart which is breaking over my dear Ukraine and my people. Looking of what is happening to it breaks my heart and sometimes my heart wants to scream.”

Over the next few weeks, chats from encrypted Telegram, and other communications were leaked. And it became clear that Conti was a large and otherwise well functioning criminal organization. It had its own recruiters, HR, Fiance, and in addition to engineers, there’s a team of customer support members. 

Check Point Software reported that Conti:

• Salaried workers — some of whom are paid in bitcoin — plus performance reviews and training opportunities
• Negotiators who receive commissions on paid ransoms
• An employee referral program, with bonuses given to employees who’ve recruited others who worked for at least a month, and
• An “employee of the month” who earns a bonus equal to half their salary

It would appear to be structured like any other tech company today. But, unlike legal tech companies, Conti fines its underperformers, punhsing them for coming in below expectations.

One other thing: the Conti source code was also leaked, allowing security companies to create their own decryption services for anyone infected with the Conti ransomware.

All in all the Conti leak  ripped a veil off of the often mysterious process involved with ransomware creation and operation. Information that would be useful to a ransom negotiator, like the one I’ll introduce you to in a moment.

{Music}

VAMOSI: Welcome to The Hacker Mind, an original podcast from Forallsecure. It’s about challenging our expectations about the people who hack for a living.

I’m Robert Vamosi and in this episode I’m going to talk with a ransomware negotiator I ran into in the hallways at this year’s RSA Conference in San Francisco.You hear a lot of  talk about ransomware as a technical attack, but what’s it like to be on the inside dealing with that situation. In a moment, we’ll find out.  

{Music}

VAMOSI: Maybe you’ve seen on TV or in a book where someone is held hostage and the law enforcement team calls in an expert on negotiation. The same is true with ransomware. Affected organizations will call in an expert.

LANCE: My name is Mark Lance, the VP of DFIR and threat intelligence for GuidePoint Security.  GuidePoint provides security consulting services to our clients responsible for all reactive Incident Response proactive threat discovery, our retainers, IR advisory services such as tabletops, Purple team exercises, playbook development, Ira plan development, as well as threat intelligence services including maturity assessments and you know, threat intelligence as a service portfolio. I manage the teams that do all of it. So I'm responsible for the teams that actually do the reactive incident response, but also the negotiations.

VAMOSI: Perhaps it’s best to set the stage by talking about the current threat landscape. Are Ransomware attacks getting worse? Getting better? Or staying roughly the same.

LANCE: So within the last year, within 2022, we did see a reduction in the amount of ransomware that we were seeing whether that was attributed to the Russia Ukraine conflict or other things we can only hypothesize the end again, just speaking with peers amongst the industry, whether it was more reactive incident response or whether it's, you know, cyber insurance carriers, they were seeing less claims year over year as well. By no means. Does that mean that there was no ransomware occurring? It was still very active within the last year, just not at the volumes that we were seeing in previous years. Now, that being said in 2023, specifically in q1, we've seen a substantial increase specifically in q1 where it is resuming back to pre 2022 volume so within q1 alone, we've already seen over a 25% increase in the amount of ransomware that we've seen.That's the volume of incident of incidents, publications that we're seeing inbound requests for, you know, assistance responding to an incident, you know, negotiations requests, those types of activities.

VAMOSI: And does this distinguish between criminal and nation state?

LANCE: We do. So we we categorize threats into multiple different groups, typically, by their motivations, nation state in a party are generally going to be more motivated by information. And criminal groups are typically going to be monetarily motivated. And so with ransomware, we would put it in the criminal category, we track over 30 Different ransomware groups. They're associated name and shame sites, and when there are publications to those sites, what the associated verticals are to those clients who've been published and, you know, track all those accordingly, from an open source perspective, but also, you know, responding to incidents for them as well.

VAMOSI: We hear about a lot of commercial targets, but there are also non commercial targets of ransomware as well, such as the Colonial Pipeline. Do these non-commcerial infrastructure targets get asked to pay ransom or Are there reasons that you alluded to just shutting down disrupting operations? Is that enough?

LANCE: I think, again, when we're talking about cyber criminals and criminal threat groups, their motivations are monetarily driven. I think where you start talking about more disruptive and specifically intend to be disruptive, you're generally going to see that from activist groups who are maybe trying to push an agenda based on political beliefs or religious beliefs or anything else, where maybe they want to have a desire to shut down an organization to, you know, show they're at their, you know, against whatever their message is. Similarly, you might see nation states who would perform more disruptive attacks, where they're actually looking at, you know, bringing down infrastructure versus criminal organizations where at the end of the day, their primary driver is monetizing their efforts and making money. So I think, in most circumstances, criminal groups are are after making money versus just strictly being disruptive

VAMOSI: What are some other types of Targets?

LANCE: So, different criminal organizations like to target different types of organizations themselves or victims. We know that there are some groups that do what would be considered maybe whale hunting and they're going to go after the larger targets and in larger payments, then you've got some of your smaller groups are just looking for volume. We know that you know, manufacturing is an area that we've seen a lot of targets over the last quarter. Again, because if you bring down manufacturing operations, there's a high impact to the business and necessity to recover quickly. So we again with certain criminal organizations and groups that we track, some of them we know will target certain industries and they will say, healthcare as an example, had they have a necessity to recover quickly because without operations in healthcare, it could lead to loss of life, it could lead to major complications and so those specifically target throughout healthcare, but then you've got others who have, you know, their their ethical obligations, according to them, where they specifically won't target health care or, you know, during COVID-19. We saw where they wouldn't target, you know, companies that were working on vaccines. But again, then you've got the other ones who see that as an opportunity and another switch to flip or a lever to pull so that they can get paid, which at the end of the day, that's their primary motivation. So we do see where it is, you know, it is really dependent upon the criminal organization as to who they typically like to target.

VAMOSI: This isn’t always how ransomware has been. Early on, it targeted individual personal computers.

LANCE: So within the last couple of years, what we saw is just the continued evolution of ransomware threats. Initially, it was well, depending on how far back you go, you know, initially it was more opportunistic targeting individuals. Then they transitioned over to organizations realizing that they're generally going to have more money, you can pick one organization versus 1000 people and make the same amount. And the continued evolution of the threat, you know, over the years was initially about operational impacts, and, you know, causing operational impacts in an environment which would then hopefully result in a ransom payment in order to get decryption keys or tools that would allow you to restore and recover your environment. Obviously, organizations gotten smart to that and they started doing offline backups securing their backups differently, so that they would continue to have access and availability. And so that's when you know threat actors within the last couple of years transitioned into the double extortion model, which is where prior to actually performing the encryption event, they're going to find what they believe to be sensitive information and steal that data from the environment. And so, a lot of times once the encryption occurs, that's really the final stage. Of the of the incident. And they've already gotten into the environment. They, you know, establish persistence, multiple ways to get back into the environment. They found what they believed to be sensitive data and then they perform the encryption. And then ideally from their perspective, if the operational impacts aren't enough to justify a potential ransom payment, then extorting you for release of that data is something else that they try to leverage in order to get that ransom payment. And so what you can expect is that once you see the ransom note, if you don't establish contact with them, they're eventually going to publish the name of your organization on their name and shame second, and then after that initial publication, they will start leaking that data and releasing that data for people to to download if the ransom payment isn't there.

[music] 

VAMOSI: So, an organization finds that there's a screen saying your data has been encrypted. What's the first step? It says the contact and there's some channel that's been established?

LANCE: Step one is freak out. No, I'm just kidding. So, the you know, what, that will be the most common way that people realize that they had been impacted by ransomware. To your point is that they find a ransom note. Within that ransom note. It will have a link to a tour site. You know, a lot of times a specific key or a unique site that you go to, which essentially notifies the threat actor that you are aware that it's occurred and initiating the conversations and essentially the negotiations. There are other instances where emails are sent. We had one instance recently where they were emailing from an internal account to members of the of the senior leadership team for that organization and saying, Hey, we've stolen data from your environment, you need to make a ransom payment, go here and do this so that we can initiate communications. But generally most of the interactivity between the threat actor and the client or somebody like ourselves, who are going to be performing the threat communications and negotiations, or is going to be through some sort of chat portal or platform that they're using.

VAMOSI: Telegram or Signal?

LANCE: So we have had a couple of threat actors that had use telegram but in most instances, there is some sort of channel or chat capability within the platform that they're using. There historically, one of the one of the groups that we got a lot of insight and visibility into was content, because during the Russia Ukraine conflict they initially came out and they said, you know, we support Russia, but then a lot of the, you know, people who worked for the organization were in the Ukraine, and so they started leaking information, SOPs, Bitcoin wallets. And so we got visibility into a lot of the capabilities and platform that they use. And so you can see where they've got very established work users. I've seen no better service desk capabilities in some of these criminal platforms. Then you would actually see working for an organization where you can see, you know, the specific, you know, client or victim that they're working with and then the details about the specific victim as well like this many servers were impacted encrypted, this many workstations, here's how much data we steal, here's what type it is, and then have that full kind of chat capability built into the platform where they can, you know, monitor and see the current state of the the communications and and they've got the full, you know, history there to interact with the victim.

VAMOSI:So there's also another another variation that I've heard, which is they only encrypt the first eight bits of the data, kind of smash and grab it's a very quick thing and oftentimes they don't do the offloading of the data. It just tried to extort, move on.

LANCE:  So one of the things that we've actually seen is even recently, we've had multiple clients that the encryption never even occurred. They're just stealing the data specifically within q1. We've had multiple incidents where they did not do any encryption. And yet, pardon me, they did not do any encryption, and yet they perform the data exfiltration and attempted extortion through the through the data that taken now. Again, we have to hypothesize sometimes on why they potentially didn't do that. We have no one circumstance where they ran into what appeared to be challenges trying to get the ransomware binaries, binaries to execute other instances, you know, they're so they're so nice. They've said things like, we could have encrypted your environment, but we did you the favor of not doing that. And instead we're only going to extort you for the information that we steal. So would that is something we've seen in the game across multiple clients within the last three months where that encryption event never occurs in their working strictly off of the stolen data and attempted ransom payment for that.

VAMOSI: So it was the eight bit that I heard about, is that rare. So it's exactly eight bits. Yeah.

LANCE: So the method of quick encryption that used to occur previously, I think was for ability to expedite the encryption process and make it occur as quickly as possible with with but again, causing as much operational impact as possible. So sometimes when you are, you know, you don't need to encrypt everything, you can just encrypt the first portion of it to basically corrupt the files and information that you have. And so it is it just a more effective and efficient way to damage an environment without having to, you know, take a long time for that to be deployed or implemented.

VAMOSI: Should you pay?

LANCE: I think that there's always going to be reasons that clients would justify needing to make a ransom a lot of times, it could be that they don't have available backups, and they aren't able to recover operations without the assistance to you know, a decryption tool. Other times, we've got clients, we've got clients that have we've got clients that have experienced the encryption event, and it's on specific systems that they find critical. And without access to that information or those systems, they're not able to continue to operate. So in those circumstances, they've said, Hey, we need to pursue a decryption capability because we have to get access to that to that information or that system, or else we're going to have to shut our business. Other times, we've got clients who consider it because they want to, they want to perform the disclosure on their timelines versus the threat actors timelines, so they will actually pay the ransom in order to not have it publicly released, work with counsel on what their internal and external notifications and disclosure requirements are, and do it on their own timeline versus having it published to the threat actor website beforehand. So lots of different reasons that clients would potentially make a ransom payment. And I think ideally, if you have the opportunity and don't need to fund a criminal organization through a ransom payment, I think most people would like to avoid that. But I think that there's you know, again, there's always going to be reasons or justification and, and instances where clients will have to make a payment.

VAMOSI: So there's a lot of preparatory work before a ransom attack, as you alluded to, like the data gets encrypted and exfiltrated before you actually see the notice on your screens. Does that include surveying the company and getting a baseline as to how much the ransomware could possibly get from that company? How much extortion?

LANCE: Absolutely. So when we're talking about these criminal organizations, there's a level of sophistication that a lot of people don't realize that they have. They have financial analyst who will go out there and they will review organizational information. They'll look at the market cap, they'll look at stock prices, they'll look at the size of the organization. They also then evaluate the information that they've taken from an environment and then they will tie that into what they believe the ransom amount should be. So I think there's sometimes some preliminary work from ransomware actors who do more targeted operations at specific organizations, but then even once they get in there, they're leveraging what information they have and access in details. They have to make a determination on what that ransom payment should be. 

[MUSIC] 

VAMOSI: So, you’re an organization that’s been hit with ransomware. At what point do you need to bring in someone like Mark?

LANCE: So, when an incident occurs, one of the first things that you should do is if you have somebody on retainer, or if you've got, you know, an incident response service provider that you'd like to use, contacting them. In addition to that, the other people you should be contacting almost immediately is external counsel, so that they can provide you with recommendations based on the output of some sort of incident response investigation. So the sooner we get a call from clients the better because we can provide them with recommendations on how to one contain the threat and then the steps that, you know should be taken. Trying to balance restoring operations with not damaging forensics and ruining any sort of potential artifacts that are available within the environment. So pardon me, the sooner they can get a hold of us the better because we can provide directions on you know, yes, you could start rebuilding these systems. You need to start limiting access here you need to perform these types of activities in parallel to retaining this information so that we can figure out how they got in, potentially identify what information was touched and access, what all their persistence mechanisms and backdoors are. So the earlier the better.

VAMOSI: Does Mark typically work with insurance?

LANCE: we work closely with insurance. We work closely with external counsel, when we're working in incident response effort, whether that's through AI, whether that's performing the incident response, investigation and forensics, or whether that is to actually perform the negotiations. Majority of time we will actually be working for counsel on behalf of the client. So you'll do a three party sale where, again, we're working for counsel on behalf of the client trying to maintain as much privilege as possible, in case there's any sort of litigation.

VAMOSI: And then there are examples where the ransomware operators are not serious about the ransom-- NotPetya, for example. Payment really wasn’t the point of that attack. Are there others like that? 

LANCE: I think there are. We have awareness to certain cases where the ransomware is being performed or the encryption is being performed as a diversion to some sort of targeted attack. That's, in a lot of circumstances going to be more of your nation states in AAPT, related, you know, threats, and it's going to be where maybe they're important performing the encryption in order to make it look like it's some sort of criminal activity, when in reality, their true motivation was to get in there and steal data. We also have to make a lot of kind of guesses or try to determine what motivations are because you know, we're the ones investigating, we're the ones trying to understand, you know, what the motivations are and why things occur. But really, only the people on the other side know that unless they, you know, specifically tell you otherwise. But yeah, to your to your point, I think there are instances where the negotiations are the whole ransom piece of it don't seem as legitimate and you can almost tell that maybe that it wouldn't be the primary motivator because they're not as driven by actually getting the ransom payment or potentially even negotiating in order to make sure they are going to make some sort of money versus you know, those were, in most circumstances when it's a criminal organization, and they've performed some sort of ransomware operations in a client environment. If they know that there's the opportunity to make money again, they're driven monetarily. So they're going to do whatever they can to make some sort of money off of the off of the operations and the level of effort that occurred so long as they know they're not going to that they're going to make something they're not generally going to walk away.

VAMOSI: And then in terms of payment, what is the preferred method these days, Bitcoin still using 

LANCE: Bitcoin?

VAMOSI: Why Bitcoin and not Etherium or Mineiro?

LANCE: No. Pure bitcoin is generally the way that we are still seeing or we're, you know, we work with brokerage firms actually assist with making the ransom payments. And bitcoin is still the method of payment that we're seeing across almost all of our engagements. We have had that we have had a couple instances where they will request us some other alternative means but in most circumstances, it's always Bitcoin. I think I mean, it's, it's a viable solution that is easily anonymized through, you know, different wallets and everything else. You can very easily determine you know, what the current price of Bitcoin is and adjust your ransom amount based on the current price of Bitcoin, as well as, in a lot of circumstances it's easier for clients to retrieve or procure Bitcoin than it is other types. of cryptocurrency.

VAMOSI: So once it's paid, it's immediately tumbled or mixed into something else and therefore, the blockchain becomes obvious after you skated and all that.

LANCE:   Yeah,we try to you know, obviously there we have to track certain Bitcoin wallets for OFAC sanctions and purposes of you know, inability to pay certain types of threat actors based on the directives that had been provided by the Department of the Treasury. So we do track various Bitcoin wallets associated with certain groups and can't make payments to those groups. But to your point, I mean, you can once a payment is received it's going to be pushed through multiple wallets, distributed across multiple wallets, to try to prevent the ability to really determine who it is.

VAMOSI:  In some cases the ransomware is in millions of dollars. Do organizations that choose to pay have trouble getting that much BitCoin on short notice?

LANCE: it so generally, it's not about an inability to get the amount of bitcoin it's more about their inability to fund the Bitcoin itself. So we haven't run into challenges where they can't actually procure the Bitcoin. We're in if an organization and this is not something I would recommend, if an organization is trying to do this themselves, but don't have the experience than he didn't it might be tough to try to procure the actual Bitcoin itself in the volumes that you need in a timely manner. That you expect. That's why you would use a, you know, a brokerage firm that can actually assist with, you know, not only procuring the amount of bitcoin, sending it over doing the appropriate OFAC sanctions checks in the due diligence that would be expected with making that sort of large payment otherwise, you can make a single mistake if you're not familiar with this kind of thing. And next thing you know, you get paid the wrong person or it's much harder to try to get your money back.

[Music]

VAMOSI:  As Ransomware cases grow in number, there’s more and more work for negotiators. Certainly the criminal organizations are aware of people like Mark. In general, how do they feel about working with a negotiator?

LANCE: do not want you using negotiators they were they would prefer to leverage the inexperience and the lack of familiarity. Then work with somebody who has worked with all the different threat actors and has the experience negotiating and knows all these things. So in a lot of circumstances, threat actors have even said if you work with a negotiations firm, we're going to go ahead and publish your information. They've even named certain firms, but it would be their preference, and they commonly don't want you using negotiators. And then even if you know some of the groups have even said that if you use negotiators it's going to avoid any sort of potential to make the ransom payment.

VAMOSI: So there’s a bit of subterfuge necessary. Mark and his teams have to act as though they are part of the organization.

LANCE: Yeah, so they, we always are taking on a persona of the client. We're working for me on behalf of the client. We're never referencing the fact that we are a negotiator and has been hired by the client. Now, there's always the potential that you know, and we're taking precautionary measures and, you know, performing our due diligence to make sure that they don't recognize that but, you know, there's always the potential that they have access to email and could see email communications. That's why we take steps to use encrypted email or you know, other channels for communication. If the threat actor is doing any sort of monitoring, but we never disclosed that we are a negotiator versus working for the client directly.

VAMOSI: As one would suspect, each negotiation is unique, so Mark and his team has be agile, has to respond in the moment.

LANCE: So when you go to perform a negotiation, there's multiple motivations behind initiating communications with the threat actor. There's value in communicating with a threat actor, regardless of whether there's any intent to make a ransom payment. And that's one of the things we do is work with clients beforehand to establish a strategy based on what their desired outcome is, is there a need to make a ransom payment and get decryption tools? If so, how quickly do they want to do that is their time to attempt to negotiate. But part of the other things we need to do is we need to get you know proof of life and proof of decryption. So we want to ensure that if the ransom payment is made, that they actually are going to be able to decrypt the files. We also want to do things like try to get file trees from them, trying to get confirmation on what they have stolen that they believe is so sensitive, and then that can be turned over to external counsel and turn it over to your forensics work stream. Because your forensics team now knows what systems go look at based on where the location of that data was. And a lot of those systems might be encrypted. So we didn't have forensics artifacts to determine that. Alternatively, it helps, you know, external counsel to you know, say this is the type of information that was potentially stolen and might need to be disclosed and can adjust the kind of disclosure requirements from there. So there's a ton of value in initiating those conversations, to feed your forensics workstream to feed external counsel regardless of whether there's an intent to actually make payment. Another one of the primary reasons we do that with clients is it allows them to delay so that we can, you know, continue to perform the forensics investigation, ensure that we have identified how they got in where the backdoors are located. And then again, allows them to actually prepare and ensure that they're not going to continue to be impacted, but also due to disclosure on their own terms versus it being clubbed should I name it same shame name and shame site. So there's a lot of different you know, justifications and reasons for engaging with them regardless of actually making a payment.

VAMOSI:  All this makes me wonder what skills are necessary to have as a negotiator?

LANCE: I think similar to you know, any other type of job or role you're looking for specific types of skills from your resources that are performing these types of activities. One of the things that that we are very specific about is approaching things logically and very strategically. Obviously, when you have a major incident, it can be very emotional, because you might be angry, you might be upset and sad that this has occurred worrying about your job. There's a lot of different emotions that go along with incident response. And so what we do is we come in and, and unfortunately or unfortunately, I'm not quite sure we do this daily. So we we have the experience of educating the client on what to truly expect and what the impacts of certain actions could be, what certain considerations are and things that they should be doing. So one, we're there to be informative, and so you've got to be able to communicate and be informative to clients. But then you've also got to help them establish a strategy like you might not know immediately based on our questions what you want to do, you might need more time to validate the the ability to recover from backups, you might you know, need more time to determine if a ransom payment is even an option and to speak with your senior leadership. So you might not all know all those questions up front, but we can establish what the strategy initially is, and then adjust that based on what the client's requirements are. And I think that's, that's really what's necessary is the ability to communicate effectively establish expectations. work very closely. collaboratively with clients, establish a strategy stick to that strategy. And then it's it's really just kind of ability to effectively communicate. So I mean, we've obviously studied and, and have, you know, gotten background about different types of negotiation tactics and skills, but I mean, I think a lot of it comes down to the strategy and what the motivation is, and then we can approach the threat actor in our communications accordingly.

VAMOSI: And I wonder if someone outside the typical computer science fields transition into something like this?

LANCE: A lot of the members of our team come from various types of backgrounds. We've got a ton of people who had experience in law enforcement, others with military backgrounds, others who had been IT administrators, and those I would say, tend to be some of the more common backgrounds of people or people who have gotten General it experience understand maybe how networks work, understanding how things communicate online. A lot of people with administrative backgrounds, from network administrators to you know IT resources that had been made the transition into more of a cybersecurity focus.

[MUSIC]

VAMOSI: Of course, given the nature of his work, Mark has stories.

LANCE: Oh, man, I've got all sorts of crazy stories. 

VAMOSI: I asked him if something stood out. 

LANCE:  So for me, we do obviously a lot of criminal work. I think where it gets extremely interesting is on the nation state nabp side. I would say one of the more interesting things that we ever saw is we had a client that we were working with, and they said they had an unhackable solution, which is obviously never the case. So that's a bad starting point for them. But we go into work with this client. And the reason that they engaged us was they were seeing inbound authentication successful to their environment for remote users, but it was on demand authentication and so they weren't seeing where the outbound authentication codes were being issued, or even the inbound requests for those authentication codes. 

VAMOSI: So right there, this seems like some kind of authentication bypass. How should it work?

LANCE:  So typically, it would go request an authentication code. Client then sends that back over to the user with the authentication code then they use that to authenticate those two first steps we're missing. So we're only seeing successful inbound authentication. And they're like we don't know why. 

VAMOSI: This is where Mark’s team puts on their investigation hats and drills into the network, looking for any reason why this would be. 

LANCE:  Come to find out through our research through our investigation, they've gotten in through a partner through a you know, a trust in a partner a relationship, a threat actor had, they had identified a backup of the Remote Access Server exfiltrated that when we assumed that it up in a lab somewhere and started just issuing their own authentication codes, and able to successfully access the customer environment. And once they're in I mean, Jim, typical to any other type. of threat. Once you're in and you have access, you leverage the tools that are available in the access as long as you've got, you know, privileged credentials and, and continue to try to fly under the radar as much as possible

[MUSIC]

VAMOSI: There’s a site that has best practices for orngazations that have been hit with Ransomware. Obviously the best situation is not to be in that situation. I asked if Mark had any key takeaways?

LANCE: By no means is implementing the basics going to prevent any sort of major attack. Generally, if a threat actor wants to get into your environment, they're going to find a way always dampening will work when it's that loud. as a second is there too given now? That's a second. Hopefully there's not a third. But I think it's by focusing on the basics. It reduces your exposure to a larger set of risks. There's, you know, a lot of threat actors out there that if they see things like oh multifactor authentication is enabled or if they're not able to easily fish you. They're just going to move on to the next target. That is, you know, going to be easier to get into the environment. So focusing on those basics can help prevent you from being impacted by some of the more opportunistic threats and and really just, you know, limit your potential exposure to risk. So focus on the basics MFA privileged access management, have, you know, some sort of endpoint solution but then also have people looking at things. I can't tell you the amount of clients that we work with the head of every solution known to man and capabilities, but nobody's paying attention. And so, you know, either they're impacted by ransomware, or there's a threat actor that's been present in their environment for two and a half years. So really just a focus on the basics is my key thing for clients to help try to prevent some of the more generic threats or commodity based threats.

VAMOSI: When you say doesn't get all the important solutions possible. It's a tower of Babel, they're just getting like, a lot of data but there's no synthesis of it, no analysis of it. It's,

LANCE: it's, we've had multiple incidents, even recently, we worked where clients have appropriate visibility, but they don't have people who maybe have the right skill set and so they will mark them things as false positive or the visibility that they have hasn't been appropriately configured and set up so they're not seeing the things that they should. So it's a wide variety of things from, you know, having the appropriate visibility, having the right people in place and the processes but if you're going to invest in all these tools and solutions and resources, make sure that they're actually using things and taking a look at them. 

VAMOSI: I’d like to thank Mark Lance for sharing his insights into the world of ransomware negotiation. It’s interesting to see how this has moved from ransoming a personal desktop to ransoming large organizations. Clearly, the criminal hackers are in it for the money … and they’re lazy about how to get it. In a few years, they’ll move on to something else, but for the time being there are people like Mark who can help organizations navigate their incident response to a ransomware attack.