Last week, the servers of ransomware giant REvil vanished.
Many applauded as dark-web (and clear-web) sites used to support the backend infrastructure of REvil, aka Sodinokibi, as well as to leak victims’ data, slipped offline early Tuesday morning.
Not REvil’s victims, though. They’re now stuck, many midway through negotiations, without the decryption key they need to unfreeze their data and their businesses.
As far as REvil’s disappearance went, it wasn’t clear whether it was a bust or whether the threat actors did it on purpose. As it was, the heat was intense: The group’s hit list had recently lengthened with the addition of Kaseya and its many managed service provider (MSP) customers, as well as the global meat supplier JBS Foods, Days before, the US government had rattled its saber at Russia, the group’s home base, with President Biden declaring that if Russia didn’t do something about the ransomware players in its midst, the US would.
Regardless of whether the group decided to lay low for a while or whether its servers went offline for any other of the numerous possible explanations, REvil’s victims weren’t any better off.
Gone were the servers used to negotiate extortion payments. That left an untold number of businesses up the river without a paddle – from huge, well-resourced Fortune 500 firms on down to florists, law firms and other tiny outfits that lack the IT resources to drag them out of the ransomware sinkhole. For going on a week now, their businesses have been crippled, ransomware negotiations have been severed and they’re left with no decryption keys to unlock their operations.
Kurtis Minder is chief executive of GroupSense, a cyber reconnaissance company that provides ransomware negotiation services. On any given day, his firm is negotiating two to three extortion demands. On the day that REvil’s servers went offline, one of his clients – a law firm – was 80 percent through the negotiation process. Fortunately, they hadn’t paid for a decryption key. But now, they’re stuck, as so many others.
On the Friday after REvil’s servers went kaput, Minder joined us on Threatpost podcast to delve into the “What now?” question that’s facing ransomware victims left in the lurch.
Download the podcast here, listen to the episode below, or scroll down to read a lightly edited transcript.
Check out our free upcoming live and on-demand webinar events – unique, dynamic discussions with cybersecurity experts and the Threatpost community.
Lisa Vaas: Hello, this is Lisa Vaas, host of the Threatpost podcast. In today’s episode, I’ll be speaking with Curtis Minder, chief executive of GroupSense. GroupSense is a cyber reconnaissance company that provides ransomware negotiation services. Curtis is the guy everybody turned to when the REvil ransomware gang disappeared in the wee hours of Tuesday morning. Many have lauded the fact that REvil servers went dark, given that it’s one of the most notorious and active ransom gangs out there.
But as Curtis pointed out the servers going offline. It wasn’t all sunshine and roses for REvil’s targets. Organizations were left in the lurch, unable to pay the ransom, to get their data back and their businesses running and stuck without the decryption keys, they need to unlock their files. Welcome.
Curtis, it’s a pleasure to have you on the Threatpost podcast.
Kurtis Minder: Thanks for having me, Lisa.
Lisa Vaas: Well, first things first: Have the REvil extortionists made any attempt to reestablish communications with you since their servers went offline?
Kurtis Minder: No, no. And, and our team has been , monitoring the underground communications amongst the community.
And there’s lots of theories being thrown around about what’s happened here, but the actual, REvil team has not surfaced that we know of.
Lisa Vaas: What do you think about the most likely scenario? It’s so hard to tell if it’s law enforcement or they’re, , switching sites or what.
Kurtis Minder: Yeah. I mean, this is not terribly uncommon. These actors kind of come and go; they reboot. I mean, you look at groups like Babuk, who’ve done several of these in the past and rebranded several times. I think they rebranded last week as ramp. Okay. So this is not uncommon for them to disappear.
Although it is a little out of character for REvil, REvil being one of the more prominent and, and vocal of the of the actor groups. But yeah, so it could be, it could be law enforcement. It, the, one of the theories being talked about in the underground forums is that that Russia did in fact shut them down.
But none of this has been confirmed.
Lisa Vaas: Well, Russia says no.
Kurtis Minder: Russia would say that; that’s what they would say.
Lisa Vaas: Well, according to the New York Times, GroupSense was in the midst of negotiating with – everybody pronounces it differently; I’ve heard “REE-vil. And now you’re saying “R-evil.”
Kurtis Minder: Even amongst our team, we say it differently.
Lisa Vaas: We can’t even agree on how to pronounce their name. You should ask them that when you’re next in negotiations. Anyway, you guys were negotiating with the REvil extortionists on behalf of a law firm whose data was locked up when the servers were taken offline.
Could you tell me a bit more about the law firm and where they were at in that ransomware saga?
Kurtis Minder: Yeah, I mean, these things tend to be pretty playbook-oriented, both on our client’s and on the threat actors’ side, having dealt with REvil in the past, we kind of know what we’re getting into.
We kind of know how long it’s going to take, what they’re going to say: It’s a very script-driven organization. So that being the case, I would say we were 80 percent done with this thing on behalf of the law firm. We had already come to sort of an agreement on a number that was appearing to be feasible for the victim, or close to enough anyway. So we were feeling good about how it was gonna conclude, but as that didn’t happen. The silver lining is that we didn’t transfer a payment. And it didn’t happen between the transfer of the payment and the decryptor receipt.
And if that was the case, we would have also lost the payment and not gotten the decryptor. If I have to paint a silver lining, I guess that’s it.
Lisa Vaas: Yeah, that’s something. So I guess they’re now stuck in the midst of trying to scrape together things from backups, or can you not even talk about that?
Kurtis Minder: Yeah. I mean, so a lot of times the victims will have backups. In this case, the backups were also wiped out. But several of our victim cases, especially the professional services oriented [ones], businesses are able to recover a lot of their data just from email. And so they’re able to look back in their email history and pull documents that they’ve sent or so on.
The thing that’s difficult for them to recover and they can’t recover via things like email is the billing systems, right? Because our professional services are billing by the hour. All the client information is in there. The number of hours is in there, all that stuff’s in there.
That’s the thing that’s difficult to recover.
Lisa Vaas: Tell me a little bit about what a ransom negotiator does for their clients.
Kurtis Minder: First and foremost, we’re acting as a mediator between the victim and the threat actor. That’s the primary position we play in the scenario, but when we’re engaged, initially, what we bring to the table is a lot of information about the adversary.
And that information is anything from threat intelligence information about that group, but also about their playbooks: how often they settle, what they settle typically at, are they honorable? Do they actually honor the settlements? Lots of intelligence that we’ve gathered both from from our core business, which is an intelligence business, but then also from doing negotiations.
And then as part of that, we’re trying to inform the victim. Enough that they can make a business decision on whether it makes sense to proceed at all with the negotiation, or if they do decide to proceed, we will lead that negotiation. We allow the client a full access to every communication and they approve it. Every communication. So they, they can veto and change the messaging.
Although we will advise them if we think it materially changes the strategy or outcome. So full transparency between the client and us: As we’re talking to the threat actor, we’re providing that operational layer of security and then from a negotiation sort of intelligence perspective, what we bring to the table is some expertise on the negotiation strategy itself. This is a little bit different than buying a car or negotiating in general, just because of the threat actor.
We can’t read their tone, their body language. And they speak English as a second language. And that’s really important because you have to understand that the words you choose have to be very deliberate.
And you have to think about how those words will translate in their native language. Because a lot of times they may be just cutting and pasting what you say into Google Translate. And if that translates incorrectly, you can mess the whole thing up. And so you’ve got to think about that. And then in the end, once we’re finished, we play a role in helping with the cryptocurrency component, as well.
We do things like OFAC compliance checks throughout the process that includes that on the front end, but also on the backend with the digital wallet. So lots of little technical things that we’re doing in between, and then of course documenting all of this so that afterwards, this can be presented to the cyber insurance company, the law firms, etc.
Lisa Vaas: Right. Can we generalize to say how long these negotiations tend to take, or does it differ greatly depending on the size or any other attributes of the victimized organization?
Kurtis Minder: From our purview, it does differ quite a bit. I’ve seen some numbers thrown out about average time of impact of something like 14, 16 days of outage.
But I haven’t seen a number on average length of the actual negotiation. I would say if I had to guess, like, just throw a dart at it, I would say, , four to five business days is kind of the mean average, but our clients, the victims, vary from very small businesses all the way up to Fortune 500 companies. The Fortune 500 companies can afford to stall and wait it out a little bit more than the small businesses can, sometimes.
Lisa Vaas: That makes sense. So small businesses tend to be more amenable to paying the extortion?
Kurtis Minder: I don’t know if they’re more amenable, but they’re more vulnerable. They’re more likely to lose their business. They don’t have as many choices, where a larger company usually has the resources to sustain for a little bit longer.
Lisa Vaas: When this went down on Tuesday, you asked a question that I think a lot of reporters, including myself, didn’t delve into in their coverage. Namely, what’s the plan for the victims? I suspect that was a rhetorical question, but seriously, are there any options for victimized organizations at this point?
Kurtis Minder: If I had the answer to that, I’d probably be really, really busy right now solving people’s problems. Oh, man. Yeah. I am busy now, but not for other reasons. But basically, I think that question was really guided alongside the theory that, if it was a US government operation, I would hope they would have considered collateral damage as part of their operation and maybe have a plan to distribute keys.
Efficiently and quickly, we’d like to think. Like, right after the Kaseya thing where we’re talking about an unusual number of victims that are probably impacted, although I think there’s likely a single key that can decrypt all of those. My thought was like, ‘Hey,’ [I was] asking on the forum that I had to the US government, ‘Hey guys, what do you, what’s the plan here?’
Because I know there’s a lot of small to medium businesses that are probably, especially after Kaseya, that are probably suffering right now.
Lisa Vaas: And the US government said what to that?
Kurtis Minder: We cannot confirm nor deny that we’re involved.
Lisa Vaas: OK. Next question: what empowers larger organizations to choose another path besides paying ransom?
Kurtis Minder: Well, a lot of times when you see larger organizations, like the Fortune 2000+, these companies are going to have an IT staff, a security staff, they will have money to throw at IT consultants, cyber insurance, etc. All those tools put together give them a little bit more leverage when it comes to recovering.
Alongside the one that we were doing for REvil, we were doing one for another company that was quite large. And it was not an REvil attack. It was actually Xing [a ransomware group linked to a pipeline attack on LineStar Integrity Services, hacked around the same time as Colonial Pipeline], they also go by Quantum Team, I think. We were doing [ransomware negotiation] for [this client], and they were able to recover from backups.
So it’s just the resources and the capital that they have at their disposal that gives them much more leverage than a small business who may not even have a single IT person on staff, or if they do, just a handful, not enough to rebuild everything quickly from scratch. If you have a lot of people around you can rebuild, right?
Lisa Vaas: How many clients are you negotiating for at this point?
Kurtis Minder: It varies, it goes in waves.We certainly don’t do the volume of some of the other negotiator players that focus solely on negotiation.
Nor could we, because we’re not big enough. But with any given day, we’re probably handling two to three at a time. Sometimes that goes up and the spectrum of the victims is all over the map. Our victim clients come to us via law firms or cyber insurance companies.
But we do have a fair number of organic inbounds that Google and find us and call us, or fill out a form on our website. Those tend not to have cyber insurance or a law firm representing them, and they tend to be a little bit smaller-profile. It kind of runs the gamut.
Lisa Vaas: What’s your opinion on cyber insurance? I mean, I’ve heard opinions that it’s causing this spike in ransomware, or at least that it’s not helping to suppress it.
Kurtis Minder: I don’t see it necessarily as a cause. But yeah, to your point, as long as we continue to pay these [extortionists], it’s not going to help suppress it. but. I think it’s a useful tool for companies to mitigate risk, just like any insurance policy would be.
I met with the leadership of a major carrier yesterday. The landscape is forcing them to rethink how they insure these companies. You can imagine the insurers who had a lot of the policies for the MSPs and or the flow-down customers of Kaseya, they’re probably looking at their actuary tables right now and going, oh, shoot.
I think it’s a necessary tool. It’s a useful tool. The insurance carriers are now rethinking how they’re going to handle this. And they’re starting to build in risk mitigation as a contingency on the policy.
So they want to see. They’re not going to just send you a questionnaire about whether you have firewall and endpoint software anymore. That’s not going to be how it works anymore. They’re going to check, they’re going to have some tools to actually check, to make sure that you’re doing what you’re supposed to be doing from a due care perspective as a customer.
Lisa Vaas: I’m a bit taken aback that they haven’t been doing that already.
Kurtis Minder: Some of them have, but a lot of them have been using sort of transactional tools to do that. That would be like your scorecard tools. What I’m hearing from them directly, from the leadership of these cyber insurers, is that those tools don’t align directly to risk very well. They give you a point in time snapshot of which machines are currently vulnerable to which vulnerability, and maybe patch cadence, or that sort of thing, but they don’t really give a full picture of the risk of an organization.
I’m not saying they’re throwing those out, but they’re saying like, look, these aren’t sufficient to measure risks. They didn’t really do anything for us from a risk perspective or risk measurement perspective as it relates to ransomware, for example.
So they’re looking at a lot of other ways to do that and tools to do that. And they’re collaborating, they’re creating data-sharing groups and things like that among the insurers.
Lisa Vaas: Well, that sounds like a reasonable thing to do. Kurtis, I’m going to let you off the hook really soon now. Before you go though, any tips for businesses that don’t want to wind up needing negotiation to pay ransom?
Kurtis Minder: Yeah, that’s a great question. Obviously we take inventory of how the threat actors gain access in each of our cases. And I can say it does boil down to some pretty simple cyber hygiene, things that I I think are preventable. I hate to keep picking on them, but they kind of deserve it. So I’m going to pick on Colonial again. If you look at what happened at Colonial, it was a combination of the three major security faux pas, right?
It was: One, a VPN concentrator with no MFA. That’s a big one. No multi-factor authentication: A user inside the organization who used their corporate email address on a third-party site and used the same password as the password they used in the corporate site. And that third-party site got hacked, and that credential ended up on the dark web.
They did not see that. That guy just logged into the VPN concentrator. You can’t even really call that hacking. They just took a credential off the dark web and logged into the VPN concentrator. And of course that’s not going to set off any security alarms. The third thing I heard is that, that user credential had not worked at the company for some time.
[But] they didn’t decommission the user. So there’s like three major, completely preventable things. Now, credential monitoring on the dark web, which is something that, frankly, we do, … is freely available. You can find out when your credentials end up on the dark web. A company the size of Colonial, I would expect them to have been monitoring for that, and it would have caught that credential and blocked it. MFA would have blocked it. Decommissioning the user would have blocked it. So certainly, starting with the shortlist of things.
MFA, good password and credential policy – obviously, having complex passwords and managing that as a policy, but then also having a policy that says ‘Do not use your corporate credentials outside the enterprise for anything personal or social media,’ etc., because those sites get hacked all the time and [attackers go on to] use those credentials for credential, stuffing, phishing attacks, things like that.
And then of course monitoring for those things. When the user does do it, you wouldn’t have any way to know until it happened. Right? So as an enterprise, you need to monitor for it. And when it happens, reset that account and make them reset their password, send them an email and say ‘You violated policy. Don’t do that.’
And just keep slapping them on the hand. I would say, out of the cases that we worked, that remote access credential reuse problem is probably like 60, 70 percent of those things. Of course, patch your system. You can get the MDR software on your endpoints, some basic things.
And I think if you check those boxes, you’re probably above 90 percent protected, and that’s it. And that’s one of the things I’ve been focusing on. With some of these responses that the governments have, it’s, ‘Should we make paying ransoms illegal’? And I say, No, no, no, you’re just going to punish a victim.
If we just take the calories we’re spending on that and focus on education, prevention and maybe even a program around that also a program around recovery. Give small businesses a third option where the option right now might be go out of business or pay a ransom.
You can also say, go out of business, pay ransom, or we’ll help you recover. And maybe [make that a] government-subsidized program or something similar.
Lisa Vaas: I like it. Well, if anybody’s listening, maybe you’ll have fewer customers in the future. I don’t want to curse you by saying that, though.
Kurtis Minder: I would be perfectly happy not having any ransomware clients.
Lisa Vaas: Well, that’s all the time we have. Thank you, Curtis, for shedding light on what happens to victimized businesses when their tormentors go up in a puff of smoke. It’s been a pleasure to talk with you.
Kurtis Minder: My pleasure, Lisa.
Lisa Vaas: And listeners, thank you for tuning in. If you have questions or comments, we’d love to read them in the comments section. Ditto for podcast interview recommendations: Who do you want to hear from, and about what?
Finally, make sure to join us for future podcasts. I’m Lisa Vaas, over and out.