
Ransomware negotiator weighs in on the extortion payment debate with El Reg

As gang tactics get nastier while attacks hit all-time highs


Interview Ransomware hit an all-time high last year, with more than 60 criminal gangs listing at least 4,500 victims – and these infections don't show any signs of slowing.

Drew Schmitt is a professional ransomware negotiator and practice lead for the GuidePoint Research and Intelligence Team (GRIT), the team that compiled the above-mentioned 2023 figures.

In this role, Schmitt has interacted with all of the major ransomware crews. The Register recently caught up with him to discuss the criminal gangs' evolving ransomware tactics, the role he plays in companies' incident response when they have suffered an infection or intrusion, and the larger question of whether ransomware payments should be completely banned. You can watch the full interview below.

In addition to the debate over a total payment ban, there's also some controversy surrounding negotiators themselves, and whether they should be regulated. The official advice from the Feds is that victims should not pay ransom demands, nor should they negotiate with criminals.

"When we're talking about these types of situations on my team, we're talking about threat actor communications rather than negotiations, because there is so much more that goes into what we do other than just making a payment," Schmitt said. "We are there to advise on risk. We are there to have conversations with threat actors, focused on recovery, rather than moving towards a payment."

As GRIT has watched ransomware gangs use "more coercive tactics" to put pressure on victims to pay — this includes releasing sensitive data and even contacting companies' customers and business partners — law enforcement is also turning up the heat via coordinated takedown efforts.

These have seen varying degrees of success, and while it's still too early to declare victory, "it proved some of the biggest names in ransomware are not untouchable," Schmitt said. "In some cases more of a short-term impact," he added, citing LockBit in this category. "ALPHV has gone through something that's a little more permanent, it seems."

Of course, only time will tell if the gangs rebrand, or their affiliates join other crime gangs, so the jury is still out on the long-term nature of these disruptions.

While the increase in size and scope of ransomware attacks has led some to call for a complete ban on ransom payments, Schmitt said the problem is too complex to be solved with a silver bullet like a ban. That might be part of the solution, several years down the road, he opined, but the reality is that eliminating ransomware will take a multi-pronged approach.

"The one piece that really sticks out to me is the incentivizing of improving security," he said. "Whether that's through things like cyber insurance, or it's going to be having the federal government provide some tooling that can help small- and medium-sized businesses, really it's gonna be providing that incentive to want to be more proactive about cybersecurity." ®
