Ep. 3 – Insights from a Ransomware Negotiator
Logically Speaking Ep. 3: Ransomware negotiator Kurtis Minder shares tips to protect your business against ransomware.
Key Takeaways from the Episode
- The role of cyber hygiene in mitigating ransomware risks
- How ransomware affects brand perception and employee morale
- AI applications for both attack and defense in the cyber realm
- Preparing for the impact of quantum computing on cybersecurity
- Insights into the evolving landscape of cyber warfare
Ransomware Trends You Need to Know from a Ransomware Negotiator – Episode Transcript
Welcome to Logically Speaking, where we discuss the latest trends and challenges in cybersecurity with top experts in the field. Today, you’re going to learn how to keep your data safe, your operations sound, and your business ready for whatever comes next.
This is Logically Speaking.
STEVE RIVERA
Today’s guest, we have Kurtis Minder, the founder and CEO of GroupSense. It’s a cyber reconnaissance company. They deliver customer specific intelligence. They use a combination of automated and human reconnaissance to create what I’ll call finished intelligence. It’s tailored to each of their customers’ digital risk footprint. Kurtis has also successfully raised this company from the ground up. He’s got over 20 years of information security experience that span operations, design, business development. And Kurt’s become one of the industry’s leading ransomware negotiators, which we’ll talk a little bit about, which he had an interesting foray into. But this is going to be an exciting podcast. We’re going to jam a lot in a little bit of time. Kurt, thank you so much for joining us today. You and I can probably do a podcast on food and wine pairings, but we’re here to talk about cybersecurity.
Why don’t you start off by sharing with our listeners what your experience in cybersecurity is and maybe we can start there.
KURTIS MINDER
Sure. Sure. And I actually, I don’t understand why we can’t do both like the food and wine and cybersecurity. This is a new podcast format. I like this. I like this. Yeah. No, thanks, Steven. Thanks for having me. I’m honored to be a guest. So my background, you mentioned I’ve been doing this for over 20 years. Most of that was, was hands-on sort of technical stuff. I was, I did various operational roles, anything from, you know, administration to pen testing to later moved into sort of architecture and design from a security perspective. And I did that at small internet companies, and I did it at the biggest internet companies like SBC, which is now called AT&T. And then I started doing sort of high-tech startups, did a couple of those. And then the last, the last company I worked at was Fortinet, where I was responsible for their service provider team. I think you and I got connected because of that role. And then I made the questionable life decision to start a company. So that I’ve been doing this for about eight, eight plus years, little over eight years from when I started GroupSense. And just, just to get to that real quick, we started very humbly in a coffee shop. And one customer at a time, one use case at a time, we did not do the Silicon Valley sort of get big or go home route. We did the sort of pragmatic growth approach, which is the hard way, but it also allows you to do pretty creative things that sometimes in a venture environment you wouldn’t be allowed to do or it’d be harder for you to do. And most of those things are focused on, you know, sort of customer outcomes and desires, which I’m pretty proud of.
STEVE RIVERA
So a lot of our listeners are in that mid-market SMB kind of market space. And in your opinion, how does that mid-market handle cybersecurity and that ever-shifting threat landscape that we have? I mean, I know you and I have worked in so many enterprise spaces, but I know that you’ve, that the SMB is kind of dear to your heart.
KURTIS MINDER
Yeah. Yeah, no, that’s a great question. I mean, I think, I think sort of the, well, first of all, the middle market and the SMB space is the backbone of the US economy, right? And these, this is why it’s near and dear to my heart is the, the software companies don’t, don’t tend to focus on that market. It’s a hard market to reach. Venture money that the funds, a lot of the high-tech startups really fund those startups to sell into the early adopter markets, which are the large enterprise and financials, etc. As a result, a lot of the tools that are available to these, to the market are not really consumable easily by, by the broader market, the mid market and SMB. And, you know, so these, I’m very sympathetic to these folks because they have the same challenges as everyone else. They have less resources to address those challenges. The, as you know, there’s a sort of a talent gap in the cybersecurity industry supply and demand is driving that talent gap up market. Those are salaries are just too much for most folks. So it, it, it presents a pretty, you know, pretty strong challenge for those organizations to do, to do all the necessary things to protect themselves and thus the rest of us, right? Because they are the backbone of the economy.
STEVE RIVERA
Yeah, so let’s talk industry, right? So what industries are you seeing that have the least amount of investment in cybersecurity? Like what industry is really lagging in investment?
KURTIS MINDER
Yeah, it’s always dangerous to generalize these things, but, you know, my, and my sample size is what it is, right? But, but, but there are certain industries that, that kind of stand out. I would say a lot of them, there’s, there’s, there’s a long list. But if you look at some of the more sort of operationally driven industries, things like working in logistics, for example, or manufacturing and things like that seem to be a little bit behind in these areas.
They, they, those industries have sort of unique challenges as well, which I’m also sympathetic to which is, you know, where, where maybe a professional services organization, let’s say accounting firm or something similar, the systems they use are basically commoditized systems, they’re using, you know, Windows and Mac and HP printers and the basic systems that everybody is familiar with. When you start getting into these, these industries like manufacturing and logistics, you start getting into systems that are not the normal systems and you’re talking about things like product lifecycle controllers and things like that, that, that have embedded software. But the security of those systems is also critical and difficult to manage.
STEVE RIVERA
Yeah, I mean, it’s, you bring up a couple of really good points. I mean, when you think about the cyber threats and the threat actors that are out there, what, what are you seeing? What’s your team seeing that that would be unique to the mid-market, maybe more so than anything else? Is there anything that kind of jumps out at you that says this is kind of a new threat vector or this is kind of the same old routine kind of attack pattern?
KURTIS MINDER
Sure. Well, I think, you know, take, let’s just take nation state activity out of this for a moment and, and, and focus on cybercrime or, or those, those types of attackers for a second. Most of them, you know, for the most part, the best for the, for the listeners, they’re running a business, right? And just like any other business, they, they’re trying to minimize costs while maximizing profit. (07:45) And to do that, many of them have recognized that, you know, spending a lot of time attacking blue-chip companies who have spent ridiculous amounts of money on cybersecurity infrastructure and have a security operation center in house and all of these things is expensive for their time wise and resource wise when they can get access to a lot of the same digital assets, stolen data, et cetera, or similar in value by attacking organizations that are not that well-resourced. So what, where I’m going with this is that, that, you know, that many of the cybercrime syndicates have recognized that their time is better spent on a volume approach attacking as many small to medium businesses as possible. And when I say, when I talk about the data, what we, so we see just ransomware is one of our specialties, right?
So, in ransomware, you know, one of the things that the threat actors do is they take a copy of as much data from the organization as they can before they execute the ransomware. Well, what we’ve seen in those, in those sort of sample data sets is that, you know, these, these SMBs and or mid-market companies that are being attacked have some of the same data or some of the same critical data as the big organizations that they could have attacked because they’re suppliers to those organizations, right? And so they, they’re, they’re actually getting access to the same stuff or cheaper. And they’ve, they’ve recognized this. And that’s, I think that’s something, and then the last thing I’ll say about that is, yes, they occasionally are using some sophisticated tactics, but more often they’re not. They’re using very simple sort of cliche cyber-attacks that, that frankly, with the right education, you know, most of these organizations could, could protect themselves from.
STEVE RIVERA
(09:35) It’s interesting because I, we were, I just saw a buddy of mine post something on LinkedIn about RSA and he said, it was an interesting, it was about hygiene, right? Right. He saw someone leave the bathroom without washing their hands and he thought, you know, that reflects upon your company and their, their own security hygiene, right? Don’t wash your hands after using the bathroom. Right. And I thought that was pretty funny because you’re right. Some of the basic blocking and tackling is oftentimes the, the attack vectors that are used most commonly because hygiene is something that is required, you know, daily. The vigilance that’s required to validate that those things are being done on a continual fashion. People like to focus on the, the next new thing. And so the silver bullet when it comes to cybersecurity. So, hygiene becomes that much more important and, and is there a percentage in your mind that, that would protect people against these attacks if they maintain that vigilant hygiene in their networks and make sure that patching and, you know, their systems were not out of warranty or out of support. Is there a percentage in your mind based on what you’ve seen?
KURTIS MINDER
Yeah, I mean, I, you know, I hesitate to be quantitative about it, but I, you know, in the, in the attack sample sizes that we’ve seen, yeah, 95% or something. It’s so, it’s so pervasive. And this, this term hygiene is a metaphor, right? For, for, for, you know, what you were talking about, like washing your hands, brushing your teeth. And when I do these public speaking engagements, occasionally I’ll get people who ask sort of the, some version of this question where they say, well, you know, is it going to be necessary for all everyone to become cybersecurity experts? And my answer is no, just like it’s, you don’t have to be a doctor to know how not to die. Right. That’s what hygiene is. It’s like basic things that keep you alive and approachable as a human being, I guess. But I think, I think that, you know, adopting a few core things for a lot of these organizations and then maintaining that is one, it’s relatively inexpensive to do. It’s mostly an educational thing. And then two, it would reduce the risk for them, you know, a greater than 90%. And one last thing I’ll say is when you hear on the news about how the bad guys hacked into this company or hacked into that company, I like to remind people that in most cases, the bad guys did not hack it. They just logged in. They just logged in. And so if we can just prevent them from just logging in, that would be a good start, right? And that’s one of those hygiene things, right?
STEVE RIVERA
So, I want to shift gears because, because I did one of the most, you know, interesting things that you and I have always talked about are, are these your introduction into ransomware negotiating. And I know you, you, you can’t mention names, so I want to respect that. But could you walk us through a recent negotiation, you know, leave names out to protect the, the innocent, but, you know, maybe share with our listeners some of the kind of engagements that you’ve been involved in most recently that might help them to either become more aware or protect against – I shared one of your stories recently where, you know, ransomware, a company was attacked with ransomware. They went to activate their incident response playbook and it was on a device on the network that had been encrypted, right? So it’s one of those scenarios where they forgot to print out their incident response playbook so they would have it in the event of an incident. But could you walk us through one of those ransomware negotiations that you’ve done?
KURTIS MINDER
(13:50) Sure. And, and, and just to set a baseline, when we started doing this a few years ago, you know, the primary engagement was that it was what I would say through what I would call threat actor engagement or the negotiation part. Over the years, though, it’s evolved to be a little bit more comprehensive than that. It includes. So, what, what I’ll tell you what happened is, you know, we’d go into these two negotiations and the first question every victim would ask is, should we pay? And the answer is, I don’t know. That’s a business decision, right? Like, I don’t know the answer to that. Let me help you figure that out. And so we, we, in the front end of these cases now we’re, we’re helping the companies sort of fully digest what the rent, what the ransomware impact is, and then helping to the best of our ability, helping them come to a quantitative sort of decision on whether it makes sense to engage the bad guys at all. And then ideally that, that quantitative decision would also drive some kind of number like roughly a range of what they would be willing to pay to, to get out of the situation, right? The, the other part of that is there’s a compliance part. So, we got to, we got to work through that and make sure that, you know, doesn’t make any sense to engage if, if, if it’s against the OFAC sanctions, right? And so, we have a process for that as well. We then, if we go through this process with a company and we decide, yes, this makes sense, we’ll, we’ll engage. Then this meat, that’s the meat of the standards. That’s the negotiation part. That’s where I, or my team engages with the threat actors on the, on the company’s behalf and tries to drive that number down. And then, and also ensure that we’re getting, you know, what we, what we ask for the money. There’s a parallel process that we run, which involves cryptocurrency. So, in the end of this, you’re going to, you know, likely make a payment via cryptocurrency to, to a threat actor. 
Most companies don’t already have a digital wallet with a, with a balance in it ready to do this. And while, you know, you and I, Steven can open up a Coinbase account and just transfer money from our bank account. Some commercial banks aren’t really cool about that, right? And they, and they, and they actually limit the amounts and or restrict the amounts. So we need to get in front of all of that because at the end of the negotiation, the bad guys don’t care about my banking processes. They just want their money and they get really impatient. So those are, that’s all the components and remind me, because I want to come back to the beginning part with the business impact, because there’s, there’s this thing I call the ransomware blast radius. I want to talk about that, but I’ll come back to that.
(16:33) Just, you know, recent cases. Yeah. So we, I mean, the, one of the things we picked up on in very recent cases, it was, it was particularly egregious is that the threat actors have gotten quite good at their, their casing of the system. So they will, they will break in in this case that I’m about to reference, they broke in a year prior to actually executing the ransomware and they sat in just the medium size, let’s call it a governmental organization, medium size and they, they broke in, they persisted for almost a year before they actually executed the ransomware. And during that period, they, they use that time to slowly case the systems, learn where every single network component was, learn how they did their backups, get access to the backup systems. But here’s the thing that I’ve noticed that they’ve been doing lately and I think there’s been a few articles written about this. They also recognize that a lot of other systems are connected to the network. They got into the phone systems. They got into the HVAC systems. They were in the thermostats of the, of the buildings, right? They had gained access to these systems. And I’m sure that most, you know, of the listeners understand this, but all of these systems are just computers and they run operating systems, right? And they’re connected to the networks. They’re totally candidates for, for being affected by ransomware. And when they did execute the ransomware, the impact was more than, than the typical impact where you usually have the operational impact from a, from a network systems and computer systems perspective. So that, that obviously you can’t send email, you can’t make payroll, maybe you can’t ship product, perhaps things like that. But in this case, they couldn’t climate control their buildings. And those, and those buildings included things like jails. So they got prisoners in jails and they can’t, they can’t climate. You can see how good these guys have gotten at this process. 
When we did the incident response, you know, component for this, we learned that the main vector for entry was a very old Exchange server vulnerability that, that could have been patched some time ago. And so going back to our earlier conversation about sort of basic cyber hygiene and keeping these systems up to date, you know, they, they could have saved themselves a lot of headache by just following a good patch program and process. I’ll pause there and let you ask any questions.
STEVE RIVERA
No, no, that’s really interesting. I mean, I’m, I’m interested in the follow up on the comment you made about blast radius, right? But, but then I have a follow up question, which I’d like for you to give your opinion on whether victims paying the ransom is feeding the problem, feeding the beast, or should there be like a stake in the ground that, that whether it’s the government or someone says that we need to stop paying these pay, you know, these, these ransoms. I mean, so maybe we’ll talk about blast radius first or talk about the ransom payment second.
KURTIS MINDER
(19:54) So just a couple of seconds on the blast radius. So we all understand the sort of the, I think we all understand the, the operational impact of a ransomware attack. And we probably understand now at this point, as much has been written about it is sort of the next, you know, concentric circle around that is, is the sort of extortion data exfiltration impact, which includes things like brand trust in your brand, you know, customer confidence, maybe, maybe employee morale, because, because if they took PII and they’re dumping employee data, things like that. So I think we understand those, the more complicated things that sometimes like outlast the actual attack and sometimes have a longer lasting and sometimes more expensive impact are things like, well, what if you can’t make payroll for two weeks and 25% of your staff just quits. How much does it cost you to recruit, retrain and rehire for those roles? These are things that people aren’t thinking about. Intellectual property. So if you’re working in the manufacturing space, you have a product. I mean, I had a conversation with a victim at one point that really illuminated this for me. They were a manufacturer, they, they got hit and they just like we talked about the bad guys took a copy of as much of their data as possible. And in that was a, let’s call it a recipe that for their, for their manufacturing product and in that data set. And at the end, when we were kind of doing our post mortem and talking about, you know, the go forward plan, the CISO told me that his, while this was painful and expensive, the actual ransomware attack itself, his biggest concern was if that intellectual property ends up in the hands of my competitor in China in five years, I have a bigger problem. And it’s in the smaller, the company and the more critical that that sort of trade secret is the bigger impact it might have, right? And on their business specifically. 
So these are just things that we want people to think about when prioritizing protecting themselves from a ransomware attack. It’s more than just your stuff doesn’t work for a couple of days. It’s more than that. That’s a lot more than that. Right. Yeah. So I’ll stop there.
STEVE RIVERA
Oh, no, that’s, that’s really good. I think I was having a conversation with the client just the other day and they were not thinking about the cascading, like the ripple effect of, you know, some type of outage. And what we talked about was not just a ransomware attack or a cyber-attack, but anything catastrophic to their from an environmental standpoint. And this was a manufacturing plant around, you know, the food industry and they had a major operation in, in, you know, making sure that the integrity of what they were mixing and, and the food that they were dealing with at various levels, right? So there’s a physical level, there’s a logical level, there’s a cyber level. So it, yeah, I mean, you’re absolutely right. The cascading effects are, can sometimes be disastrous. In this case, they would have to shut down the entire plant if they had some challenges and then eliminate all of their inventory food wise and, and ensure that, those things were to the, you know, the regulatory levels. So, it’s, you’re right. There are so many layers. And I think that oftentimes most people are just thinking operations, making sure that things are continuing to go, but there’s brand protection and others. So that’s really good.
What about like, you know, what’s your team seeing that, that could possibly give our listeners that look over the horizon? Is there anything that you could, I know you don’t have a crystal ball. But like, is there anything that you’re seeing that are new kind of attack patterns that might be uniquely different from what you’ve seen in the past?
KURTIS MINDER
You know, other than the threat actors continue to innovate on, on the kinds of systems. Again, going back to my original comment, which was the running a business and they’re trying to figure out how to do this more quickly and more cheaply. You’ll find, you know, some articles written about some of the new attack vectors around things like virtualization, things like that. And so the, you know, the threat actors recognize, hey, we can impact more systems by attacking the bare metal sort of virtual machine operating systems, which have virtually no protection on them to begin with. And yeah, so they’re getting smarter about that. I think, you know, if I was going to say something positive, I think, you know, awareness is up. You know, the White House just released the cybersecurity strategy document. I don’t know if you’ve got a chance to review that, but you know, there’s some encouraging things in there, although, you know, government doesn’t exactly move at our pace, Stephen, but I’m encouraged that it’s getting visibility at that level. And I think, you know, we’ve seen where, you know, federal law enforcement has been able to disrupt some of these folks. Unfortunately, you know, not very many bad guys are actually getting arrested. So, they just stand a new one up, but it makes it expensive for them. And as long as we can continue to raise the bar from a protection and prevention standpoint on our side and have the law enforcement doing their part, I think, you know, it makes it harder for the bad guys.
STEVE RIVERA
(25:40) I want to, I want to tap your, you know, kind of experience when it comes to artificial intelligence, because that’s been something that’s, you know, everyone’s talking about AI, ChatGPT, spoke to someone in the industry recently about phishing attacks that are becoming highly scripted and very like almost spear phishing using things like ChatGPT that are really hard to determine whether or not it’s a phishing attack or not. But I mean, how are you seeing AI on the threat actor side, but then also being used for good to combat those types of attacks?
KURTIS MINDER
Yeah, I mean, you, you, you had some of the use cases. I mean, the very first application, you know, that the threat actors jumped on with the AI is was were the phishing campaigns. We did some experiments early on too, with, with tools like ChatGPT, where we, you know, we said, Hey, look, here’s my profile. I’m a 46-year-old male. I live in Colorado. I, you know, just describe, I’m a CEO of this company. This, you know, this is anything that you could find out about me on LinkedIn, I guess. And then we just asked ChatGPT, how would you send me a phishing email, an effective phishing email, and it was good. It was real good. I would click on that. It was really good. And so what it does is it adds a level of scale and customization to those phishing attacks that are kind of scary, the kind of scary.
Now, the second part of your question is, can we combat that? I think so. You know, that same AI technology can be used to learn about those attack tactics and automatically create protection mechanisms inside our, our mail appliances and things like that. I think those are, those are useful tools. It also helps with, you know, just general knowledge transfer for, for folks. Our analyst team uses the AI technology for explaining mitigation techniques when we send an advisory and to do that more quickly and at scale and with more detail is useful.
STEVE RIVERA
Yeah, I know that that’s, that’s interesting. And I think that the speed with which these things are being created, which used to be marked in like weeks and months are now marked in hours or minutes, right? And that’s to me, the most concerning because our ability to react to them, you know, it’s always this cat and mouse, right? Our ability to react to that, we have to be that, that much faster.
Let me ask you kind of a forward thinking, how do you think the cybersecurity landscape is going to change over the next five to 10 years, right? You and I are, I hate to say it, but we’re some of the older guys in the industry. But I mean, how do you see it changing in the next five to 10 years? I mean, you and I have probably, you know, we were in this when all the rage were firewalls and that was like, ooh, that’s, that’s so new. And then IDS came out, then IPS and then, you know, so now we’re talking next gen things and leveraging AI and machine learning. What do you think is kind of the next wave that if you had kind of let that time machine and go out 10 years, what do you think will be that next wave?
KURTIS MINDER
(29:15) Yeah, I think you could do a whole talk just on that. I mean, there’s so many things in play right now that, and you’re right, you know, I remember the first firewall that I ever installed in the state of Illinois and it was a Check Point, it was running on a Sun, no, it was running on an HP, I forget the name of that server. It was a cool bladed server that we installed. And I remember when they told me, you know, the purpose and I was like, why do you want to block traffic? Why would you want to block traffic? It’s the internet. Why would you buy something that stops the traffic? I don’t understand. Yeah, we’ve come a long way from that, right?
I think, you know, on the positive side, the technologies like AI are going to make our software smarter and make it more difficult for the threat actors to get creative and hopefully, you know, when used in the development process itself, maybe prevent us from making some of the development mistakes that create these vulnerabilities to begin with, which also the White House strategy document talked a little bit about, you know, sort of some taking some ownership, the software manufacturers taking some ownership of that. And I think AI will help with that.
(30:33) Quantum throws a whole wrench in this thing, you know, when that becomes, and it will, when that becomes a thing, encryption is going to be a whole new, there’s going to be a weird flip from today’s encryption to quantum encryption, and it’s going to have to happen quick. And there’s already a bunch of companies working on this. And so that’s going to be fascinating.
I think just from a macro level sort of cybersecurity discipline standpoint, I do think that, you know, we’re an industry that sort of, you know, accidentally appeared with the quick adoption of technology, and in for the longest time, you know, you know, it has been an afterthought from both the people writing the software and the people consuming it and so on, which has made our job frustrating at times, as you might recall, you know, like people just not getting it. But I do think, you know, in the next, you know, five years that that shift is going to happen, cybersecurity and information security is going to be, you know, part of the fundamental operations of a company.
People are going to recognize this is the new, this is the new risk landscape. And I think ransomware in some ways has a pretty profound impact on this, because if you think about, you know what’s a cyber-attack, we’ve almost forgotten about this, right? But a cyber-attack was, I don’t know, seven years ago, you know, cyber-attack was somebody broken, and they took something, and it was embarrassing. Right? That was it. They took something and you’re like, oh, man, I got to pay a fine. I got to notify somebody, you know, that’s embarrassing. And so you kind of designed your cyber strategy around not being embarrassed, you know, that’s not what this is. This is like complete operational interruption. This is like your stuff does not work, right? Like nothing works. And so that I think that’s forcing an issue where companies like, hey, this, you probably got to prioritize this from a budget and operation standpoint. I think in the next few years, that’s going to continue and grow and become part of our fundamental business process.
STEVE RIVERA
(32:41) Yeah, it’s interesting. I think that cyber insurers are starting to get wiser abo
Steve Rivera, CRO @ Logically
Kurtis Minder, CEO @ Groupsense
June 19, 2023 | 49 mins
In this episode, Steve speaks with Co-Founder of GroupSense, Kurtis Minder, to delve deep into the world of ransomware. Get exclusive insights from Kurtis as he shares his firsthand experiences as a ransomware negotiator and discover the impact of these trends on businesses like yours to learn how to stay protected.