https://www.theregister.com/2021/09/03/how_to_be_a_ransomware/

Security

Confessions of a ransomware negotiator: Well, somebody's got to talk to the criminals holding data hostage

We can't deny people are paying up left, right, and centre...

Dominic Connor, Fri 3 Sep 2021 // 10:28 UTC

Interview Many people outside of IT believe computers will do away with jobs, but the current ransomware plague shows that new and more curious kinds of jobs are created at least as fast. So what sort of background sets you up to talk to people holding your data for ransom?

To find out, The Reg talked to Nick Shah of STORM Guidance, who says he acts as a conduit between victims and the extortionists.

We should point out that current British government advice is not to pay a ransomware demand. The National Cyber Security Centre, meanwhile, has urged British businesses to think carefully when picking a cyber insurance policy - but won't say whether insurance that covers ransomware payoffs is a bad thing or not.

Nick Shah got his OBE in 2019.
He has dealt with many serious criminals, and has the instinctive blunt circumspection of a 30-year veteran cop about his past work, having worked on more than a thousand kidnap and extortion cases in his career with the National Crime Agency (NCA) and assorted organisations in Africa. He has been a part of investigations tackling criminals and terrorist groups that were intent on causing fear, harm, and in many cases death - somewhat more intimidating than the passive-aggressive emails we get from HR.

NCA's director general said of Shah's work: "Whilst the detail cannot be given here, I can say with confidence that the UK public has been protected as a result. I am delighted that his service is now being formally recognised."

Buying time

Shah's first advice is that: "A negotiator should never reveal that they are a 'trained negotiator'. Ideally we purport to just be another member of staff.

"It is important to indicate to the attackers that you (the negotiator) are not a senior member of staff that can make decisions," reducing their ability to put pressure on you whilst you "purport to be administrative level staff and need to refer upwards for decisions."

He added: "Should the incident require longer term negotiations, we could at some point - to keep the attacker's interest - suggest we have escalated it to a manager. Again this manager would not be senior. In reality, it could just be the same negotiator, using a different name and conversation style."

Although the attack vectors repeat, he says, the gangs seem to fission often enough that Shah and his team don't recognise the same actors in multiple attacks, so the "relationship" must be built up each time. This is partly necessary because of the stress the victims are under.
"I have seen many CEOs and senior managers be badly affected by the emotional pressures of dealing with a ransomware incident. As well as some feelings of guilt for causing or at least failing to stop criminals from getting into systems, they also carry the burden of worry of what impact this could have on the business and its staff."

To get some idea of just how stressful this is, STORM has found it sometimes needs a team of confidential counsellors to get staff through it, since even if they are at fault, they are also part of putting it back together and, as Shah says: "There is no time or benefit from pointing the finger of blame. It is a rescue mission." But that, of course, doesn't stop it from happening.

Shah sees his role as a conduit for the business to talk to the attackers, rather than a middleman, which means first he has to establish that the Storm team doesn't get involved with working out who was at fault. They are going to be working with these people to clean up while he starts the negotiation process. His experience is that most people are very reluctant to talk to serious criminals themselves.

Often he finds that the ransomware gang's negotiating skills are quite weak. So part of his role is to make sure that the ransomware-flingers - or their henchpersons - don't learn anything more during the negotiations than they already know about the company they've attacked and the data they've encrypted and/or stolen.

Who are you talking to?

Shah spoke to us about his process, in which he forms a model of the sort of people he's dealing with. He said that even over encrypted chat, there's a lot you can learn. This starts with the time of day they respond, as well as the variant of English used, even though a large chunk of the responses are cut and paste.
He also told us that in general he doesn't expect to be dealing with the developers of the attack but rather a subset of staff within the criminal organisation that are basically the "Help Desk from Hell". The more amateur operations use email to communicate with their "marks," which creates gaps that allow stalling whilst remediation efforts are being carried out.

That is part of the balancing act the negotiator needs to maintain: making sure the criminals keep in contact, and are talking towards some sort of solution, while the in-house IT professionals and his firm work to try to get things back on track.

Storm's technical team need time to try to disarm the ransomware and, if possible, resolve the issue without payment, Shah tells us, adding: "Negotiation is not about getting the lowest figure possible, it is mainly about getting information and time. My job is to get them time without the attackers becoming aware of the tactic."

But be clear: when data is leaked, it stays leaked. Shah explains: "The attackers will increase the pressure as time goes on. They are focused on getting payment as soon as possible and as such will make attempts to rush matters along.

"Storm experts and the negotiator's role is to support the clients with knowledge and experience to assist them in making the appropriate business decisions in a timely manner. We will be able to assess the validity of threats and give advice on the likelihood of the threat being carried out."

Talking money

Part of the reason for using a negotiator is that, not being personally affected or blamed, Shah and his team will not sound so panicked, and will be much less vulnerable to high demands. An axiom of this work is "to not let them know what your bottom line is going to be - if they know that, you will pay more, they will demand it."

"The skill of a negotiator is not to make offers, but to get the attackers to 'bring an offer'," he tells us.
"When discussing their offer we could use tactics to indicate that the demands are unaffordable, unrealistic or [that] acceding to such demands would take some time. These conversation styles generate further debate, either providing us with additional information, delays or a lower demand price. We can then potentially repeat the cycle, until we achieve our objectives."

His experience with these criminals has not left him very impressed, he says. Firstly, the former NCA man says, they waste too much time on unrealistic demands and would make more money by asking for a number that can be put down as a cost of business, then moving on.

Speaking about them personally, he adds: "It is important to note also that ransomware attackers are criminals - just like kidnappers. In most cases, they generally have the same incentives of financial gain, and as such a good negotiator will use the same skills in building a relationship and maintaining discussions to seek a resolution.

"The obvious difference is that in a kidnap, the negotiator's primary objective is the safe release of the hostage, and in a ransomware incident, it's to protect or retrieve data. Suitably trained and experienced kidnap negotiators will have the appropriate skills in their 'tool kit' to manage ransomware attackers."

Since their escalation includes releasing partial data sets, selling it to other criminals and aggressive messages on screens and DMs - and in some cases getting printers endlessly outputting threats - you can see the need for STORM's counsellors to help to stop the client folding or melting down.

Shah says that "the threatening manner and pressures imposed by attackers have similarities to kidnap situations, but unlike a kidnap, where you cannot put a price on a hostage's life, in ransomware cases, you know the value of the data relatively well."
Gangs vary a lot in how much they know about you, and that includes complete ignorance, so keeping it that way is important. According to Shah, the amount they demand is "more of a function of the policy of the gang, rather than any analysis of what the victim can or will pay."

Talk to me

To get their money, extortionists are often more than willing to answer questions during the process, and part of Shah's work is to get samples of what the attackers have exfiltrated to prove they are telling the truth about it (apparently some criminals lie) and/or to get them to decrypt some data, since there is little point in paying them if they cannot do this. Whether they will or not is another matter. In this way, the negotiations are a lot more stepwise than the binary state of a hostage release.

Shah's experience is different to most others this writer has talked to in that he doesn't see repeat attacks, "mainly due to the fact [that], post-incident, the company strengthens their cyber security protocols."

He adds: "I have not seen any reporting or evidence to indicate that by paying a demand [this] leads to an increase in vulnerability, however, like any negotiations, it is important to not make yourself an easy target by giving an impression that you will accede to initial or any demands."

Opinions vary widely, but David Jemmett of Cerberus tells us: "The first thing we tell the customer is, 'do not pay it'. Because they're going to still have a copy of it, and they can come back any time."
So the trick is not to be seen as such a soft target that they will come back again - or you can choose to believe their assurance that this is just a one-off crisis.

Shah finds there is an element of grim humour in all this. "From experience, during discussions they offer, at an extra charge, follow-on services to provide cyber security services, which [sometimes] includes information on how they originally got access.

"They are criminals and most likely to continue their criminality against you."

While you or I might see that as funny, they wouldn't do it if some were not foolish enough to take them up on it. And if your org does happen to pay the ransom, it's certainly worth checking whether you're correct about the way you believe they got in.

The bad news is that, despite having had the highest security clearance, Shah and his team get very little intelligence from the police or any other part of law enforcement, finding that the flow of information is very much one way. Shah says: "We have seen (or rather not seen), the authorities make almost no tangible progress or assistance in dealing with the gangs around the Black Sea and unless you're critical to national security, the bottom line is: you're on your own here."