What Ragnar Locker Got Wrong About Ransomware Negotiators – Podcast

There are a lot of "tells" that the ransomware group doesn’t understand how negotiators work, despite threatening to dox data if victims call for help.

The Ragnar Locker ransomware gang just put its victims on notice: Call for help – be it from investigators, the FBI or ransomware negotiators – and the punishment will be the publication of encrypted files.

Bryce Webster-Jacobsen, director of intelligence operations at digital risk protection/ransomware negotiators GroupSense, said there’s cause to think much of this should be taken with a grain of salt.

You can see why, from the gang’s perspective, it’s a great deal: Scare victims enough and they’ll self-isolate. They won’t enter into negotiations, and they won’t have any professionals whispering in their ear about counteroffers. It’s an equation that spells fatter profits for the crooks, in theory.

But the warning raised a few questions. First, how serious is the threat? How blatant is it when negotiators step in to help? Ragnar Locker’s note, posted to its dark net data-leak site, promised its so-called “clients” that the crooks have enough experience to tell if a victim’s being coached and would interpret victims’ requests for help as “hostile” actions.

Infosec Insiders Newsletter

Don’t even try, they said in broken English. We’re too slick to be taken in by those negotiators:

“So from this moment we warn all our clients, if you will hire any recovery company for negotiations or if you will send requests to the Police/FBI/Investigators, we will consider this as a hostile attempt and we will initiate the publication of whole compromised Data immediately. Don’t think please that any negotiators will be able to deceive us, we have enough experience and many ways to recognize such a lie.”  — Ragnar Locker’s dark net note.

Duly noted.

But to even out the conversation, we asked for a ransomware negotiator’s take on the warning. GroupSense’s Webster-Jacobsen dropped by the Threatpost podcast to tell us what percentage of Ragnar Locker’s warning is bluff and what, if anything, security teams should take seriously.

First off, Webster-Jacobsen noted that back in the day – as in, when ransomware negotiations were in their infancy and there were some unethical actors milking the situation – such warnings were actually warranted.

“It’s not the first group that we’ve seen posts warning about working with ransomware negotiators,” he said. “The one ..warning that we’ve seen in the past was mostly about working with ransomware negotiators that are, you know, operating unethically and taking advantage of the victims.

“And unfortunately … in the early stages of this industry… there’ve been some groups that position themselves as ransomware negotiators, but really are there to kind of take advantage of the situation that a company finds themselves in and try to profit off of that significantly,” he said.

Download the podcast here, listen to the episode below, or scroll down to read a lightly edited transcript.

It’s time to evolve threat hunting into a pursuit of adversaries.
JOIN Threatpost and Cybersixgill for Threat Hunting to Catch Adversaries, Not Just Stop Attacks and get a guided tour of the dark web and learn how to track threat actors before their next attack. REGISTER NOW for the LIVE discussion on September 22 at 2 PM EST with Cybersixgill’s Sumukh Tendulkar and Edan Cohen, along with researcher and vCISO Chris Roberts and Threatpost host Becky Bracken.

Lightly Edited Transcript

Lisa Vaas: Welcome to the Threatpost podcast. I’m your host, Lisa Vaas. Our guest today is GroupSense’s Bryce Webster-Jacobsen, director of intelligence operations at GroupSense. GroupSense offers digital risk protection from threats across all environments and offers, among other things, remediation and threat engagement, including serving as negotiators in ransomware attacks.

Bryce, welcome to the Threatpost podcast.

Bryce Webster-Jacobsen: Thanks for having me, Lisa.

Lisa Vaas: Sure. Would you like to give us give our listeners a bit of your background?

Bryce Webster-Jacobsen: Yeah, absolutely. So as, as you mentioned, I’m the director of intelligence operations at GroupSense. So my role is to supervise and manage our analysts and research teams that are working with our clients to provide cyber threat intelligence, digital risk protection services as well as serve as one of our one of our ransomware negotiators. So I am conducting and advising on ransomware negotiations and working with clients that have suffered ransomware attacks, crafting our strategy and then negotiating with the actual ransomware groups. So it’s a pretty diverse workload, but I really enjoy it. And I’ve been with GroupSense for coming up on two years now..

Lisa Vaas: Great. I’m glad you enjoy the work. It sounds fascinating. Now I wanted to ask you about the recent warning from the Ragnar Locker gang, which is to publish compromised files if its victims dare to call the police or the FBI or investigators, or to engage with ransomware negotiators. Before we get into that news, could you give me some background on how negotiation works?

I mean, does the negotiator typically make their involvement known to the attackers or…?

Bryce Webster-Jacobsen: It varies from case to case. Some negotiators will notify the ransomware group that they’re operating on behalf of the client. Others will not. We’ve used a mix of those strategies, and there’s various benefits to both sides, but generally speaking, we don’t make it known that we are a professional negotiator when working with the negotiator or working with the ransomer.

Lisa Vaas: Do you think that this is a serious threat that victimized organizations are going to heed?

Bryce Webster-Jacobsen: I would certainly hope they don’t. I, it doesn’t appear to be a serious threat to me. And there are a couple of tells in the Ragnar Locker statement: first, that they conflate ransomware negotiating services, cybersecurity professionals who are conducting ransomware negotiations, as being affiliated with police or FBI or, quote, investigation agency. And that’s just not true. To my knowledge, there’s no direct involvement with the FBI or police and any of the ransomware negotiation firms.

GroupSense does not work as an affiliate of any police organization. We’re not deputized by the FBI. We certainly aren’t off operating on their behalf. So that’s one tell to me that this is mostly a threat, a veiled threat, by Ragnar Locker, to try to prevent victims from working with professionals and advocates who can help them navigate the breach and navigate the attack.

And from Ragnar Locker’s perspective, they want the victim to be left on their own. So that they potentially feel the pressure. They don’t know the tricks that the threat actors are trying to pull on them and they can end up spending more money on the ransom. And from Ragnar Locker’s perspective, that means higher payouts, quicker.

Lisa Vaas: It that makes sense that they don’t want anybody talking to a negotiator, in order to maximize their profit.

The group’s note said that they have plenty of experience and can figure out if a victimized organization is working with a negotiator that may be affiliated with law enforcement. Does that sound credible, that a sophisticated threat actor could tell if there’s a negotiator helping out?

Bryce Webster-Jacobsen: Yeah, I do think that’s credible. If a ransomware group is sophisticated or has been operating in this space for awhile, they’re going to be able to tell the difference between victims who are potentially conducting negotiations on their own. [Versus] those that are working with a professional negotiator or with cybersecurity professionals.

So that was, that was one element of their statement that I did think was true. I don’t know if that’s just a threat to bolster their claim or to provide more credibility to their claim, but I do believe that they have some indication that that ransomware victim is working with the negotiator.

Lisa Vaas: Okay. I would ask you what the indications are specifically, but I wouldn’t want you to show your cards.

Bryce Webster-Jacobsen: Right, right. I would say generally based on the tone and tenor of it. Yeah. Of the negotiation, the cadence of the negotiation. I would say there are some tells in there for a ransomware group. From the negotiator side, it’s apparent to us when we’re dealing with more sophisticated brand smart groups versus less experienced ransomware affiliates or somebody perhaps operating a tool, a tool or a kit that they’ve purchased off the dark web.

So it goes both ways, right? we’ve dealt with tough negotiations where the ransomware group seems very professional. And I’ve made comments to some of my colleagues in the past that sometimes I feel like I’m negotiating against myself because they’re using some of the same strategies that I may use if I were in their in their position.

Lisa Vaas: Fair enough. If you were going to guess, would you say that other ransomware groups might try to adopt the tactic? I mean, even if it’s 80 percent bluff, it seems like a good tactic from their perspective.

Bryce Webster-Jacobsen: Yeah, it’s a great question. I’ve actually been thinking about that since yesterday.

It’s not the first group that we’ve seen post warnings about working with ransomware negotiators. However, in the past, the one, I guess, warning that we’ve seen in the past was mostly about working with ransomware negotiators that are, you know, operating unethically and taking advantage of the victims.

And unfortunately there have been a couple of in, in the early stages of this industry kind of bubbling up there. There’ve been some, some groups that you know, position themselves as ransomware negotiators, but really are there to kind of take advantage of the situation that a company finds themselves in and try to profit off of that significantly.

And so I’ve seen warnings from ransomware groups that came to pass. Now, I haven’t seen a warning like Ragnar Locker, where they claim that if you’re working with a ransomware negotiator and they catch you in that, or it becomes apparent that they’ll release all your data and, effectively, that tanks the negotiation at that point.

You know, that’s really the end of the negotiation. So I haven’t seen that specific threat. I don’t know if, if more groups will follow through. I think more groups will follow suit and post the same threats. I do see some other, you know, some potential that other groups will post warnings: “I’m working with ransomware negotiators,” or try to start to call out companies that are working with ransomware negotiators. But I don’t know if we’ll see the same threat that they will ,the ransomware group will end negotiation and post all the files.

Lisa Vaas: I jotted down a question I wanted to ask you, and I know you’re not going to answer it, but I’m compelled to ask it anyway. Will negotiators change counseling techniques at all in light of the warning?

Bryce Webster-Jacobsen: I don’t know if in light of the warning. We’re constantly updating our advice and our counsel to our victims as they, as we, learn more about ransom groups.

And as we, as we have experience with these groups and as the ransom groups change their tactics. So we’re constantly updating, I think this warning definitely is another data point that we have to consider in the advice. But we don’t have one strategy that we use in every negotiation, and we don’t have one strategy that we’ve used since the beginning.

We’ve been evolving our techniques and evolving our negotiation strategies, and evolving the advice that we’re giving to our clients.

Lisa Vaas: Of course, since threat actors evolve their own TTPs, negotiators and investigators do the same. We’re kind of running out of time here, Bryce, but before you leave, I, I did want to chat a little bit about REvil’s reappearance.

Is this at all surprising, or is this just what happens?

Bryce Webster-Jacobsen: What happens. I’m not particularly surprised that some of their infrastructure has now come back online. You know, we’re still waiting to see what the next step is, but we’ve seen ransom groups that fold and reappear and morph over time.

Some of the operators will cash out and some members of the team will evolve into a new group. They may be making improvements to their malware. That’s the ecosystem for them. They joined forces with other teams and other groups. So I’m not surprised, particularly because when they went offline, we didn’t see any notifications or indications or claims that law enforcement was involved. There were no reported arrests. There was no reported seizure of any of their cryptocurrency, no reported seizure of any of their infrastructure. So I’m not that surprised that they’re back, and it’s been a few months, and that’s generally the timeline, you know, they’ll go away for a handful of months, regroup, and you know, probably spend some of the money that they’ve been able to acquire and then they come back.

Lisa Vaas: They’re taking a vacation when the weather’s nice. You guys were negotiating this weekend, weren’t you?

Bryce Webster-Jacobsen: We’ve been very busy this fall or the late part of this summer as we begin into the fall. So yes, we’ve been pretty busy in the past few weeks and months.

I hope it slows down. I honestly do. I, I wish that we didn’t have to have this part of our business, but you know, until we can, we can make effective changes kind of on the policy and advisory level and practice level. Then I think we’re going to have to continue to do that.

Lisa Vaas: It’s unfortunate that you must, but I’m glad somebody is out there doing it.

Well, thank you so much for your input, Bryce. It’s been a real pleasure to have you on the Threatpost podcast. Thanks for coming on.

Bryce Webster-Jacobsen: Thanks for having me, Lisa.

Suggested articles