The Ins and Outs of Ransom Negotiation

Intro 0:01  

Welcome to the She Said Privacy/He Said Security podcast. Like any good marriage we will debate, evaluate and sometimes quarrel about how privacy and security impact business in the 21st century.

 

Jodi Daniels  0:20  

HI, Jodi Daniels here. I’m the Founder and CEO of Red Clover Advisors, a certified women’s privacy consultancy. I’m a privacy consultant, and a certified Information Privacy professional and I provide practical privacy advice to overwhelmed companies.

 

Justin Daniels  0:36  

Alright, Justin Daniels here as we’re having the plumbing done today, I am passionate about helping companies solve complex cyber and privacy challenges during the lifecycle of their business. I am the cyber quarterback, helping clients design and implement cyber plans as well as help them manage and recover from data breaches.

 

Jodi Daniels  0:53  

And this episode is brought to you by experimenter Red Clover Advisors, we help companies to comply with data privacy laws, and establish customer trust so that they can grow and nurture integrity. We work with companies in a variety of fields, including technology, SAS, ecommerce, media and professional services. In short, we use data privacy to transform the way companies do business. To learn more, visit redcloveradvisors.com. So Justin, who do we have with us today?

 

Justin Daniels  1:24  

Well, today we’re going to be talking about a very specific part about incident response. And that is ransomware negotiation, though Today we have with us Mike Snader, who has been with Kivu since January of 2020. Working in incident response and ransom negotiation. He spent 25 years at the Scottsdale police department with most of his career and investigations, including nearly a decade on the United States Secret Service Electronic Crimes Task Force. Welcome, Mike.

 

Mike Snader  1:52  

Thank you. Thanks for having me.

 

Jodi Daniels  1:53  

Well, it’s a pleasure to have you Mike, can you share a little bit about your background? How did you get to where you are today?

 

Mike Snader  2:00  

Where am I today, sitting at a desk at my house trying to not infect the world with COVID? Right? All right. So I retired from the police department and January of 2020. And a friend of mine went to work for Kivu Consulting and explained to me what he was doing, it was very similar to what we were doing at the police department, except it was a private company doing it. And I went see him at work one day and saw what they did, which which is incident response. And a couple days later, I was hired Kivu and was working in Incident Response Team.

 

Jodi Daniels  2:35  

So what does that mean? What is ransom negotiation with different

 

Mike Snader  2:41  

types of incident response, and ransom, just a component within the incident response. And if you were to think of it like like a crime show, and whatever your average our crime show, I’m sure you’ve seen negotiators negotiating for hostages, we’re we’re doing the same thing. So we will open up communications with our bad guy. And then we start making offers based on their offer. And then we negotiate whatever, whatever we’re choosing to so if you’re negotiating somebody out of the bank, let’s say we’re having that conversation. And while that conversation is going the incident response, people are putting up a perimeter and staging a SWAT team and putting people around the building to fix whatever damage occurs during the incident itself that I’m kind of my metaphor there.

 

Justin Daniels  3:29  

So can you just talk to us a little bit in general about how a ransom negotiation process works

 

Mike Snader  3:34  

kind of from start to finish, a client aka victim will be ransomed. So will they’ll walk into their can typically walk into their office in the morning and their computers don’t work, they’ll call their IT people and say, our computers don’t work. And the IT people have a very bad moment right there where they realize that there’s a ransom involved. And they’re staring at a screen that says, we have taken your data, and we’re going to sell it and make lots of money if you don’t pay us a ransom, and then it kind of spirals from there. So the client will usually call their insurance company, if they have cyber insurance. The cyber insurance brings in breach coaches, privacy counsel, and privacy counsel then brings us into the discussion and we all kind of play together nicely to do what really what’s best for the client. At the end of the day, we’re talking to the bad guys. Generally a couple different angles, bad guys go. And we deal with both those angles to meet the business continuity of really to meet the continuity of whatever business or private person Grantham. So the two angles that are normally attacked. One is that it’s actually locking up the data so a company can’t get to their information. And then the second part is the bad guys like to steal the data, and then they sell that data on brilliant. This sounds like a really deep, mysterious place, but on the deep dark web, and there There are plenty of markets that will buy that information.

 

Jodi Daniels  5:02  

Well, thank you for sharing, you know, over the last 12 months or so can you share about how ransom negotiation has changed? Yeah,

 

Mike Snader  5:11  

ransoms. I mean, ransom has a whole stay very similar. Some tactics have changed in the last 12 months been some really large cases that have been very public, like colonial pipeline, that that threat actor, that bad guy is not operated well, dark side as a named group is not operating anymore. The FBI and international authorities shut them down. But at the same time, they just opened their door up with a different name attached to it. So we’re pretty sure we know who that the new group is. What we’re seeing is is more expensive ransom to larger companies. And we’re seeing a lot of offshoot or ransomware, as a service called in the ransomware as a service are these smaller splinter factions that basically franchise out they’ll they’ll buy the software that that will cause the ransom, and then they try to work it as they would a small mom and pop business and they split the revenues, then with the big boys. It sounds very convoluted, but it’s it’s like franchising, and I don’t want to use a franchise store. But it’s like franchising, a little convenience store.

 

Justin Daniels  6:19  

So, Mike, from your experience, are you most often working with on these projects through legal counsel? Or do you very often work with the company’s director directly with outside without outside legal counsel?

 

Mike Snader  6:33  

The majority include legal counsel, we actually we strongly support that because of the privacy side. If they’re not so worried about privacy, and they are just encrypted, then sometimes the privacy side, sometimes privacy counsel isn’t necessary. But we we like to we actually like to work with privacy. counsel,

 

Jodi Daniels  6:53

you had mentioned a trend of working with larger companies. Do the smaller companies also have to worry about ransomware?

 

Mike Snader  6:59  

Great question. Yeah, we have a spike in business right now with with really small businesses, like sole practitioner doctors, sole practitioner, accountants are prime targets. Some smaller construction companies seem to be getting hit. Now I can look at some stats while we’re talking, as I look at some stats while we’re talking to me, so if you were to break down the industry, and these are just some of our tools that we use, professional businesses, so lawyers, doctors are a big, big chunk of what we’re seeing in the ransomware game now. But when I say big chunk about 30%,

 

Jodi Daniels  7:35  

that’s really interesting. I think so many smaller companies think they’re so small, I’m boring. Leave me alone there.

 

Mike Snader  7:41  

Yes. And when they when they get locked up, or when they get ransom, they usually have that that moment where they’re like, why are they going after me? At the end of the day, if you’re a sole practitioner, Doctor, you have all the HIPAA compliance, and they know that it’s gonna be an expensive route for you, just on the privacy side

 

Jodi Daniels  7:57  

really interesting really furthers the need for all businesses of all sizes to protect.

 

Justin Daniels  8:04  

So Mike, knowing Kivu a little bit, but for the benefit of our audience. What other types of services does Kivu provide besides this particular service with ransomware?

 

Mike Snader  8:15  

Ryan, is that something you want to go down the list because you’ll give it much more credence than I will?

 

Ryan  8:20  

Sure Thank you, Mike. My name is Ryan. I’m with Kivu. consulting Kivu provides a full lifecycle of breach services. So Kivu supports organizations with pre breach services, which typically, folks associate with maybe penetration tests, risk assessments, tabletop exercises, and other services in that category will also help with business continuity and restoration plans. Kivu then does your traditional digital forensics and incident response services, doing log analysis, imaging devices doing doing collections, helping organizations contain incidents, we also have our post breach remediation services, where we come in and help organization with boots on the ground services, people on site helping rebuild and restore organization, help them decrypt data and get that back into the environment when they are encrypted. And then we wrap that around with managed services with a managed MDR managed detection and response service where we help contain and remediate and continually monitor organizations for evolving and continuing threats to the organization. That’s what Kivu does.

 

Justin Daniels  9:33  

Well thank you for that. And so Mike, kind of changing topics just a little bit is from all of your years in this industry, and what the Electronic Crimes Task Force is, do you have a best security tip for our audience? Well,

 

Mike Snader  9:46  

sarcastic I would say don’t plug anything into anything. That’s my that’s my failsafe you know from the reality of things are if you keep your security updated if you keep your operating systems you keep everything you’re running what the current best practices are, you’re going to be in better shape. If you’re a larger company, you got to have an onion approach, defense in depth approach, though layer after layer after layer. And if you’re just again, if you’re just the average person, if you’re really careful what you clicked on, and those phishing emails that that you read about that you hear about, you see about are very real. I get them sent to me every day and somebody wants to know if this is a phishing email. Now it’s text messages. So not to disparage Amazon. There’s no free amazon gift cards, though. Don’t ever click on that. It’s the whole story of if it’s too good to be true. You get marketed all over the place, though I tell people limit their exposure as much as they can. If you’re if you’re the person that walks through the mall and fills out the winner free card or coupon whatever the thing you put your name, address and your phone number on and your email contact you should expect to get more phishing email than the average person. convoluted answer.

 

Jodi Daniels  11:03  

Now there are excellent tips, excellent tips, I really like the walk through the mall and fill up

 

Mike Snader  11:08  

the form for the free car. There’s nothing free. Just doesn’t So Mike,

 

Jodi Daniels  11:12  

when you’re not giving out security advice, or helping companies when they have these types of situations. What do you like to do for fun outside of

 

Mike Snader  11:23  

messing with the keyboard? Like I like to play golf, and I’m a huge baseball fan, huh?

 

Justin Daniels  11:28  

I love baseball fan. Dude, we could have a whole separate discussion, we can definitely have

 

Mike Snader  11:33  

a separate discussion about

 

Jodi Daniels  11:34  

that as well. So thank you so much for sharing all this great information if they want to learn more about Kivu and ransomware negotiation Where should we send our audience?

 

Mike Snader  11:45  

kivaconsulting.com. So I didn’t want to mess that up. And I have Ryan looking at me with that smirk on his face kivuconsulting.com

 

Jodi Daniels  11:54  

Perfect, though. Well, Mike, thank you again for joining us. Really appreciate it.

 

Mike Snader  11:58  

You’re very welcome. Thanks for having

 

Outro 12:03  

thanks for listening to the She Said Privacy/He Said Security podcast. If you haven’t already, be sure to click subscribe to get future episodes and check us out on LinkedIn. See you next time.