During the Black Hat USA 2024 conference, Mark Lance, the vice president of digital forensics and incident response at GuidePoint Security, shared insights on the increasing ransomware threat and the challenges victim organizations face in dealing with ransomware attacks. Lance discussed the process of negotiating with ransomware gangs on behalf of victim organizations, shedding light on the complexities involved in making the decision to pay the ransom and resume operations.
According to Lance, one of the key ways organizations recognize they have been impacted by ransomware is by seeing ransom notes on their screens, instructing them to visit a specific website and warning of stolen information. When initiating negotiations, Lance emphasized the importance of representing the client and setting clear expectations for the process. He highlighted the significance of understanding the client’s strategy, such as the need for decryption keys or a business impact analysis, and the potential implications of paying a ransom.
In terms of negotiations with threat actors, Lance revealed that cybercriminals often set timelines for ransom payments, but these can be disregarded once communication is established. He also emphasized the value of engaging with threat actors to obtain critical information, such as a file tree of stolen data, to aid forensic investigations. Additionally, Lance shared a case where a hospital had to make a cost-benefit decision between paying a ransom to regain access to critical data and accessing offline backups, showcasing the financial implications of ransomware attacks.
When asked about the efficacy of ransomware payment bans, Lance expressed skepticism about their effectiveness, especially in cases where organizations feel compelled to pay to regain access to essential systems. He suggested that reporting requirements around ransom payments may be more practical than outright bans. Furthermore, Lance discussed the impact of law enforcement actions on ransomware groups, noting that while initial crackdowns may be effective, some groups may re-emerge under different names or splinter off into new entities.
Reflecting on the cyber insurance market, Lance highlighted the evolving landscape influenced by ransomware attacks, which led to increased scrutiny and validation requirements for insurance policies. He noted a shift from checklist-based underwriting to more thorough due diligence processes, resulting in more defined insurability criteria and potentially lower costs for policyholders.
In conclusion, Mark Lance’s insights at Black Hat USA 2024 underscore the growing challenges faced by victim organizations in navigating ransomware attacks and negotiating with threat actors. As ransomware threats continue to evolve, organizations must carefully weigh their options and strategies to effectively respond to and recover from these disruptive incidents.
