Semperis’ Jeff Wichman discusses why it doesn’t ‘pay-to-pay’ ransoms to ransom gangs.
Transcript: BBC News interview with Jeff Wichman, Director of Incident Response at Semperis

Cyberattacks are nothing new, but they are becoming more frequent and more serious. The International Monetary Fund says these kinds of successful hacks nearly doubled between 2020 and 2023, amounting to losses of $28 billion. The financial sector is a particular target, accounting for one fifth of all attacks. And that's just the companies we know about. Many attacks are kept quiet as victims pay the hackers and don't officially report the incident. My first guest spent many years negotiating with the hackers on behalf of their victims. He's now the director of incident response at the cybersecurity company Semperis. Jeff Wichman, welcome to Talking Business. And let me start with this. If you determine that someone or something has breached your system, what is your biggest concern? What is your priority to solve it?

From a priority perspective, I think it's really gonna be determined by what your company does. So if it's a hospital, lives are on the line; patient data is priority. If you are a bank, financial information is priority. I think one of the things that historically was a problem was companies would investigate on their own Monday through Friday and then throw in the towel on Friday and then ask for help. Friday is always the busiest day for IR firms. Firms need to understand that if you believe you are a victim of a cybercrime, especially of ransomware, don't wait. Get your IR firm, your forensics firm on the line as quickly as possible. Those first couple of days, you know, that can help a lot.

Well, talk to me about what happens if a firm finds out that it's being held to ransom by a cyberattack. What part of the process would a negotiator then get involved with?

I would actually communicate with the victim, communicate with the attacker, and try to weasel information out of the attacker and try to reduce the payment for the client.

So you were very much the intermediary in that.

Correct.

So talk me through those stages. You say weasel that information from the attacker. What did that involve? What were you looking for?

Yeah. So, typically, we're looking for information that will help the incident response team or the forensics team determine, as quickly as possible, what the attacker may have taken. Have they left backdoors in the environment? Are they still in the environment? Main question always: what did they take? Did they really take what they're saying they took? And can they the information for us if we provide them raw files that have been encrypted? Again, it helps tell the story of what happened, speed lines. Because if you look at it from the perspective of an incident response team and thousands of systems, there's not time to go through thousands of systems to figure out what the attacker did. Try to get as much information as you can to narrow down your focus and identify systems of interest and start there. And then find your breadcrumbs, and that usually spiders out into a little web of systems that really need to be triaged.

What's the most difficult bit to determine? Is it exactly that? You know, how damaging has this attack been? Where have they been? What have they stolen?

Yeah. Absolutely.

You know, maybe tracing those footprints through it. Is that the hardest bit in those early stages?

I think so. Yeah. Tracing where they've been, what they took. One of the gotchas is, and we see it in attacks to this day, where, you know, 2 months after the attack, the company ups the number of impacted individuals or data. And, really, that falls down to poor hygiene of the environment. You know, some user had a spreadsheet on their desktop or on their system that contained a whole bunch of information that should have been residing in a secure location on a server where it was controlled. That's typically the hardest piece to find.

Now, of course, the official advice is to never pay a ransom. It's not illegal to do so. A lot of companies do because of the implications for their own systems, maybe potential breaches of companies that they trade with. Client data is also at risk. Talk me through what a negotiation would look like.

I would say negotiations would take anywhere from 7 to 14 days for a typical engagement. You have to remember, attackers are in different countries, so we've got different time zones that we have to worry about while we're chatting with the attacker. And we go through the communication process trying to weasel that information out. And then when it comes down to trying to find that comfort level of where the company is willing to make the payment, we try to get it to an amount that is easier to swallow, I guess would be the right term, for the organization. It's literally just a chat communication, kinda like using Facebook Messenger. We're just chatting with the attacker, except it's on a web interface, on a web page on the Dark Web.

And, essentially, what you're doing there is negotiating a number that both sides are happy with and coming to some sort of compromise, I guess.

Correct. Correct.

Can you ever trust the hackers, though?

No.

Given what they've just done to that organization, they are holding it to ransom, and they say, give us this much money, we'll give you access. What happens if you pay and they don't meet their side of the bargain?

You have nothing. You—there's nothing. You can't do anything. There should never be a level of trust with the attacker. Maybe feigning trust with the attacker while we're negotiating with them and, you know, trying to build that buddy-buddy. But in the grand scheme of things, even when we ask for proof that they deleted the data they took or give us the data back, there's no guarantee that they haven't kept a copy. That's typically one of the first things we bring up when we start having our pre-brief with the victim: there are no guarantees when we're dealing with attackers. They could stop responding in the middle of negotiations, and we're just left. Or they could demand a payment and not give us the decryption or the access to the files, or delete the files. I always warn the clients that there is no guarantee that they will not keep a copy of the data and come back in 6 months and try to re-extort you.

One assumes there are lots of organizations that fall victim to this that do not publicize it, that we simply don't know about? You know, have you got a sense, given your work, of how many we actually hear about versus how many go unnoticed or undiscussed?

I'd say we're just scratching the surface on what's publicly available.

What's been the most difficult case that you've worked on? And you don't need to give me sort of names and details, but talk me through, you know, I'm assuming this is sort of sleepless nights. It's a 24-hour operation. It's you sort of on the Dark Web having to message people that you'd rather not be dealing with. Tell me the story.

So probably the worst one that I had was a large organization on the West Coast.

Yes.

It was on the West Coast of the U.S. Thousands of systems we had to dig through. Each system, there were multiple environments or infrastructure within this company for affiliates or subcompanies. Attackers were everywhere. We had to go through thousands and thousands of systems. The attacker literally hit just about every system, and I would say that one lasted about 6 months. The negotiation part wasn't—I mean, the negotiation part from my perspective is fairly simple, because I have a very defined start. I have a very defined stop, and it's easy. I send my message. I wait for the attacker to respond. Whereas the investigators, they are combing through all of the data, looking for the breadcrumbs, looking for the telltale signs that the attacker was on the system and it's a system of interest. Because sometimes just being on a system does not make it a system of interest. It could have been just a system that they thought was, you know, juicy at the time, and they moved on to where the juiciness was.

Wow. So this is a growing problem and one I assume that it's just gonna get worse.

It's gonna get worse. I don't know if there's really an end game of it ever getting better unless organizations take the steps to make their systems resilient and operate from a mindset of we've already been breached. We need to keep security top of mind.

Jeff Wichman, so good to talk to you. It's been a fascinating insight. I'm really grateful for your time on the program this week.

Thank you. Thank you for having me.
