Cyber Crime Junkies
Translating Cyber into Plain Terms. Newest AI, Social Engineering, and Ransomware Attack Insight to Protect Businesses and Reduce Risk. Latest Cyber News from the Dark web, research, and insider info. Interviews of Global Technology Leaders, sharing True Cyber Crime stories and advice on how to manage cyber risk.
Find all content at www.CyberCrimeJunkies.com and videos on YouTube @CyberCrimeJunkiesPodcast
Ransomware Negotiations EXPOSED: Inside Cyber Hostage Deals with Kurtis Minder
Kurtis Minder, seasoned ransomware negotiator, shares insights into the complex world of cybercrime negotiations. He discusses the psychological aspects of negotiating with cybercriminals, the role of AI in both offense and defense, and the importance of understanding the motivations behind cybercrime. The conversation also touches on the evolving landscape of ransomware as a service and the implications for businesses and national security.
Dive Deeper:
Website: https://cybercrimejunkies.com
Engage with us on Socials:
LinkedIn: https://www.linkedin.com/in/daviddmauro/
X/Twitter: https://x.com/CybercrimeJunky
Instagram: https://www.instagram.com/cybercrimejunkies/
Speaker 1 (00:07.662)
Imagine a message that all your systems are down, no technology can be accessed, and your entire network is encrypted. Your backups, gone. Your company's future, hanging by a thread. You have two options. One, pay the ransom and pray. Pray that the people you're paying are actually the ones with your data, or that they won't leak it afterward. Or two, you can call
the person who actually negotiates with hackers for a living. This isn't science fiction. Today we go into the dark corners of ransomware negotiations, where one wrong move can cost millions and even cost lives. Our next guest, Kurtis Minder, has faced down cybercriminals from Russian syndicates to North Korean-backed groups and lived to write about it. This is Cyber Recon.
This is how to handle cybercrime negotiations, hacking, and the best ways to stop ransomware. And this is Cybercrime Junkies.
Speaker 1 (01:19.694)
Catch us on YouTube, follow us on LinkedIn, and dive deeper at cybercrimejunkies.com. Don't just watch, be the type of person that fights back. This is Cyber Crime Junkies, and now the show.
Speaker 1 (01:39.594)
Alright, well, welcome everybody to Cybercrime Junkies. I am your host, David Mauro, and alongside me today is a fantastic co-host, my good friend Dr. Sergio Sanchez. Dr. Sergio, how are you, sir?
Hello everybody, thank you again for being here with you guys, and we are ready to start.
Yep, very excited. So today's guest isn't just talking about cybercrime. He's negotiating with the cybercriminals behind it. He's been called the real-life ransomware whisperer. And if he doesn't know that he's been called that, I just call him that. Founder and CEO of GroupSense, author of an outstanding new book, Cyber Recon, a gripping look inside the world of cyber espionage, high-stakes negotiation, and the psychological chess match that plays out behind every
ransomware attack. Please welcome the man who mastered the art of negotiation with cybercriminals, Mr. Kurtis Minder. Welcome to the studio.
Thank you, that's quite a lot to live up to.
Speaker 1 (02:44.654)
Hey man, if you ever want, I will jump into any Teams or Zoom meeting and just introduce you like that and then leave.
Be like, my hype man.
So I appreciate your time today. So let's dig in. One of the questions that I stole from Sergio in our prep is: in writing the book, were there any stories that you wanted to share but couldn't, either due to operational security or ongoing cases or things like that?
Actually, a lot. The content for the book was basically an amalgamation of a bunch of little vignettes that I had made. I had a drive just full of these documents that are point-in-time experiences that I was like, I have to save this. I'm going to say half of them I just couldn't use. There's too much risk, either for me or for the other people involved, and I couldn't do it. So it was hard to pick which ones, frankly.
Yeah, absolutely. You know, your book talks about several, and you do an excellent job of kind of breaking down the subjects. And so we're going to get into spying as a service and the ransomware negotiators themselves and AI now. But one thing I wanted to ask you is, with all the experience that you have in negotiating these ransomware attacks, are there
Speaker 1 (04:13.422)
certain trends or categories that you've seen? After a while of doing something, you always kind of have a good 30,000-foot view of it that other people don't really have. And I'm just curious about trends that you're seeing, things like that.
Yeah, I mean, we see a lot of patterns and trends. I think first and foremost, you know, after doing a few dozen of these, we noticed that there is a very distinct playbook that most of these threat actors are operating off of. You know, they do pivot from that occasionally, but not too often. They pretty much stick to it. And so we would go into cases and we'd be able to tell the client, they're going to ask for this.
We're going to go back and forth like this for five days and we're going to settle about here. Right. Because it was so predictable. Now, some of them have figured that out and have made changes to the playbook to try to throw us off. A number of groups have also picked up that they're dealing with professional, academic-level negotiators, and they've studied themselves. And I was like, I recognize that trick. So they're definitely adapting, I guess, but yeah.
That's phenomenal. One thing I want to ask you: we were talking about the books I have on my shelf, and Chris Voss and the Black Swan framework that he talks about. To what degree do you involve almost FBI-style hostage negotiation when you're negotiating with ransomware actors?
Because there are so many parallels to it. Because the data is being held hostage. There's an emotional effect that's happening to the business owners. They see their life flash before them.
Speaker 2 (06:15.762)
And they're acting irrationally. I think, you know, the Venn diagram overlap of the sort of business, academic-level negotiation toolset and the hostage negotiation toolset that somebody like Chris Voss would have fostered in his job, I think there's a pretty big overlap, and what's in the middle of that Venn diagram is really where the ransomware world lives. It's combining those two. When I first got a call from Chris, we were both going to speak at this conference in New York.
It was the NYPD Counterterrorism and Cyber Intelligence Conference. And he called me before I knew he was going to be there. I was excited. I wanted to meet him because I'd obviously read his book and I took his masterclass. And he called me and he said, Hey, I just listened to a Wall Street Journal tech podcast you're on and I really dig your methods. And I said, of course he said it in a better voice than that.
He's like...
And I said, that's because they're your methods. That's one. Exactly. But yeah, so there's definitely a lot of overlap, and I have taken a lot from his book and applied it to this very strange paradigm.
He liked them.
Speaker 1 (07:27.448)
Well, in ransomware negotiations, can you, for a non-technical business owner, a small or mid-sized business, just kind of walk us through what all is involved? Because every now and then we are, first, we're an MSSP. And so we're brought in as first responders, and
we do a lot of, I'm part of InfraGard, so we do a lot of security awareness training when we're talking to people. Like, you know, are you ready? Are you aware that everything could be down, all of your icons and all the systems could be white, and there'll be a text file that says come speak to us on some Tox channel, right? And people are like, what? They have no idea even what you're talking about. I'm like, this is how it works. This is real.
That's why you have to prepare for events like this. Can you just walk us through, high level, in a traditional scenario, what occurs? This is for the non-technical person who may be listening.
Well, I'm glad you asked it that way because, you know, the negotiation part is obviously the part that gets talked about a lot, but there's a lot more to the ransomware response job than the negotiation itself. In fact, sometimes the negotiation is actually a rather minor part of the process, right? It also depends on the size of the client, or the sort of financial profile of the client; that varies quite a bit. But in most cases, the cyber insurance company or the law firm
is bringing us to the table. Sometimes it's organic. And the first thing I'm doing is assessing what these guys have done in planning for this and where they are in that response process, right? So I try to understand what they've done so far and discuss impact. We even developed a sort of basic business impact matrix that we would walk clients through to try to help them
Speaker 2 (09:34.294)
understand the financial impact. It's really difficult to do no matter what size your business is. It is better that, before we engage with a threat actor, we have some quantitative, order-of-magnitude sense of where we want to go with this. And not just, Kurtis, go take it down to as close to zero as you can and call me back. That's not a good strategy. So we kind of walk them through that. We educate them, we help them understand who we're dealing with,
set expectations. Sometimes the expectations are seemingly obvious to people like you and me, but not to them. For example, one thing that I often tell clients, and this has been the case a lot lately with some of the larger groups like Akira, I say, look, this thing that just happened to you is the most important thing in your universe. It's not in theirs. So your expectations about their timeliness and responses don't matter.
They have a hundred victims. So just setting expectations about what's really going on, who we're dealing with, and then walking them through their menu of options. And as a side note, I often act as some form of a therapist, I think, for these people.
Well, yeah, that's what our team has talked about, because we've had people, business owners, pass out on Zoom or even in person. They cry, they get very emotional, because their personal lives are so tied into their business, especially if it's, you know, a $30 million manufacturing company. They built that thing. That is their baby. That's their whole life. And it's tied to their
retirement and everything about their life and their identity. And it's being attacked by people overseas who have grown up their whole lives not liking us. Right. And it's very difficult for business owners to accept sometimes.
Speaker 2 (11:22.592)
It's their identity.
Speaker 2 (11:39.948)
Indeed.
Kurtis, I have a question for you. And of course, only if you can answer; I don't want you breaking any confidentiality, okay? Can you tell us, what was the most intense ransomware negotiation that you have been part of?
Well, it's kind of hard to say, between the ones that have the highest stakes, so when you talk about something that's impacting human life, like a medical situation, a cancer charity, that one was tough, and the ones that are just big numbers. It's really hard to do. They're both similarly stressful for different reasons. But I do think, even some of the smaller ones... I know I'm not giving you the exact
Right.
Speaker 2 (12:28.332)
single answer you want, but even some of the smaller ones, where it's like, I know that this person's entire business is gone unless I figure out a way to make this work for them by Tuesday. I mean, there are so many that are so stressful for different reasons. But certainly the ones where we're concerned about human safety, I think, are the ones that sort of trump everything else. But we've had a little bit of everything.
You know, the tens of millions of dollars, large international organizations that are undergoing huge operational interruption, costing them millions of dollars a day. And if you've read any of the books, like some of the books behind you, you'll know that speeding through these things is not wise. Delay is a great tactic. And so, when you're losing millions of dollars a day,
and your board is yelling at you to hurry up, it's just really stressful.
Talking about the stress, how do you personally manage the stress of negotiating with these criminals? How do you do it?
Yeah, I mean, not to be cheesy, I think I have a pretty good mental health regimen to begin with. I meditate every day. I write in a journal every day, right? I eat healthy, I exercise. So all of those normal healthy habits help. I think also I have a therapist, right? And that helps.
Speaker 2 (14:06.71)
I also have a good network of people who have done this kind of work, whether in law enforcement, undercover, or people like Chris. I can text Chris, or call Chris. When I get stuck or I get frustrated, I have an outlet in those ways. But it still can really get to me. I do lose sleep over it.
Being able to text Chris Voss helps. The author of Never Split the Difference: if you're able to text back and forth with the leading FBI hostage negotiator, that's something that'll help my mental health next time. That's pretty good. I had him on one interview. I wish I could text him and be like, my wife is really mad at me. Could you help me with this? How do I negotiate this?
I didn't say you text me.
Speaker 1 (14:56.142)
That's a good idea.
I usually text them war stories. I say, this happened. They did this. I used this tool and this is what happened. Have you ever seen that before? That kind of thing.
That's phenomenal.
And Kurtis is talking about tools, and I must tell you, I love AI. I think AI is a wonderful new tool that will make life easier. But also, thinking about this, it is a very good tool, and I know these criminals are going to use it. So how are tools like ChatGPT, deepfakes, you know, all these AI agents, changing this game now for attackers and defenders? Do you have
Any opinion?
Speaker 2 (15:43.404)
Yeah, I do. I think, like the rest of us, the threat actors and ransomware groups included started with using AI to build better synthetic content. That's the first thing they did. It was better phishing emails, better credential harvesting landing pages. The days of the phishing emails with all the...
with all the grammatical errors and things like that.
So they fixed all that. The next thing, and I sort of predicted this was coming, Dr. Sanchez, is that with every attack, they'll first take a copy of as much data as they can. And they're taking terabytes, tens of terabytes, hundreds of terabytes, depending on how long they've been in there. They'll take a lot of data. And I think in the past, it had been too much data for them
to weed through and find things that were useful for their case, for leverage, for extortion. I don't think that's true anymore. I think that they're using AI to find the most important documents in the data set and surface them, and even educate them as to what the documents are and how they can be used as leverage. So I think they're using it in that way. I don't know that they're using it to write malware yet, or if they are, it's nascent, but it's coming. It's coming.
No, go ahead.
Speaker 3 (17:07.31)
Sorry, I was going to ask you something. Do these criminals always require payment in cryptocurrency?
Yeah, yeah. It's not always Bitcoin, mostly Bitcoin, but a cryptocurrency: Bitcoin, Monero, Zcash, you know, yeah.
And then that raises the whole issue of, are you paying the right cybercriminal? Right? There's a vetting process, right? I know every single negotiation is unique, but, excuse me, don't you get a proof of life to vet that they actually have the data, right? And then when you're making the payment, don't you actually have to make sure that it's going to the right
Right. Yeah. A test payment. Yep. So we'll make a test payment of a random small amount and ask them to read it back to us. And yeah, we also have to check for compliance. We have to make sure these guys aren't on the sanctions list and things like that, so we're not in trouble with the Treasury Department. And while we're talking about the cryptocurrency part of it, I think that's another part of my job that people don't realize, and that is that the financial logistics associated with what we just talked about can be non-trivial. So
you know, you think you could just call your bank up and say, I'd like to transfer $2 million to a crypto wallet. They go, you know what? We only do $50,000 a day, right? The bad guys don't care about your bank policies. And so these are all part of the stuff that we do on the front end to understand what we have to work with. You know what I mean?
Speaker 1 (18:33.432)
Yeah, that's nice.
Speaker 1 (18:47.86)
Unbelievable. And then let me ask you this, does...
Speaker 1 (18:55.502)
How do ransomware negotiators in general vet or validate that the data won't be leaked later? Because once they have a copy of the data... And I believe it was the PowerSchool breach recently. It was not a ransomware attack, but in the PowerSchool breach recently, I believe I read, because I slapped my head when I read it, that they
paid the cybercriminal, and the cybercriminal took a video of them deleting the data, and that's how they knew that they weren't going to ultimately release that data later. And I was like, what? You're going to believe them? Like, here's me, I'm typing keys, do you see this? I am deleting your data, don't you worry, you can pay us the money now. There's got to be a better way, right?
If you guys know a better way, let me know, but I don't know, unfortunately. Yeah.
You really have to kind of take them at their word, don't you?
Well, I just tell victims that they should assume that they didn't delete it. No matter what log files they give us, assume that they didn't, and do some post-incident monitoring. So, you know, dark web monitoring. You don't want that to blindside you and show up late. You don't want to hear from your customers or law enforcement or the media about this stuff surfacing someplace it shouldn't be a few months from now. So do some monitoring. And yeah, you should assume storage is cheap. Not to get into the nation-state part of this, but I think most of these actors have this sort of
Speaker 2 (20:31.936)
unofficial amnesty awarded to them by their country. Yes, Russia, for example. That amnesty probably has a quid pro quo, which is: we get a copy.
Right, that's a good point. Then the intelligence group will be able to access all of the data regardless. Yeah. That's a very good point. I never thought of that. That's really good. Well, and we saw, I think it was Change Healthcare, where they paid right before BlackCat did their exit scam, allegedly. It seems like they had paid the BlackCat administrators.
But then the main affiliate who had done it still had a copy of the data. So they weren't able to vet that. And then he went back to them, or something like that.
Yeah, and I think that's probably more of a flaw in BlackCat's ransomware-as-a-service infrastructure. But yeah, I mean, we're dealing with criminals. It is what it is, you know.
Thanks.
Speaker 1 (21:34.838)
One of the things you talk about in the book is spying as a service. I'd like you to elaborate on that, explain it in plain English, and explain the difference between that and ransomware as a service.
Yeah, the main product that the company I started was started to perform was more of a cyber espionage operation on threat actors. And the idea behind it is no different than why we have the CIA, right? Having a better understanding of our adversaries' capabilities, motivations, and resources helps inform us as to how to defend ourselves.
We have limited resources to defend ourselves. And it's the exact same for CISOs, maybe even more extreme. If you don't have a picture of what's going on and who might target you, with what, and why, then you're guessing. You're building this wall, and you're kind of guessing. And so that's the purpose behind it. We didn't raise a lot of venture money, mostly because a lot of the venture funds didn't... They want product companies. They want high volume.
You know
Yeah, transactionally they can see their returns every quarter, etc.
Speaker 2 (22:53.74)
Right, and this wasn't that. This was more outcome-driven. That almost became a religion at the company. It was like, look, we don't develop a solution if we can't drive a tangible outcome for the client. Sending you data that tells you about bad things that you can't do anything about is a terrible product. So we hired a lot of people, and we had these really smart people who spoke a dozen languages and were hanging out in chat rooms with bad guys and doing almost
traditional human intelligence work, and we were really good at it. And that's what dovetailed into the ransomware response work: we had a reputation among the responders that if you need somebody to go talk to a bad guy and validate some stolen data or something, the GroupSense people can do it. And they assumed that also meant we could negotiate. We did, but initially we were not
as let's say scientific as we are now.
Sure, absolutely. When there's a ransomware attack and a business owner or leadership has to decide whether they pay or not, there's a lot of talk about possibly banning ransomware payments in certain industries. What's your view of it? I know the FBI always says, we always say, not to pay a ransom because you're funding cybercrime, but we understand that there are
business decisions that need to be made.
Speaker 2 (24:30.498)
Well, I mean, I've actually briefed two committees in Congress about this stuff, and I've got a pretty strong opinion. If the goal of banning ransomware payments is to prevent people from making ransomware payments, I believe it will fail, because if the victim has basically two choices, pay a ransomware payment or go out of business, or pay a ransomware payment or people die,
they're going to make the payment, and you're just not going to know about it. Keep in mind, we're doing this over the dark web and cryptocurrency, so it won't be hard for them to hide this. So what you end up doing as a government is losing the visibility. I think there's an ROI for the government investing in prevention and response to give companies a third option.
I would agree with that. That's great.
Yeah. Well, and going back to my point about the data, you know, the bad guys have been taking this data for seven or eight years as standard operating procedure. Just assume that the Russian FSB has exabytes of our data: maps of our roads, architectural plans of our buildings, financial statements. It's a national security issue, frankly.
Yeah, absolutely. I mean, cybercrime in general is. Yeah, completely.
Speaker 2 (25:51.821)
Yeah, yeah
So do you see a pattern in these kinds of criminals? Are they doing it for money, for ideology, ego, politics? What do you think? Is there a pattern there?
I think it's primarily financially driven, but it's reinforced with ideology. And I talk about this in the book, trying to understand the perspective or the lens that these folks might see the world through. In some ways I feel like we've shot ourselves in the foot in the West, because if you watch Western television and you're from Donetsk, you think we can afford this. Right? You just think, yeah, we're all rich.
We'll recover. We'll be fine. We'll be fine. I don't think they use that as an excuse for what they do. I also try not to judge them because I didn't grow up in Donetsk or Minsk or wherever. I don't know what it's like there economically. I don't know what opportunities you have. So this might be what they think is the only way to support their family. I have no idea. I'm not excusing them. It's not sympathy, but it is maybe some form of empathy, right? Where I can understand
what they might be thinking.
Speaker 1 (27:04.236)
That's exactly what Jon DiMaggio and I just spoke about last week, or actually two weeks ago, right before he went to DEF CON, because he gets a lot of... And I know that you know him; he's in your book. He said, you know, I get a lot of flak. People think I'm sympathetic to them. He's like, I'm not, but I have to understand them, and you can't help but feel for their scenario, even though what they're doing is wrong, and there's no question about it. And I'm like,
that's empathy. It's different. Learning to understand is different than sympathizing with them, right? Than agreeing with them. Jon never agrees with them, but he needs to understand, just like you do. You need to understand their modus operandi, their motives, their general tactics in order to defend properly.
Yeah, 100%. And that also takes from the espionage playbook as well. It's like, get as close to them as you can possibly get so you understand their why, their motivation, and their capabilities. Yeah.
One thing Sergio and I talk about quite a bit is the undetectability when they first get in. It's just shocking to me how long they are inside for. And a lot of it has to do with, I know every organization is different. Some organizations don't have detection capabilities in place anyway, so they're going to be in there for a while. Are you seeing any trends or any
consistency in terms of how long they are generally inside undetected before either they launch or something catches them?
Speaker 2 (28:52.386)
I mean, it used to be months, pretty commonly months. We had one case where I think they were in there for over a year, and they took 400 terabytes with nobody noticing. Wow. That's a lot of data to transfer, right? Lately they seem to be moving a little bit faster. I think that's part of the ransomware-as-a-service model. They're not as interested in casing the client; they just want to do a quick hit, grab and run, kind of.
So they've definitely, at least on the broader market... It's funny, I like to think these guys have their own go-to-market strategies for their business, and they do have go-to-market strategies. And so for some of them, it's a volume game. They're hitting as many people as they can as quickly as they can. Others are still doing the big game hunting. I think the big game hunting is where there will still be long dwell times, where they're going to spend time in the network and really understand it better,
so they can impact things like the backup processes and stuff like that when they do that. Yeah.
Have you ever come across having to clean up afterward after a prior ransomware negotiator or anything like that? I mean, I know that in Jon DiMaggio's recent findings, he talked about how one of the Kaseya hackers is in jail, and one of the questions that he was asking Jon was, you know,
my sentence is to pay back $60 million. I only stole like five.
Speaker 2 (30:27.854)
Because of the data recovery people.
Because the data recovery people had held up the victims. Like, they bought the decryption key from me for a million. Then they told the victims, well, we're going to be able to get it for 10 million. And they were keeping the difference, or something like that, is what the...
I remember the first time. I've run into those guys a lot of times. I've filed FTC complaints against them. I know some of them have offices here in the US. They're still operating, and it drives me nuts. But I remember the first time I found one of those guys, and it goes to the beginning of your question. The victim called us, it was the day after Thanksgiving a few years ago, and they said, hey, we tried to pay this recovery company and they kind of ghosted us. And I said,
what was the recovery company going to do? And he said, well, they said they had some special software they could use.
Yeah, like quantum. They've got a quantum computer. Yeah, if they have that, we would love to see it.
Speaker 2 (31:21.066)
I didn't want to- I was already-
Right. Yeah, well, we'd have bigger national security concerns, wouldn't we? So yeah, I said, well, I didn't want to upset the guy any more, but I'm thinking in my head, that's not a thing, but okay, right? And I said, what did he ask you for? He said he asked me for the ransom note and a couple of files that he could test his software on. That sounds a lot like a proof of life to me. And why would he need the ransom note? Why would he need that? And so I was like, can I see it, please? I went
and I saw the transcript of the data recovery person negotiating. And I remember in your episode with Jon, you talk about how they take it offline. They did not take it offline. I saw the whole thing. Wow. And I saw what they negotiated it to. And by the time I had done that, they had contacted this guy again, the recovery company, and marked it up 80% from what I saw the final number was.
Wow.
Speaker 1 (32:14.774)
And business owners, victims of these attacks, they don't know. How would they?
Well, but do they? Here's a question I have. In the US, I think it's illegal now for some municipalities or government entities to pay a ransom, or it's against the rules, right? But what if you just paid a data recovery company?
I didn't pay the bad guy. I paid this company. They have special software. Do you see what I'm saying? It's plausible deniability. And if you go to some of the websites of these data recovery companies, you will see all of their reference clients are municipalities and law enforcement. Wow. And I think they might know what they're doing. And they're just covering it up. Yeah.
Right.
Kurtis, based on your experience, what is the number one mistake organizations still make that leaves them vulnerable?
Speaker 2 (33:05.144)
password reuse.
Wow, you had that ready. You had that ready.
Yeah, that's what it is.
I have another question for you. How many companies, you know, get ransomware? They pay the ransom, and a couple of weeks, months or days later they get ransomware again. Re-infected, I would say.
Yeah, it does happen, but I don't know of a single case where, at least in my sample size, where it has been the same ransomware.
Speaker 1 (33:41.895)
Right, because they hear about it, the other gangs hear about it, right? And then they target them.
And this really just speaks to your incident response capabilities, right? So if you haven't truly locked the doors, you're susceptible. The other guys are opportunistic. They don't care that you just had an incident. They don't care. They'll go for the... So I've had that happen. I will say though, we've done some research, and I do believe that the ransomware actors do repurpose some of that other data to do other kinds of attacks, like business email compromise and things like that.
So we've seen evidence to support that. But I don't see ransomware groups attacking the same victim twice, Dr. Sanchez.
I have to tell you something interesting, and I hope nobody's taking ideas from me, people here in this show. Thinking about, again, I'm coming from a country where, sadly, drug dealing is a huge business. But because also it's a huge business, you know, they have to spend money in the business, you know, locations, people, transport, equipment, etc.
infrastructure.
Speaker 3 (34:53.608)
You think that will be kind of scary that all these, and all the, now, you know, Mexican drug lords, but everybody now thinking, well, you know what? Yeah, drugs is a lot of money that we can get money from, but the high risk of getting caught or losing the business. What about if we now try to do what, you know, North Koreans, Russians, basically all those, look.
Yeah, we do cyber crime and don't worry about getting mules and getting worried about being arrested on US soil, because we will never step there anyway. What do you think about that?
Right.
I think that's entirely plausible. And I also, it's probably, some version of that's probably happening, maybe not on a grand scale. I also think that the US specifically is not prepared to handle it from a law enforcement standpoint. Some of the work that I do, I do a lot of sort of pro bono work for small businesses. A lot of that comes through local law enforcement and municipalities around the country. And...
The digital investigation capabilities of municipal law enforcement are near zero. So if you're a victim of a cybercrime, take out the major metros, but anywhere else in the United States, they're going to tell you to file a report with the IC3, which is the Internet crimes reporting site. They're never going to call you. And that's the end of your case. So you're the victim of an actual financial crime and no one's going to investigate it. And that's a problem.
Speaker 1 (36:22.328)
Yeah.
Speaker 2 (36:33.44)
And that also needs to get fixed.
Is it just, is it really just a staffing matter or a resource matter at the federal level, do you think? I mean...
It's the double-edged sword of how the US is so fragmented, right? Same thing with election security. The people responsible for election security are these little municipalities who have no money. Same thing, the law enforcement is the same issue, but the funding is going to have to come from the federal government eventually to support this. And there's a cultural issue too because a lot of police officers don't think this is a real crime. They're like, it's computer stuff. That's not real crime.
I tackle people who rob the shoe store. That's a real crime. This is not. And so there's a cultural gap as well. It'll be a tough road, but we're going to have to figure it out.
I will not further answer Sergio's question, but I did see there was a documentary that Jon DiMaggio was part of about two years ago. It was on National Geographic. And they had talked about, they had interviewed actually a couple members of the Crips and the Bloods and how they were talking about, they were going into carding.
Speaker 1 (37:55.5)
Not necessarily. I mean, it's cyber crime, but it's not ransomware per se. But they were going into that because they said, look, if I get caught, I do maximum five years in a federal penitentiary. It's white collar crime, and I'm not jeopardizing getting shot. I go to a federal prison rather than state, and it's five years as opposed to the mandatory minimums that drug dealing has. So that was the first
It's a white, it's a white collar.
Speaker 1 (38:25.07)
thought I ever had about them switching over in some capacity.
Anybody who wants to look it up? That show is Trafficked by Mariana van Zeller. Trafficked, correct. Yeah, it's a great series.
Great show. It was interesting because that was the first time. I don't see, at least in the breaches that I researched, I don't see that being prevalent yet, but it could be something that evolves over time as their computer skill sets improve.
And with AI, everybody can be an actor now.
Well, I also don't think, you know, with ransomware, you've got these initial access broker markets, which are people that break into the networks and then sell the access. You've got ransomware as a service platforms. So if you can use cryptocurrency and you can use the dark web, there is no technical capability required. You buy the access, you plug in the ransomware as a service, and you take a percentage. That's it.
Speaker 1 (39:25.08)
Yep. All the coding and all the, the highly technical aspects are all, it's really just bought. It's like a product.
Unbelievable. In terms of dark web marketplaces, you touched on them in a section in your book. What is it that business owners need to understand about dark web marketplaces? I mean, to me, it's always fascinating because you can buy session cookies, you can buy obviously credentials, right? And log in as somebody as opposed to even
having to hack it, because people...
Which doesn't set off your intrusion detection system, does it? Right.
No, it doesn't, and people reuse passwords, and it's right there. Like, I got a good password, I use it on everything. And I'm like, no, that's not the answer, right? Like, it's good that it's a good one, that it's long, right? But it's, but it's not good that you, you know, your Facebook is the same as your banking. Like, that's not good.
Speaker 3 (40:28.778)
Yeah, I think, having your key, one key for your house, your car, your office.
Exactly, one key and then you leave that everywhere. Right.
And your safety deposit box. I think what companies need to understand is that there is, you know, dark web monitoring seems like a nice to have. These days, because of everything you just said, it's pretty much a fundamental part of a security program. Looking for indicators of risk for your organization in dark web marketplaces has a tremendous amount of...
Exactly.
Speaker 1 (41:01.146)
Yeah, yeah, absolutely. Okay, that's really good. And it seems that, I mean, it is exciting when international law enforcement combines and they take down one of these big marketplaces. Everybody celebrates it because it is a win. But then we all know, like, immediately five others pop up, right?
Yeah, yeah. I mean, those disruptions are very temporary.
Yeah,
Probably the solution would be to create an international, or kind of like an internet police. Kind of like a, what is it? Ziphole or something like that.
Yeah.
Speaker 2 (41:43.642)
I mean, I know there's a lot of collaboration between Interpol and US federal law enforcement, something on a regular basis, but they've all got different agendas. Having a united central one wouldn't be a bad idea.
So one thing I wanted to ask you is, how do you balance all of it when you are in a negotiation and you are negotiating with a cyber criminal? You know, pay, your liability, moral hazards, you know, potential future hacks. How do you balance all of that?
So one, I try to be sort of the dictionary for the situation. I don't try to impose any sort of my will on anyone, other than if it's illegal, I won't do it. But I won't engage with a threat actor, you know, on a sanctioned list or whatever. But other than that, if somebody asks me, should I pay? That's up to them. One of the things that I do discuss often with these victims is
And I think this is super important, but it sounds kind of cheesy. That is, you know, if you run a values-based organization and this would, this paying a ransom would be against your values. If the first time it is inconvenient for you to honor those values, if you just pay the ransom, your values are useless from here on out, like for everyone. Right. And so, you know, we talk about, you know, is it, that's a gate, that's a gate you have to cross. Is it against your values as an organization or as a person?
Is it illegal? That's another gate. And then does it make business sense, and how much? Right? And those are really the gates, and walking them through those as transparently as possible.
Speaker 1 (43:26.466)
That's, that's got to be so delicate. I mean, that's why you have got Chris Voss on speed dial. Much like how
Yeah, I think, I think I was blessed with like some, some form of empathy too. So I definitely understand it, but, and I say that because I, I've tried to hire for this and it's not right, right? It's not, it's not a trainable skill so much. It's something somebody has or doesn't have. But I do think I have an ability to not only understand the victim and the bad guys but also speak to them in a way that they understand that I understand. And yes, it's
But it is emotionally exhausting for me.
I bet.
Absolutely. You know, one thing I was curious on, so OFAC has a list of, like, places you can't, you know, we don't trade with, we're not allowed to pay. Let's say a gang gets placed on OFAC, but then some of the gang members of the affiliates, they move around all the time, or the gang itself dissolves. We're out of business, like black hat, we're out of business. Meanwhile, everybody that was there is just
Speaker 1 (44:37.356)
rebranded in other ones. How do we enforce OFAC when that happens? How do you deal with that? How do you address that?
So we, you're absolutely right. It's almost useless because
That's what I was like... It's almost useless. I come up with, and I'm like, there's gotta be somebody smarter than me who has figured this out.
It's, I mean, if you're just doing it, you know, in the spirit of following the letter of the law, it's a checkbox and you just do the thing and submit the paperwork and move on. You know, companies like GroupSense, if you're doing, I believe you're doing this correctly, you are providing additional context, like what you just talked about, saying, hey, look, the person in this group is widely known to have been a founder of this other group, which is on the list. Now, while we're not technically violating sanctions,
we are paying someone who was on the sanctions list under another name. And then they'll ask me for legal advice and I'll be like, take that to your lawyer and you guys decide what you want to do. So we do give them that additional context. It helps to be a CTI espionage company because we have a lot of that data. We know where these guys are.
Speaker 1 (45:52.65)
Unbelievable. And have you ever had a business owner that was true to their values and just would refuse to, I refuse to pay criminals for doing this. But then it gets to the point where their back is against the wall, and if they don't agree, they could go out of business. And so then they fight and fight, but then they have to do it. And there's still rationale there. And
Yep. I've had both of those. You know, I think the toughest part for the... And I can't remember if we talked about this, but I do the cases at GroupSense. Those are brought to us by cyber insurance companies and law firms. I do a bunch of pro bono work also. So I see all of the spectrum. And on the small business side, I think that where that gets flipped, where somebody's like, no way, I'm not paying terrorists, I'm not doing this. They eventually come to the conclusion that they're harming 30 other people's livelihoods by not doing it.
Yeah.
There's, I've also had somebody who, who was going down the path, and this is actually fairly recent, was going down the path of not paying out of principle, and they were able to actually recover from the backups. They ended up paying, they ended up paying just to have the data removed from the, from the shame site on behalf of their clients. Just the, there's a lot of social pressure, I think, you know, when they, if you're, and this was a healthcare organization, so there's some pretty nasty data that was up on the...
No, wow. Wow.
Speaker 2 (47:21.036)
Yeah.
Damn.
The HHS wall of shame is not something you want to wind up on.
Right.
Kurtis, thinking about that, you know, we all IT guys, IT professionals, I will call it nerds that we are, we are kind of prepared. We know what, you know, to look for, to be ready for. But I will not say the problem, I will say the high issue here is with people that are not technical at all.
Speaker 2 (47:58.796)
Right.
They are actually the ones that they target, you know, mostly with, you know, phishing emails mostly. If you were talking to a non-technical audience, what is the one everyday habit that you would beg them to change to improve their digital safety?
It's the same thing. It's stop reusing pass- stop reusing passwords, basically. Oh my god. This is the number one.
That's unbelievable. That's so basic. And yes, you know, like you go down, and I've been in cybersecurity for a while now, and it still gets down to the things that they said before I was in it. And it's still shocking to me to
I know, we've been, we've been saying the same things for 10 years, but, but yeah. So one of the things I talk about in my talks is, I talk about, you know, I often refer to the cyber poverty line, and it's kind of what you're saying, you know, Dr. Sanchez, that, that there's, there's a certain line where technology is absolutely fundamental to everything we do. Like, you can't survive in business or life without embracing it at some level. I think it is unreasonable to expect the average human being to understand and mitigate the risk associated with that adoption. That's not fair. Like, I don't
Speaker 2 (49:10.446)
Like, I'm a really technical guy. I don't know how this works. This is my iPhone, right? I don't know how that works. And I don't think I should have to know how that works. But I do think that, you know, as we evolve as humans, there are some things that we're going to have to learn. One of the, one of the clips I use often is, like, people will ask me, well, do we all have to become cyber security experts? And my answer is no, just like you don't have to become a doctor to know how not to die. Right? So there's a
There's a small list of things that I think you can learn, and there are tools that you can use too, like password managers, that solve some of these things for you. And then one of my other soap boxes, sort of attached to that, is I believe that it's a civic duty to adopt these things.
We're all connected. It's a matter of national security and it is your civic duty.
I do this one talk called the digital butterfly effect, which is, you know, the butterfly effect from chaos theory, where you've got a butterfly flapping its wings in one part of the world, it's cycling. And the subtitle to that is from the dry cleaners to the DIB, the defense industrial base. And I show how what seems to be a benign cyber attack, a phishing attack on a dry cleaner, ends up being a national security concern. And the point of that whole thing is, like, we're all connected.
And we all have a responsibility, and if as a group, collectively, we all do a little bit more, it'll improve everybody's lives. And that's, you know, one of my soap boxes.
Speaker 3 (50:34.072)
Kurtis, let me tell you, that was one of the main things that I used to, again, I used to work for the Vatican, for the priests. And when I went to tell them, well, please don't use your AOL account anymore. Please use now the official one that is given to everybody. And they say, I don't care about my password. I don't care about the emails. I don't know. Yeah, but did you ever see a movie, Six Degrees of Separation, with Kevin Taken?
Yeah.
Where?
Basically, the basis of the movie is that everybody is connected to everybody, and it's just six people in between. But you should tell them, look, you know somebody that knows somebody that knows somebody that knows the pope. So if I had your account, I would be using you like a bridge to get to the pope. And I can destroy the Catholic Church in minutes.
And then, oh my God, yes, you're right. Let me go and change my password right away. And they used to choose these, you know, Bible verses in Latin, the good numbers and letters. Like, woof. Right.
Speaker 1 (51:40.814)
But if it works for them, that's phenomenal, right? Yeah.
That's a pretty unique password manager.
That's great. It's got all the biblical phrases. That's awesome. Well, yeah, I mean, one of my last questions for you was, in your book, and I will cite it correctly, it was on page 57, you say if you do only one thing after reading this book, you should look at your personal digital risk. And that's basically what you're talking about, isn't it? Yeah, like
Yeah, well, and I think in the book, I also talk a little bit about your personal attack surface too. It's like, just like a business, assume that it could still happen. It might still happen. Reduce how effective that is for the bad guys. So don't keep all the emails you've ever been written for 30 years in an inbox. You don't need all of that. Yeah. So I think there's some just basic things that everybody could be doing and we'd all be better off.
Done.
Speaker 1 (52:38.002)
Yeah. Yeah, absolutely. So as we wrap up, because I want to be respectful of your time, talk to us about what you're seeing in the future of cybercrime. AI's role, how they're, I mean, they're leveraging it through generative AI, agentic AI to some degree. Like, what is, where are we heading right now, Kurtis?
Well, I do think, I mentioned they're not, I think the main reason they're not using AI for custom polymorphic malware is because they don't have to, because we keep reusing passwords. But as we start to improve, they will. I know.
I know. Yeah, we got AI. We could really crush you with it. We don't have to because you leave the doors open. Like that's basically...
Right. Why spend the effort? I do think that these things are hard to predict because of AI. If you talk to an AI, or sorry, a venture capitalist right now, their biggest challenge right now is deciding where the technology of any particular company will go in the next three years because of AI. I think that's true for cyber crime and cybersecurity, where that tool is only getting better on both sides. We're using it in defense, they're using it in offense.
And it's escalating, and it escalates the arms race. You know, it's really hard to say. I do know that the most effective, you know, approaches, and this goes back to your, your, you know, episode with Jon DiMaggio, is, is almost traditional, still traditional criminal investigation type work. I mean, it's getting down to finding an asset and flipping the asset, and then they give you access to, like, it's that stuff. And so as, as our federal law enforcement gets smarter about
Speaker 2 (54:23.946)
cyber investigations and things like that, I think we will make a difference. And then the rest of it's going to be diplomacy. And I don't know how that's going to go.
Well, that's always interesting. Like, that's always, that's just a hot mess. That's, that's, that's phenomenal. Any, any position or thoughts on synthetic IDs, AI deep fakes? I always ask because I'm fascinated by them. I deep fake myself all the time. Like, I talked to, I talked to my kids. They're like,
Yeah.
Speaker 1 (55:01.784)
Dad, why were you doing that? I'm like, I'm standing right here, that's not me. They're like, how are you doing that? I'm like, it's like a parlor game.
Actually, that's a great idea. In the beginning, you were saying about, like, what I tell my wife when she's upset with me. You're saying you're an avatar.
Yeah, that way it fields it all, right? I better make sure she doesn't watch this.
I'm thinking about the same with mine.
I'll edit that out. I'm going to edit this out. Honestly, tell me what your thoughts are. I, I know it's kind of popular to talk about and a lot of people are addressing it. Maybe it's just another element of social engineering, really.
Speaker 2 (55:42.254)
It is, it is. Like, one, another thing I have been doing recently is doing seminars and workshops for people who are recently retired or about to retire. Oh, yeah. On scams and how they get scammed and what to do if they get scammed and how to identify the scams. So I've been doing these, and usually it's, like, sponsored by a wealth management firm or something like that. And one of the things I'll do in those workshops is I will, I will deepfake. So whoever introduces me, the emcee, I will record that
on my iPhone, and then I will, in front of the audience, duplicate that voice over the microphone to show them. And so I walk them through how that's being used in these different, like, grandparent scams and things like that. So I do think
Butchering and the, oh my gosh, all that, the romance. Have you?
Have you had Erin West on yet?
I've not. We need to. You should.
Speaker 2 (56:36.568)
If you want me to connect you, I can. She helps me. I will send him. I'm sending the screenshot of your book.
I would love that.
Speaker 1 (56:45.902)
That's great. You will do that live for them and replicate their voice so that you can get it to... because it used to require hours and hours of samples in order to...
It's like 10 seconds, 15 seconds now, and it's super crazy. Yeah. And I think the point of doing that wasn't just to do, you know, like a parlor trick, like you said. It is to say, when the person who calls you, who says they're the Las Vegas police department and they've got your grandkid, you know, in custody, and you hear your grandkid in the background, get me out of here. All they need is 10 seconds of your grandkid's voice. Where can they get that? TikTok.
Instagram.
I saw a voicemail. Get it from a voicemail, when you set up your own box, your own inbox, for your own voicemail. They say not to even use your voice now, because somebody could just call it, grab that, and use that sample to replicate your voice.
So the point is to show how easy it is to do this, and as an older person, I don't think you fully grasp that this is real unless you see it. So I do it in front of them.
Speaker 1 (58:04.942)
That's phenomenal. Yeah, that's, Kurtis, thank you so much for your time, sir. We really, genuinely appreciate it, for all you do. Great story. Excellent book. We will have links in the show notes to GroupSense, your socials, as well as a link to grab a copy of the book. I strongly recommend it. It's phenomenal. What's on the horizon for you? What are you doing next? Public speaking, you've got things going. I know you were out at
Black Hat or Def Con.
Yeah, we sold out of books at Black Hat. It was great. I'm just doing some, taking a little bit of time off, but I'm a big motorcycle guy, so I'm riding across the country on my motorcycle right now and doing book signings along the way. I'm going to be doing the CXO Forum next month in Atlantic City and doing a talk there and some book signings. So just trying to enjoy what's left of the summer.
Very cool.
Speaker 1 (58:59.822)
That's great. So there's not enough risk in your life. You're gonna get on a motorcycle and drive across... Hey, that's what I, so I don't ride them, plus my wife won't let me, because I would die if I did that. You're more skilled. So hey, thank you so much. We really
Like my dad.
Speaker 2 (59:16.43)
Thank you for having me. Nice to meet you, Dr. Sanchez.
Thank you.
Thank you guys.