The Cybersecurity Podcast
Welcome to The Cybersecurity Podcast by EC-Council, where those shaping the future of cybersecurity take the center stage.
Created to raise awareness & spark meaningful dialogue about cybersecurity, this podcast dives into the stories, behaviors, and first-hand experiences that shape our digital world.
Hosted by EC-Council Group President Jay Bavisi, each episode unpacks not just what’s happening in cybersecurity, but why it matters to all of us.
From ethical hacking to social engineering, cyber policy to personal journeys, this podcast brings together leaders, practitioners, and individuals shaping the industry for conversations that are bold, insightful, & impossible to ignore.
Get fresh and exclusive perspectives, insights, and stories straight from the experts shaping cybersecurity today.
Whether you're a practitioner, a policymaker, or just cyber-curious, this is your front-row seat to real talk from those on the frontlines.
The Business of Ransomware: How Attacks Are Planned and Negotiated - Part 2
What really unfolds once a ransomware attack hits?
In this episode of The Cybersecurity podcast by EC-Council, host Jay Bavisi sits down with Kurtis Minder — a ransomware negotiator and cyber intelligence specialist who operates inside the ransomware underground.
With years of experience observing, engaging, and negotiating with ransomware groups, building human intelligence networks, and guiding organizations through active attacks, Kurtis reveals how ransomware truly works.
This episode explores:
- How ransomware gangs are organized and why they run like companies
- What real ransom negotiations sound like behind closed doors
- Why these talks often last weeks instead of hours
- How automation and AI are reshaping ransomware campaigns
- What happens when double extortion and data leaks come into play
You’ll also hear stories from Kurtis’s earliest negotiations, incidents that went off track, and why understanding attacker psychology is essential to defending against cybercrime.
This episode delivers an insider’s view of ransomware, built on real-world incidents, hard decisions, and the realities organizations face under pressure.
So take us through um an organization that gets ransomware, right? Um and you get a call. I assume it's probably the attorney or I doubt it'll be the PR agency. I I surely hope is the attorney that calls you, right? Or the CSO. Cyber insurance sometimes is sometimes cyber insurance that they call you and say, okay, look, uh, help us out here, right? What typically transpires? I mean, you can't just go in and say, all right, you know, give me the browser and I'm I'm ready, right?
SPEAKER_01: Well, there's some I this Thomas, I'm glad you asked that because this gets overlooked a lot. There's a lot of sort of complex and sometimes subjective and emotional decisions that need to be made before we ever even communicate with the bad guy. You know, making the decision to communicate with the threat actor is a big decision. It especially you I mentioned, you know, some of these groups are quite large. They may have a hundred victims at a time, right? So they've they they've pushed the button, the software's done its thing and left the ransom note. And this this attack that just happened to you as a victim is the most important thing in your life right now. It isn't to them, right? They don't they've got the 99 other victims. And so in that case, if you if you're if you look at the sort of the decisions to on whether to negotiate or not, those involve is it against my values to pay a ransom actor? And that's a big one for me. Um and we can talk about that if you want later, but um, is is it against the law? There's there are things that make it illegal. It's not typically illegal, but there are in scenarios where that's true. Um is uh do we have is is this threat actor, based on the intel we have, going to ask us for an amount of money that we know we'll never be able to pay? Because if you get to the conclusion that it's unlikely that we're going to get to a number that's that's gonna end up in a transaction and a solving of the case, you might not want to raise your hand.
unknown: Right?
SPEAKER_01: You might not want to show up on their radar. It's one of the things they do with the double extortion is they threaten, you know, they lock your files, but they threaten to dump the data they've taken. And there's been multiple cases where we we decide, okay, we're just going to restore from backup and we're not going to say a thing.
SPEAKER_00: Just leave it. Just leave it. Because that's if you have backup, but there are many cases where the backups get encrypted too. No, they're good at that. Right? Yeah. And that's the problem, right? You have an S and then that's gone. Yep.
SPEAKER_01: Right? Yep. But let's say you you you do have some way to recover the systems, you may decide not to not to engage at all. And so part of the first things I do is helping a client get through all of those decisions. And before we talk, before we even talk to the bad guy. Because once you say, Hey, I got your ransom note, you're like, Bing, you're on the radar, right? All right. Money, money. Yep, they're not gonna go away now. They're gonna you they're gonna pay attention, right?
SPEAKER_00: Wow. So let's talk a little bit about that, right? About paying a ransomware. All this while that we've been talking to you know to each other, uh, uh, we are almost determining that paying a ransomware is the way to go, right? But then that raises a lot of ethical issues because you're gonna fuel the industry even more. The more ransom notes are being paid, the more the criminal gangs are gonna get empowered. Right. At the same time, there are also legal ramifications, right? Um, so should companies pay a ransom note?
SPEAKER_01: I get asked, that's one of the questions I get asked, you know, by the victims. You know, is should we pay? And the answer is I don't know. I mean, that's a very complex decision that they need to make. It's a business decision, it's a values decision, like you said. Um the the situation, like you mentioned, the situation some of these businesses are in, especially if the bad guys have also disrupted the backups, is it is pay a ransom or go out of business. Right. So that that puts them in a pretty tough spot.
SPEAKER_00: That puts you actually in a pretty clear spot. Yeah. Right. Uh because the in in that circumstance, you just don't have a chance. You you you just have to pay or or just perish.
SPEAKER_01: Right. But I do agree, and I, you know, I don't want to pay these folks either. Um the that you know, we we are perpetrating the problem if we pay. Um, but we may also be saving lives if it's a hospital, we may be saving people's, you know, thousands of people's jobs. That's an that's an economic impact. So there's there's pros and cons. Um but it's and we are seeing now more and more companies walk away from you know the table and and not pay. But the but a lot of these people are in this sort of, they've got two choices. And one of the things that I have been you know sort of hammering on publicly, and you know, I've I've testified to committees in Congress and stuff on this, and that is, you know, maybe maybe our best bet is to give these victims another option, a third option. And and help them with the prevention. Because I also I also believe in this concept of the cyber poverty line. I don't want to go down a rabbit hole with that, but some of these companies just can't technology is absolutely fundamental to every s every business and everyone's lives. But to expect you, for example, to understand and mitigate the risks associated with everything that's inside that tablet is ridiculous. That's ridiculous to expect you to understand all that. Right. And so I feel the same way about some of these businesses. They they really are just not gonna, it's not a fair fight. And um, you know, I've I've been pro you know, the then there's this debate on whether the government should make these illegal. Well, keep in mind that all of this stuff is being done over, you know, unattributable Tor, you know, dark web communications and the transactions over at least anonymous, it's not not untraceable, anonymous cryptocurrency. Those, those, those payments are gonna get made anyway.
unknown: Right.
SPEAKER_01: In the in the situations where somebody's gonna go out of business or or pay a ransom, if you made it illegal, it's gonna get paid. You're just not gonna know about it. And as the government, right? So I I feel that you know diving in and helping companies mitigate and and you know, sort of sort of defend uh, but then also recover would be there's there's probably a logical ROI for the government to do that.
SPEAKER_00: So, you know, I I was gonna ask you a little bit about cryptocurrency in a second, but let's let's let's deal with that now. Yeah, and then I'll come back to ransomware for a second, right? The only reason, in my opinion, and I I this might be an unpopular statement, the only reason why ransomware exists is because you have cryptocurrency. You have untraceable method. If there's no cryptocurrency, how are you gonna pay the ransom? Yeah, it's all traceable. Yeah. Well, would you not agree?
SPEAKER_01: It it existed, versions of this existed well before cryptocurrency, but you're right, it it didn't have the scale that this had. I mean, you know, the early versions of this, maybe going back even to like late 80s, there were versions where you might get a three and a quarter floppy in the mail, right? Or a three and a half floppy or whatever in the mail, and you you put it in and it locks your machine and it gives you a little note and says, send, you know, a money gram to this address, and then they'll they'll give you the key or whatever. Right. Um, you know, what what made ransomware as pervasive as it is is uh the dark web marketplaces that came the and that started to really become popular about the same time that cryptocurrency came out, and then cryptocurrency and the way that everything is connected, those three things, you know, and then you know, COVID and remote work sort of just sprinkled a little spice on there for them, you know, because everybody quickly moved to remote work and didn't necessarily lock it down properly. And that's when we really saw it take off.
SPEAKER_00: So then if that's the case to control ransomware, all the government's gotta do is just clamp down on cryptocurrency, and there you go. You know, I would say 99% of the problems gonna go away.
SPEAKER_01: Yeah, also billions and billions of dollars of investment on the cryptocurrency side. But and also cryptocurrency is a decentralized system. So that's extremely difficult to do, to to clamp down on.
SPEAKER_00: Fair enough. Tell me when, let's get back to ransomware again. Um, out of all of the negotiations you've done, when was the appointment realize, uh-oh, this is not gonna go well?
SPEAKER_01: I mean, that happens pretty frequently. Now keep in mind, by the way, I'm not the only person at GroupSense that does these. There's there's we have a team that we've trained up. Um, I get usually pulled into the more stressful ones, and I do get pulled into ones where it is taking, you know, a turn that doesn't seem good or has like what we would refer to as sort of a log jam. Um, it it does happen pretty frequently where you know the the bad guys are unreasonable or they're they're not coming off of their number, and and the company truly can't afford it, and they the bad guys have somehow their their information about what the company can afford is is wrong, is incorrect. And what by the way, where they get this information, because we ask, right? We ask, like, okay, well, you you're asking for four million. Why? You know, where'd you get that number from? Because it like you can just ask for any number you want, but if we don't have the money, we don't have the money. So you're asking for you know this crazy number that you you should know we don't have. Well, they they'll give they'll typically answer um and they'll sometimes just paste it in the window. They use business intelligence tools, they'll they'll use ZoomInfo, right? So they'll paste in a ZoomInfo article about your company that shows top line revenue, you know. And and so in you know, those cases, we sometimes have to give them a kind of an impromptu business class. Like, yeah, oh yeah, our top line revenue is four million, our margin is two percent. You know, so and they don't know what that means. Like they're they're not business people, so I have to explain to them, like, hey, look, we make tires, there's like this much of money left over, um, that sort of thing. Yeah.
SPEAKER_00: Wow. Yeah. That's uh that that's amazing. Are these gangs? Uh you said they have a playbook, you say they run just like organizations, in your opinion, and but they're all run by humans. Do they have human sentiments? Like when they get a corporate victim, do they feel like, oh my god, it's a hospital, you know. You know what? This is a bad thing. You know, the kids there might be affected, people might die. You know what? I'm sorry.
SPEAKER_02: Yeah.
SPEAKER_00: Do they have a change of heart or are they like, I'm sorry, it's a business, I don't care what you do, just pay me.
SPEAKER_01: Yeah. Yeah. I mean, some of them do. And some some of the organizations have made rules, you know, around that that we're not going to hurt, you know, critical infrastructure or or hospitals. Some of them are a little more ruthless. Also, they're they're not, you know, they're individuals involved as well. And so, for example, John DiMaggio, I mentioned earlier, he's doing a talk tomorrow at DEF CON about one of the REvil gang members that he's been interrogating and has gotten to know. And in that story, he's because I've got to preview it for him. Um, that guy has a couple of incidents like you talked about, where he's like, hey, this is not okay. This is not an okay way for me to make money. I'm harming people. So they're they're individuals. Um, but you know, in in most cases, they're either afraid to, it's a gang, right? There is some it it's they behave like a company, but they in some ways it's still a gang. They could get harmed. Um, and the there is a lot of money uh at stake for these people. So in in a place where they may not have you know the the means that we have or the opportunities that we have. So it's i it's hard for them, but I I I want to give one story if you if I can. So we uh example of what you were talking about was um uh it was a cancer charity that did um breast cancer screenings. And uh it was a nonprofit and uh the bad guys uh locked them down, uh all their operations stopped, and we were pulled in, and the bad guys were asking for two million dollars. And they had you know donations in the range of of that. And I wasn't the lead negotiator, one of my colleagues was, and and uh he said, Hey guys, this is this is not okay. You know, these these guys are uh you know helping prevent breast cancer to underprivileged people. And yeah, they they get donations in this this range, but that money it's not sitting in a bank account somewhere.
This is this is being used to send vans out and to pay people to do these screenings and and the equipment and the radiology and all this other stuff. And the bad guy said, Okay, uh, what do you think of fair prices? And some of my guys are like, well, zero zero dollars is a fair price. Just give us the decryptor. And uh this just speaks to the business nature because they say they said, Okay, well, our cost of goods is five thousand dollars. It costs us five thousand dollars to get access to that organization, so pay us five thousand dollars, we'll give you the key back.
SPEAKER_00: Wow.
SPEAKER_01: And and it worked, but it also speaks to the business nature. It's like, okay, so we're we're hurting people, I get it, but we've spent $5,000, we need that money back. And it's likely that they spent it with like an initial access broker or something like that. That's somebody who breaks in and then sells that access to someone else. Yeah.
SPEAKER_00: Right. Yeah. So let's talk a little bit about the initial access broker, right? These are people that actually uh find vulnerabilities in systems, uh, but don't have either a means or the desire to go out and do the ransom and they then sell the access to say, here's the key, right? Is that uh a highly uh popular market? Is this something that is being done a lot?
SPEAKER_01: Very much, yeah. And it and it also, you know, we talked about what's making ransomware more and more pervasive. Those technologies certainly are, but the fact that you've got these ransomware as a service platforms and you've got initial access brokers, the sophistication it would require for the average person to carry out an actual attack is quite low.
unknown: Right?
SPEAKER_01: You can buy the access, so you don't have to be a hacker. You have you have to basically have to know how to use Tor. So if you know how to use Tor and you know how to make a cryptocurrency payment, you just need to buy the access and then point the ransomware as a service platform at the access and hit a button.
SPEAKER_00: So why would ransomware as a service access uh owners not just do it themselves? Why even create a business model?
SPEAKER_01: I mean it's scale, it's just scale, yeah. It's like a franchise.
SPEAKER_00: And they earn a percentage of it?
SPEAKER_01: They take a percentage off the top, yep.
SPEAKER_00: So everyone do your own negotiations in whatever language, and I'll just take a percentage and I'm just gonna be the for the platform itself. Yeah, I'm gonna be the entire platform. Yeah, fantastic. So, so uh Kurtis, what's what's the single most uh underestimated skill in negotiating with cyber criminals?
SPEAKER_01: I mean it's uh skills kind of a tricky way to describe it, but there I think uh empathy is it's it's more of a a trait than a skill, I guess, because it's hard to tra you can't train someone in empathy, which is why it's hard to hire and and scale an organization that does this work. It's very difficult to find people who have the right sort of um emotional intelligence to do it. But and when I say empathy, I'm not saying sympathy, like you don't have to sympathize with the bad guys, but being able to understand their why, you know, and maybe how they're like maybe at least have a bit of a lens uh from their side as to their worldview is super critical.
SPEAKER_00: That's yeah, that's interesting. Let's talk about your book. Okay, you wrote a book, How to Stop Ransomware. Yeah, so how do you stop ransomware?
SPEAKER_01: The the book isn't really saying how to stop it as much as it it takes uh at least parts of the book take all of the lessons that we get from all of these cases. And we we do get, by the way, the bad guys when we pay them, or when when we help you know facilitate the payment, that we get the decryptor. Uh we'll we'll get you know uh a deletion file log of them deleting the data, but don't don't assume they actually did that.
SPEAKER_00: Because they backed up somewhere else.
SPEAKER_01: Yeah, storage is cheap. So yeah, um, we'll we'll often get a some kind of promise that they won't attack again. But one of the other things we often get is a report on how they gained access. And some of these guys will will you know be very flippant about it. They'll be like, oh, you use stupid passwords. But some of them give us an actual report. Now it's not like PwC quality, right? But they'll say, hey, you know, we bought this access from this initial access broker and we ran Mimikatz on your domain controller, and we that got us access to this credentials, which we then pivoted using Cobalt Strike to do that. Like they'll just map out how they did the thing. And so we've taken all of that. So the sort of the incident response reports, the reports from the bad guys, and we've distilled it down into some you know best practices that if every company just did these, you know, half a dozen things, it would reduce their risk significantly. And I've I've really, you know, tried to there's a whole chapter on that in the book where I try to explain, you know, two main things. If you do these things, the likelihood of your attack goes down. Um, but you should also prepare for an attack. So that's the other part of the book is uh what is your response plan and do you practice it? And do you know does it work?
SPEAKER_00: So if a company does not have a response plan, yeah. I mean, I mean, with this, think about it. I mean, just forget North America, look at the entire world, right? It is the the CISOs and the cybersecurity sophistication and the tool span is all down in very large corporations. Right. But is the is the mid-sized firms and the small and medium businesses that generally don't have cybersecurity, and sadly that's where the economy most is the backbone, it's the backbone of the economy. That's the backbone. Yeah. And that's where the largest amount of vulnerability exists. So if someone did not have a playbook, right, and they're listening to this podcast right now and they're talking to Kurtis Minder and the the expert in this, what should they do? What would their plan be?
SPEAKER_01: You know, at least in the US, and I'm I'm guessing this is uh you know accessible globally, CISA um has a has a pretty good template, and it also has basically very similar, you know, sort of uh instructions that I have in the book on those basic tools to protect yourself. So that's a that's a place to start is is just going to someplace like CISA who've who've seen the same like volume of attacks I have and come to the same conclusions, right? If you do a few things, you're gonna defend yourself better and you should plan for an attack inevitable anyway, right? And and have something in place.
SPEAKER_00: What are the top three things that small businesses should do to prevent a ransomware?
SPEAKER_01: Uh I believe that, well, it's pretty well known. If you read the DBIR, the the Verizon DBIR report, for example, the password reuse is like one of the biggest issues, right? So just don't do that. Use password managers, uh, multi-factor authentication. I mean, how many times we have to talk about that? Just turn it on on everything you possibly can. Um, and then you know, the the other way the bad guy's gonna, so it's it's password reuse uh and credential stuffing, and they just log in. The bad, by the way, the bad part about that from a technical perspective is just logging into an organization doesn't set off your intrusion detection system, does it? Right. That's the normal behavior. So you they they get in unnoticed. Um and then you'll the last part is just uh the social engineering aspects where they trick people. So the the I think if you if you do uh credential management better um and and sort of password management better, you do multi-factor authentication on all the systems, and you do user awareness training, you is gonna go a long way. A long way.
SPEAKER_00: So let's talk about senior executives of large corporations, right? You said you did tabletop exercises. Um what what are the mistakes that have been done in tabletop exercises? Because a lot of people do tabletop exercises, but they're not all the same, right?
SPEAKER_02: Yeah.
SPEAKER_00: What are the common flaws of tabletop exercises that you know render it a waste of time and money?
SPEAKER_01: Oh man, so many. We could do a whole podcast on that. You should do that. Yeah. So first, a lot of I've seen I've sat in on uh the tabletop exercises done by by other companies, some of the larger brands. They get the scenarios wrong uh right off the bat. So, for example, when we were talking earlier about this decision on whether to talk to the bad guy or not, that may be one of the most pivotal decisions in your response altogether, right? And and when you get attacked, this is important for everybody to understand the ransom notes, they it says a bunch of stuff, but what it doesn't say is the amount. So you're making a decision on whether to engage the bad guy, you don't even know what they're asking. Now, I when I talked about it earlier, I said you might have intelligence about what they typically ask, right? So they might you might know that Akira asks for 5% of total revenue based on whatever Google says you have, but you you don't know what they're actually going to ask for until you talk to them. And so one of the things that I've seen in some of these other tabletops over and over again, to the point that I've called some of the people in these firms and said, stop doing that, um, is they they put the amount in the ransom note. I've never had a ransom note that has uh in six years. I've never had a ransom note that has the amount in it.
SPEAKER_00: So they'll just say it's locked if you if you want something contact.
SPEAKER_01: They start the scenario uh completely in an unrealistic fashion. So right off the bat, you're not even in a real scenario. You know how much they were already asked for, all these things that you skip a decision that's really important. Um, they they don't uh here's a here's an operational thing that they do wrong. They don't have a scribe. So there's nobody in the room writing down what needs to be fixed. So they it's like almost like they're they're playing a game and the game is over and they go on another, you didn't fix anything. Um and so having someone there that their sole purpose is to document what is missing, or somebody says they don't know who owns that system or how we get access to that thing, or who who the backup for this person is, that all has to be documented and then followed up on to improve the plan. Um, and then there's a lack of focus on uh communication, which if I was gonna pick, you know, maybe I'm jumping ahead. Um you imagine you might be asking something like this, but if I was gonna talk about what the biggest like mistakes in the actual response work is, and that's it, like communication is one of the number one uh areas that companies screw up.
SPEAKER_00: And can you give us an example?
SPEAKER_01: So the best the I think the best way to describe this is what this this incident is going to get out. People are gonna learn about it. They're either gonna learn about it from the media eventually, um, or uh they're they're gonna feel the impact of it and start making assumptions about it if they're your business partner or employee or whatever. And that eventually this is all gonna be over, hopefully, and and you're gonna be back in business. Um that period after the attack, you you're gonna need a tremendous amount of uh sort of goodwill from your community. And the quickest way to squander that is to make them think that you misled them intentionally. So being as transparent as you can with your constituents, your employees, your your business partners in the in the in the general community around you, without making it, you don't have to speculate. I always say like be as transparent as you can be within your knowledge boundary. Um that that gets screwed up a lot. And that's how you end up in a class action lawsuit. That's how you end up in court.
SPEAKER_00: But the but but the problem is, I mean, I just want to challenge you a little bit. The problem is sometimes you're trying to be transparent, but you don't have all the facts, number one.
SPEAKER_01: That's why I say don't speculate. Right?
SPEAKER_00: And your and your community wants the information now, now, now, and you're like, you know, the standard uh uh you know comment will be uh, you know, we we we receive uh you know, we have been compromised and we are investigating. And then it goes on for a week or two and everyone starts writing and say, Yeah, what are you investigating, right? Uh, why is it so long? Well, it takes time because the organization is large, there's so much to find out the legal ramifications, uh, you know, and that's when companies make blunders and they start you know uh saying things out. So saying too much is a problem, not saying anything is it's it's a problem. But you're right. I mean, being transparent is uh it's a very important uh uh element to it. But sometimes, even though you're transparent, it's not enough.
SPEAKER_01: Well, I mean, I I'm I'm a big fan of stoicism. Uh you can't control how those people are gonna react. But you can try to do the right thing. And and and hopefully, especially these larger firms, they have some some guidance from their law firm and some crisis PR people on how to keep a heartbeat of information to make sure people know, hey, we're we're not ignoring you, but we we are we're dealing with something right here, you know. And so there's a way to do it. Um, and if you don't plan for it, if you're on your heels, uh during the incident is not the time to plan what you're gonna say. So all this stuff needs to be done in advance and discussed in advance, you know.
SPEAKER_00: So let's talk one final thing and then we'll move off from uh that's so much to talk about, right?
SPEAKER_01: Sure.
SPEAKER_00: Um when you finally do get your data decrypted, and they say, I swear, I take the oath that I'm not going to you know uh uh put out your information out there or sell it to another criminal gang, or yes, you know, I've told you everything I know how I got in, although I know you might have 20 other pots that are open, right? Companies take this up from your experience. Do companies actually make disclosures or are there some that say, just guys, we got back, no one knows about it, it's not in the press, just keep your mouth shut and just move on. You probably signed confidentiality agreements before you get on.
SPEAKER_02: Yeah.
SPEAKER_00: So, you know, out of 10 cases that you do, how many of them actually go out and make a disclosure and say, look, I want to be transparent?
SPEAKER_01: Most of them do. And most of the well, keep in mind also, a lot of our cases are fairly large companies. It's it's difficult for them to sweep that under the rug. So they a lot of them are making the disclosures. Have we had cases where they've done the other one? Yeah, but it's usually more in the mid-market side.
SPEAKER_00: Right. Yeah. Have you seen cases where ransomware is paid and then the decryptor key is not provided back?
SPEAKER_01: And then I haven't had one where they did not give us a decryption. So there's two two ways that that has gone, you know, taking a left turn. And one is there are groups that we call string alongs. Uh I'm sure there's another name for it, but we call them string alongs. They will decrypt or they will encrypt the data with different keys. Multiple more than one. So you you negotiate, negotiate, and they give you a key and it encrypts one domain controller. They're like, hey, it's not working on these others. Oh, that's that's a different one. That costs different.
SPEAKER_00: And do they negotiate that all upfront?
SPEAKER_01: No, they don't tell you that there's multiple keys. And but you can with a good incident response firm, they're gonna be able to tell you that. And so that's one of the things that you need to make sure that your incident response, one of the things they need to be looking at is is this being encrypted with a single key across all the data sets? Um, now, of course, they only get away with that once, and then they get a reputation, right? So we know which groups do that, and we we warn the clients like, hey, this is something we need to look at and make sure we negotiate for all the keys at once. Um, the other way is the decryptor software is junk. So they give it to you, it just it's really crappy. And so it can be crappy in a lot of ways. It can it can crash or it can not, you know, it it just doesn't work sometimes. And to most of their credit, the group's credit, they'll give you some tech support and try to help you with that. The worst cases are where it works fine, it's just really slow. Like really slow.
SPEAKER_00: Is that deliberate?
SPEAKER_01: I don't think so. I just think they're not great at then they have no, there's no incentive for them to be great at the decryptor, right? Like that's just uh, you know, yeah. So they just write crappy software.
unknown: Wow.
SPEAKER_00: And who makes these payments, these ransomware payments? Because they're all in I I assume Bitcoin.
SPEAKER_01: Not all, but I'd say most still is Bitcoin. They do they use other privacy tokens like Monero, Zcash, stuff like that.
SPEAKER_00: But so okay, they call you, you negotiate, they agree to 10%. Everyone said a great job, God is you know, this is amazing. All right, who pays? Insurance company, lawyers, you? Who makes the actual crypto payment? Who who actually makes the actual actual crypto payment? Yeah.
SPEAKER_01: Um, so that's usually done with a some crypto broker that you're you're you're giving them fiat capital, they're converting it into the cryptocurrency, and then you're they're they're gonna make the payment on your behalf. Um, some of those brokers, we have you know, we know a bunch of them, will front the bill and send you an invoice so you don't have to transfer a large amount of money.
SPEAKER_00: It could be $10 million. Yeah, no problem.
SPEAKER_01: I don't think any of them will pay $10 million, but I I do know some that will pay up to two up front. So they have that much in their crypto reserve.
SPEAKER_00: Because you're a public company, so they're like, all right, no problem. I'll invoice two.
SPEAKER_01: Yeah. And I I think that's important to understand too, is part of the response process is that if let's say you decide you're going to pay, the the financial logistics part of that process needs to also be, you know, operating in parallel to the to the negotiation and the and the incident response. Because if we're talking about millions of dollars, it may be non-trivial for you to transfer that money out of your bank to a crypto broker. Not because it's illegal necessarily, but you're I I found more and more banks have policies against it. Like, oh, we're we can do 50 grand a day.
SPEAKER_00: Well, no, I'm on the I'm on the hour.
SPEAKER_01: That's gonna take a while, yeah. So so you need to know this stuff in advance. You need to know your bank's policies in advance and have a plan and and a partner that'll help you do it. And so we, you know, for the most companies don't have a crypto broker on hand, some do. Um, we will help them select one and start that process as well.
SPEAKER_00: Well, that's that's really um that's really amazing. Thank you, Kurtis, for such an insightful conversation. I truly enjoyed it. That was Kurtis Minder, author, hacker, hunter, negotiator, cyber defender. If that conversation did not scare you, it should have at least armed you. If you like that conversation, don't forget to like and subscribe to EC-Council's YouTube channel, the Cybersecurity Podcast. This is where we bring some of the sharpest minds in cybersecurity and to bring you hard facts completely unfiltered. Until then, this is JBC checking out. Thank you for listening.