The last time this guy called me, I ended up traveling across the United States four times hunting an allegedly CIA-trained con artist. He'd been skipping across the Caribbean with $3.5 million stolen through a less-than-honest law firm he ran. So yes, I was very excited when his callsign, "Triceratops," came blinking in on my Blackphone2. My journeys had landed me on the beaches of the Carolinas trying to get a foothold on a story. So in that regard, this call was bittersweet.
"Robo, I've got two games for you to play in if you're interested. One, I know, is not your cup of tea anymore. But I'm going to run it by you anyway." I knew it was bait. But I didn't anticipate what was in store for me next.
As it turns out, a law firm in Missouri fell victim (if that's what we are going to call it) to a relatively lowbrow ransomware attack. It seems that in the land of goons, there's a geek not far removed from any situation. In this particular one, the Managing Director of this law firm was taking Krav and self-defense lessons from a guy, who knew a guy, who knew me. Don't get confused. There is a guy who knows me, who knows another Marine Force Recon guy who worked with Triceratops on things overseas. This Marine called Triceratops on behalf of his personal training client. This client happened to be the Managing Partner of the law firm that got hit by ransomware.
Pay close attention to the proximity of "gangsta" about to take place. You come in contact with the tough-guy persona on a daily basis. And as a personal rule for anyone in the cyber operations, incident response, or crisis mitigation field: no matter how tough you are or how bad you think you are, there's always a bigger and badder dog out there. In this case, the criminals on the other side of this ransomware had the upper hand. But this lawyer had a dose of "tough talk," which I found comical. It's said, "It's not the gangsters that you should be worried about, but the ones trying to be one that you should pay attention to." Not having the mental cut, discipline, or rhythm of the streets makes you a ticking time bomb for anything in your proximity. That said, let us begin.
I gave the Managing Director a call to inquire about this ransomware circumstance. Immediately, I felt involuntarily subscribed to this man's rendition of an Ocean's 11 mental heist. Light introductions with tones and inferences of how he comes from a particular neck of the woods peppered the call. Mentions of how these "crooks" had no idea who they were (as he so eloquently put it) "fucking with," because of who he knew and the kind of people he represented. I allowed this to go on for about 15 minutes while wondering why I took Triceratops' bait.
"There has to be something he needs outta this guy to put me through this," I silently thought to myself, taking notes about the details of the ransomware situation. I sifted through all of this gentleman's machismo to get his IT phone number for the gist of the situation. As it turns out, he was hit with a Dharma variant, solid in its construct. No viable keys out there. The encryption is tight. And without going all techie here, your only options are to pay the ransom or restore from backup. There are other options which will not be discussed here, but they are hit or miss. After reviewing the ransom file and doing a bit more research on the nature of the infection, this story took a big turn even I didn't anticipate.
Twelve hours after our first conversation, the Managing Director (we will call him Sam) calls me. With little hesitation, he asks, "So what are we gonna do about this situation? I've been up all night thinking of ways to get at this guy. But I guess I should let the pro do what the pro does, huh?" Quite surprisingly, his tone was a bit more humbled. But I did note the undercurrent of sauce in his speech, almost mischievous even. Before I could reply, the truth of the situation started to reveal itself, as it does in most situations in life: the quieter you become, the louder the answers are (Kali Linux pun semi-intended).
"We tried to contact this hacker, and this fucker wants $15,000. There's no fucking way we are paying it. I'm so glad we got you to fix this for us." Much to my dismay, Sam was under the impression I had access to some special sauce that would unlock his files, and that I also maintained a superpower that would make all his power go away. To boot, his gangsta tone was more matured at this point. Typically, this is where I would interject with the usual crisis-manager communication protocol, riddled with disclaimers and the like, to create a certain level of discomfort and allow for an exit if the mission goes south. But I didn't; I smelled something on this guy, and I wanted to know what it was.
“You know what, Sam? Give me a few hours, and I should have something for you. I’m going to do what I do. And I need you to let me handle all of the communications from this point forward. If we can handle them amicably, I see no need to get things unnecessarily unsettled.”
The line went quiet. He seemed disappointed I didn't spew out some super-hacker techno mumbo jumbo about the RSA decrypter keys I had stashed from my days at (name the three-letter agency). But his reply was simple and calm: "Ok, bro, let's get 'em." (I hate "bro" from people who are not really in my circle.) Over lunch, I did my normal recon on the situation, evaluating the level of infection of his firm. Not only was it unsurprising that his entire law firm was using an outdated and EOL version of Windows 7, but there were NO protections on them at all. No antivirus, no firewall, no updates, no VPN, no network segmentation. (You know, where you separate your client networks from your servers, with access control lists in place to help prevent spreading network attacks, etc.) Yeah, none of that.
I allowed myself to put on my old white hat for just a second and inquire about the details of the SLA between his law firm and the IT Consulting firm. He stated they had been “very helpful” and “been with them since day 1,” but my mind digressed. I was already dealing with a very unique individual and didn’t want to pick at any scabs “this time.”
The conclusion was simple. All of this firm's Windows workstations and servers were wrapped in very tight encryption. Very few options presented themselves outside of soft-skill play. I opened up my Epic browser from within my Parrot OS virtual machine. I fired up my VPNs and my makeshift Anonabox and popped up my ProtonMail (because it's secure, lol). I took the ransomware note and did all the OSINT one could do on the email, the domain, the registrar, the ransom note, all of it in the past now. I decided to reach out to the person behind the ransom note. As it turns out, my "tough client" had already done some fuckery that I was not privy to. I'm going to keep this part to the point.
As it turns out, the client had already tried to negotiate, barter, and even with the client. The volume of tough talk sponsored by the actor behind the ransomware remains unseen in the screenshot above. He wondered if I were just another one of my client's "thugs" trying to hustle their way out of paying the ransom.
This made my life harder, as one can imagine. Working with two egos is never easy, especially once they've already been jousting with one another while trying to outplay the other. But what's interesting was that neither of them was as up to the fray as they made themselves out to be. The actor behind the ransomware was more naive than anyone could imagine. He'd allowed me to hold both decrypters on the "humble," which, for the uninitiated, means without any collateral, just my word. As for the lawyer, I think I've said enough about him. But in this game, favors are king. That's what this entire operation was.
For the life of me, I could not understand why Sam had selectively omitted parts of the conversation, especially the part where he tried to bully his data back from the ransomware actor. It's akin to when you're fighting a case and your legal representation asks you to give your side of the story, and you selectively omit the fact that you were at the scene of the crime, and that you were in possession of the firearm because you actually used it to commit the crime in question. Oghh.
This situation never works out for the best, even with the best intentions in mind. If you're going to go all gonzo, it's probably best you do it when it's not on your dime. Similar cases are charged by the hour. But in all honesty, I didn't take payment. Lines were crossed. And to be perfectly honest, it was more of a favor at this point. Taking money from Sam felt like a contract he would use again and again. It slowly dawned on me in my out-brief why Triceratops indicated I wouldn't like this case. He wasn't wrong.
In closing, we were able to negotiate the ransom down to $1,500, instead of the $15,000 initially asked for. Soft skills and dealing in the grey sometimes do a client good. But who knows what would have happened if things had gone sour. Don't play tough, and don't try to hustle a hustler.