We recently sat down for a candid chat with Rapid7’s chief scientist about cyber crime, ransom negotiations, and why cyber criminals cannot be trusted.
Cyber Daily: We get to talk to a lot of industry experts about specific criminal groups and how they operate, but today, I’d like to take a different tack and talk about the aftermath of something like a ransomware attack. We know Rapid7 is often at the pointy end of these incidents, so what does it look like on the ground?
Raj Samani: Here’s the thing: in almost every single environment, in almost every single case, the first question is: who can I blame for them getting into my environment? Why didn’t you pick it up? Why didn’t my antivirus work? Why didn’t the managed security partner?
The first thing is self-preservation.
Most companies ask: Shall we pay? Can we recover? Where is the data? What’s been stolen? How do I know what our rules are? Which company should we use?
I had the CEO of a multibillion-dollar conglomerate, and he said to me: “Well, I’m just going to pay – I just can’t let the data come out.” He asked: “How do I get bitcoin?” And I said: “Dude, are you seriously thinking of doing the negotiation yourself?”
He wanted to pay whatever it takes. And I told him his expectations were unreasonable.
Cyber Daily: So, what are the best practices when a company does enter into negotiations like these?
Raj Samani: Ironically, the advice that I would give, which is a bit of an oxymoron because I work for a technology company, is … it’s low-tech best practice.
The first thing companies should do is have a ransomware policy so you can make those decisions without the threat of a digital loaded gun against the forehead of your business. So, in other words, will you pay? Is there a company policy?
If the answer is unequivocally “No”, OK. If the answer is “These are the circumstances where we may consider it,” then the question becomes “What does your legal counsel think? Will there be scenarios in which you cannot do that?”
So, for example, if the threat actor is coming from a region in which there are export controls – can you legitimately do that? And then, can you validate whether you’ve done so? And then, of course, who are the experts that we will call upon in the event that this kind of thing happens? And so, you know, incident responders, negotiation firms, PR firms, crisis management firms.
Who’s the security vendor that you have, who’s your managed security partner, and what are the telephone numbers you’re going to call? Will the CEO be awake? These things need to be decided beforehand so that you’re not having to – I guess in the American analogy – play defence as well.
Cyber Daily: Is it best policy to get an external negotiator?
Raj Samani: Always.
People also need to consider: am I likely to get my data back? Am I likely to get a [decryption] key that actually works? This may be in the category of bleeding obvious, but criminals aren’t the most trustworthy people.
The best analogy I could use is: I’m pretty good at cyber security. I’m a pretty decent painter, too, but if you look at my house, I get the experts in to do the painting of the house because they do a really good job – I just can’t do it. I’m a smart guy, but I don’t really have the skill to do it, and it’s the same thing with anything in life.
If you go out and get people for whom this is their job, day in and day out, they can give you guidance, they can give you advice. They can give you the feasibility of whether you’ll get your data back. And, also, they can tell you if there’s a decryption key actually available already, so you don’t even need to pay. And all of that data and information is just there, with experts literally waiting for you to engage with them.
Cyber Daily: So, when that process does actually begin, how does it usually play out?
Raj Samani: Typically, with absolutely no remorse from the criminals.
There isn’t a typical process, I think, is probably the best way to put it. FunkSec, which is this new group that came up in 2024 – they’ve done 40 attacks since December 2024, some targeting Australia – they market themselves as a disrupter. But from their perspective, they’ll just say, “Pay us. If not, we don’t really care because we’ll just auction your data off to third-party criminals.”
We’re seeing a kind of change whereby they’re going to get paid no matter what. And if it’s you, great, and if it’s not you, somebody else will pay. It’s evolving and changing constantly. And I think that’s the scary part. We’re all bored of talking about ransomware, but we scan the attack surface of companies within a couple of blocks of our office in Melbourne, and people still aren’t getting the memo.
Cyber Daily: You say we’re all bored of ransomware, but the fact is, it’s not going anywhere. Just in Australia alone, my colleague and I sometimes cover a half dozen attacks in a week, and all the time, a lot of these victims, when we talk to them – because we talk to the victims after the case – in many instances, they’re utterly surprised. They wonder why they’ve been targeted by hackers.
Raj Samani: They’ve been targeted, but they’re not targeted – that’s the irony.
It is like they’re literally just driving; they’re just walking down the road. And there’s a bunch of buildings with open doors, security cameras switched off, and the guard is half asleep. And the hackers can just help themselves. That is literally the analogy that I would use.
The number of people that have said to me, “Well, I don’t worry about cyber security because I’m too small to be targeted,” and I tell them the most likely victim of ransomware is a company only clearing between 5 [and] 10 million US.
It is literally small- to medium-sized enterprises or businesses that are most likely to be hit.
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.