The World of Negotiating with Cybercriminals
If your favorite asset—money, car, jewels, art, data—were stolen and held for ransom, what would you do? Would you call the FBI?
What if this were such a common occurrence in our society that there were professional ransom negotiators for hire? Well, it turns out there are—at least when it comes to data theft.
As more and more computers have been held for ransom (when malware gets on a computer and locks it up until bitcoins are paid), the act of negotiating the ransom has become a serious business. This niche service evolved mostly from companies who were hired to retrieve data from computers or storage devices that failed—or when an angry employee tried to wipe data from a laptop and it had to be recovered.
At least that’s how one such company got involved in negotiating with cybercriminals.
“The ransom-negotiating part of the business started when people began sending us files which had been deliberately encrypted, where paying a ransom was the only option,” said Mark Congionti of Proven Data. “Our goal is to use negotiation tactics to reduce the cost. We help people get their data unencrypted and their operations up and running again.”
Proven Data also does a healthy business in data forensics for sensitive data like medical or financial records—to determine whether data was transferred out of an organization during a breach.
I reached out to Mark after speaking with one of Proven Data’s customers—a corporation whose IT personnel arrived one Tuesday to find their entire operation locked down by ransomware. The demand was for 30 bitcoins (about $240,000 at the time).
Proven Data looked at a sample of the code that was sent to them and was able to tell the company three things immediately:
- The encryption could not be broken (it used AES-256);
- Proven Data believed they could negotiate a lower sum (based on their experience with previous cases);
- The “signature” of the group who was likely behind it was fairly dependable, meaning they usually provided an unlock key once a ransom was paid.
This last point highlights one of the big challenges with any type of criminal: once a company is locked down, the hackers have all the power, and paying in bitcoin (which they insist upon) means there’s no way to recover the money if they don’t decrypt for you.
In this instance, Proven Data was able to settle with the hackers for $60,000, and the decryption keys were received.
Two cautionary notes: first, depending upon several factors, it can take days or even weeks to fully decrypt and get the company operational again. Second, as Mark said, “We have discovered things get much more difficult for us if the victims try negotiating with hackers before they get us involved.”
He explained why this was true.
“If the victims try to be clever and send important files to be decrypted (as proof that the hackers are capable of decryption), cybercriminals may get angry and raise the ransom. Or, any indication that clients are thinking of paying the full ransom without question, that’s an issue too, obviously.”
This makes sense: if your Picasso was stolen, the hackers asked for $100K, and your response was “is it okay to pay in large bills?”, the master negotiator you bring in afterward would not be well received.
I asked Mark if they work with the FBI. “Proven Data cooperates completely with the FBI for any requests related to ransomware,” he said.
When the Feds Get Involved in Cybercrimes
The feds only come calling when a report has been filed by the victim, which happens in less than 5% of cases. This, of course, makes sense to everyone in the cybersecurity field, because telling anyone you were breached puts a big target on your back in multiple ways.
Speaking of which, do hackers ever go back for more money from the same victim a few months later?
“From what we’ve seen, not very often,” Mark said. “But we also try to help customers by providing a list of things they can do to protect themselves better. The answer is layered security, because there’s no one thing that can keep any company safe.”
As a last comment on negotiations, Mark said, “There’s only so much you can do when the hacker on the other side is extremely unpleasant to deal with. We’ve seen hackers raise the ransom after they agreed to a negotiated price, and they can also disappear with the money once they’ve been paid.” In these instances, Proven Data does not accept a service fee.
An IT guy who works for one of Proven Data’s customers voiced some suspicion to me about the whole idea of negotiating with hackers. “It seems like a shady business,” he said dubiously. “I mean, how did they make that negotiation work? Seems they might know the guys involved.”
This reminded me of my early days in cybersecurity, when the occasional doubter would suggest that anti-virus companies were surely cooking up malware in the back room just to build demand for their products.
It’s easy to see how that would make (unethical) business sense, except that it was entirely unnecessary. The idea isn’t very different from accusing firemen of starting fires to keep themselves in a job. From the inside of our cyber-intelligence companies looking out, we saw new malware cropping up all the time. We also paid attention as our analysts deciphered the code and watched as attacks grew more sophisticated; but an outsider who had only rarely experienced a virus didn’t have the same perspective.
Mark acknowledged that they experience similar skepticism in their business. “It’s all about perspective, and ransomware is so heavily underreported that clients can be dubious at first about trusting a company who has extensive experience with ransomware,” he said.
But I couldn’t help asking if they get to know any of the criminals personally.
He laughed at the idea. “Definitely not. In fact, we do everything we can to remain anonymous and we only interact with these actors when we must…we aren’t interested in becoming targets ourselves. Most negotiations are done through anonymous email.”
They are smart to be cautious when working with what has increasingly become global organized crime. Of course, ideally we avoid this scenario altogether.
- It’s critical to have backups of your most valuable data OFF THE NETWORK. Ransomware has been able to encrypt backups that sit on the same network for years now. Use USB, cloud, or hard drive storage (for cloud, they recommend Carbonite).
- If you suspect your system has been compromised but you haven’t seen the ransomware note yet, immediately disconnect the device from Wi-Fi and the network. This should limit the damage if the encryption process has not yet completed.
- Motivate employees to follow security policies, since 90% of breaches start because of employee errors. The best way to do this is on-site, hands-on training.
- Encourage employees to start using password manager applications so they can keep track of unique passwords for every site and application.
One last note of caution for businesses. In 2019, Proven Data saw a significant increase in RDP-targeted attacks, higher ransoms, attacks on municipalities, and social engineering against larger organizations.
Ultimately, cybercriminals are making too much money to stop, so take precautions and be sure your BC/DR (Business Continuity/Disaster Recovery) plans are up to date.
-Cynthia James, Product Management