Kurtis Minder has spent the past year negotiating six-figure ransom demands from gangs of ruthless criminals.
Not for the safe return of kidnap victims, but for the release of valuable data that is being held hostage by hackers.
Ransomware attacks, which see hackers lock up data or computer systems until they are paid off, have been one of the biggest cyber security headaches for the private and public sectors in the past year.
Gangs of ransomware hackers made more than $350m in 2020, a 311 per cent jump on the previous year, according to the blockchain analytics company Chainalysis, which tracks payments to known ransomware wallets. The true figure is likely to be far higher, given that many victims never disclose that they were attacked and paid. Some analysts estimate that the cost to businesses from the disruption is now as high as $20bn a year.
In response, an industry of negotiators has sprung up to help the thousands of companies, schools, local authorities and even hospitals navigate the aftermath of a crippling attack. Minder said his cyber intelligence company, GroupSense, started offering negotiation services, for $350 an hour, after requests from desperate clients.
“You have to approach [the negotiation] mechanically and effectively as a transaction,” he said, adding that there was little point in hurling invectives at the hackers. “We don’t need to tell the threat actor that they’re a bad person,” he said, with a laugh. “They know that. It does not help us achieve our goal.”
The FBI discourages paying ransoms, arguing that it does not guarantee that data will be released, and that it incentivises hackers to continue. But most organisations feel they have little choice.
The aim for Minder is to try to haggle down the ransom demands “as low as possible as quickly as possible” and then handle the payment of any funds, often in cryptocurrencies.
And it also requires some soft skills. “The second part of my job that does not get talked about much is counselling companies that are very, very angry or small businesses where it’s very emotional for them,” he said.
Ransomware attacks have boomed during the pandemic, as a transition to remote working left businesses more vulnerable to hackers.
It has also become an industry in its own right, as teams of hackers offer “ransomware-as-a-service”, renting out their malware and intrusion tooling to affiliates who may lack the coding ability to build their own.
“On the ransomware operator side, it’s so profitable that there’s literally customer service capabilities,” Chris Krebs, the former head of the US Cybersecurity and Infrastructure Security Agency, told the Financial Times in a recent interview.
“They sit over there and they take a payout, and they go hire another 10 developers . . . It’s a service. They run profits.”
Andrei Barysevich, chief executive of Gemini Advisory, which also offers negotiation services, said ransomware was “the hottest business for criminals right now” and so there was a “lucrative market” for the best negotiators. He boasted that his group typically managed to reduce ransoms by 25-35 per cent when negotiations were successful.
Gemini, Arete Advisors and Coveware are among the dozen or so boutique negotiation outfits, many of which also sell threat intelligence on a subscription basis. But there are also in-house teams at cyber insurance groups, such as Coalition, and larger cyber security groups are developing negotiation expertise as part of their overall offering.
Some negotiators have backgrounds in hostage negotiation or military intelligence; others have technical cyber security backgrounds.
Either way, they must be prepared to deal with increasingly slick hackers. Some attackers will initiate the process through their own websites or instant chat windows, and some set up automatic countdown timers that begin when a victim reads a ransom message.
A starting figure is not plucked out of thin air. Once inside a company’s systems, hackers tend to scour through financial data, emails or cyber insurance policies to come up with a demand, according to Vincent LaRocca, chief executive of CyberSecOp, who claims his consultancy can reduce a ransom by 40-50 per cent on average.
“Sometimes they know how much that customer is losing per day by not being able to operate,” LaRocca said.
Meanwhile, many hacking gangs have also shifted from merely holding encrypted data hostage to also threatening to publicly leak stolen information, known as “double extortion”. In late 2020 certain attackers also started crashing their victims’ public websites as additional leverage.
Negotiators are tight-lipped about effective tactics, wary of showing their hand to criminals. Some pose as the victim so as to avoid being profiled themselves; others make clear they are hired third parties as a demonstration of seriousness.
But one common first step is to see if any data can be recovered from backups — which in itself can play into the negotiation. “You try to drag the negotiations out so that you can figure out if you can recover or not,” said Eric Friedberg, co-president of the cyber security group Stroz Friedberg, which is owned by the insurer Aon.
Bret Padres, who was the chief executive of the incident response firm The Crypsis Group until it was bought recently by Palo Alto Networks, describes negotiating a $1m ransom demanded of a manufacturing company down to $400,000 by making clear that if the criminals wanted money fast, they would have to accept less.
“We let them know we can’t get that much money that quickly,” said Padres, currently a group vice-president at Palo Alto’s Cortex Security Services.
Many negotiators have assembled their own dossiers on the ransomware gangs, such as whether they honour their commitments, to inform their decision making.
“Once we’re ready to discuss the amount of ransom . . . we have a good understanding of what the bad actor will accept based on our historical data and experience dealing with that group in combination with our threat intelligence,” said Marc Bleicher, managing director of incident response at Arete.
According to his figures, the median ransom paid to those wielding the prevalent Ryuk ransomware stands at more than $355,000, and on average the amount paid is 44.2 per cent lower than the original demand. Across all ransomware strains, the median ransom payout in the fourth quarter stood at $49,450, according to Coveware.
Negotiators must also have the technical knowhow to make large payments in volatile cryptocurrencies when a final amount has been agreed.
“For the payment itself, there’s a layer of financial operational security that we provide the client,” said Minder, who uses disposable crypto wallets to make payments.
Negotiators face mounting pressure to conduct extensive due diligence on criminal gangs before handing over any cash to them. The US Treasury department warned in October that anyone that facilitates payments risks severe penalties if they pay groups that are on economic sanctions lists.
“You also have to be very careful about [Office of Foreign Assets Control] compliance,” said Friedberg. “One reason a lot of the boutique shops shot up is that the big publicly listed companies do not want the regulatory exposure of whether they are properly conducting due diligence on the Ofac issues.”
But he warns that even with meticulous planning, there will be elements of surprise simply due to the nature of the adversaries. “[Our clients are] directors and officers that negotiate a thousand deals — but they’ve negotiated these with investment bankers and lawyers and everybody plays by the same rules.”
“Lots of these guys are young criminal hackers riding around in Lamborghinis . . . This is not a rational set of negotiations often,” Friedberg added.
Additional reporting by Kiran Stacey in Washington