Send To Pod

Listen to your favorite article at your leisure.

How to Negotiate with Ransomware Hackers

Original Article: How to Negotiate with Ransomware Hackers


Minder soon found more work. Sometimes it was a prominent company facing a multimillion-dollar ransom demand, and the negotiation took weeks. Sometimes it was a small business or a nonprofit that he took on pro bono and tried to wrap up over the weekend. But GroupSense rarely made money from the negotiations. Some ransomware negotiators charge a percentage of the amount that the ransom gets discounted. “But those really profitable approaches are ripe for fraud, or for accusations of fraud,” Minder said. Instead, he charged an hourly rate and hoped that some of the organizations that he helped would sign up for GroupSense’s core product, security-monitoring software.

Last March, after GroupSense’s office shut down, Minder paced in circles in his four-hundred-and-seventy-five-square-foot apartment. “I was, like, I need to go hike,” he said. He towed two motorcycles to a rental house in Grand Junction, Colorado. As the world fell apart, the ransomware cases kept coming. Minder handled the negotiations himself; he didn’t want to distract his employees, and he found that the work required a certain emotional finesse. “Most of our employees are really technical, and this isn’t a technical skill—it’s a soft skill,” he told me. “It’s hard to train people for it.”

The initial exchange of messages was crucial. People advocating on their own behalf had a tendency to berate the hackers, but that just riled them up. Minder aimed to convey a kind of warm condescension—“Like, we’re friends, but you don’t really know what you’re doing,” he explained. His girlfriend, who speaks Romanian, Russian, Ukrainian, and some Lithuanian, helped him find colloquialisms that would set the right tone. He liked to call the hackers kuznechik, Russian for “grasshopper.”

Occasionally, Minder was called in to try to rescue negotiations that had gone off the rails. If hackers felt that a negotiation was moving too slowly, or they sensed that they were being lied to, they might cut off communication. Following the advice of Chris Voss, a former F.B.I. hostage negotiator who is now a negotiation consultant, Minder tried to establish “tactical empathy” by mirroring the hacker’s language patterns.

Most of the time, Minder found himself dealing with a representative from one of the syndicates. “The first person you talk to is, like, level-one support,” he told me. “They’ll say something like ‘I want to work with you, but I have to get my manager’s approval to give that kind of discount.’ ”

GroupSense partnered with CipherTrace, a blockchain-analysis firm, which allowed Minder to see that a particular cryptowallet had been created and to trace its transactions. Determining the average payments flowing into a wallet gave him a sense of the going rate, so he could avoid overpaying. He came to understand that syndicates were working from a script. “Oftentimes, we can go to the client and say how it’s going to go before it starts,” he told me.

The clients themselves could be more challenging. Minder ran all communications by them, through a secure portal. Some wanted to edit every message to the hackers. “It’s like a spy game to them,” Minder said. Others erupted in anger or frustration. “Sometimes you’re negotiating in two directions at once—with the hacker and with the victim,” he said. “You have to have a personality type where you can be empathetic but also give directions in a way that isn’t confrontational.”

Minder has already seen pressure tactics and ransom demands escalate. In 2018, the average payment was about seven thousand dollars, according to t...
