Kurtis Minder has some advice about how to negotiate with criminals who extort millions of dollars by crippling companies’ computer systems and stealing their data: Don’t call them “bad guys.”
“The bad guys know they are bad guys—they are trying to pretend to be businesspeople,” says Minder, who, as CEO of cyber-intelligence specialist GroupSense, has negotiated on behalf of at least two dozen organizations targeted with so-called ransomware. “As long as you pretend with them that this is just a normal business transaction, it goes better.”
Imagine the nightmare scenario: You start work one day but can’t access crucial customer information on your computer because hackers have encrypted your files and are demanding big money in exchange for the decryption key. In most cases, the attackers also steal sensitive company data and threaten to publish it.
At best, the extortion demands could severely disrupt your company’s operations for days. At worst, they could ruin its reputation and put it out of business.
Companies that fall victim often seek help from a mini-industry of ransomware negotiators who are experienced at responding to such attacks. Their job is to talk with the hackers, ideally securing a hefty reduction in the ransom in the process. They also arrange payment in Bitcoin or another cryptocurrency, the hackers’ preferred form of payment because it’s hard to trace.
Ransomware attacks have thrived during the COVID pandemic, their numbers rising 62% globally last year to 305 million, according to cybersecurity firm SonicWall. Another security firm, Cybersecurity Ventures, predicts that global ransomware damage costs will reach $20 billion by this year, up from $11.5 billion in 2019.
The work-from-home trend during the pandemic, when many employees used personal devices to access company systems, has given cybercriminals a host of new vulnerabilities to exploit. All it takes is to get employees to unwittingly download malicious software by opening an email attachment, clicking on an ad, or following a link.
Small companies, without dedicated IT security staff, have traditionally been seen as easy targets for ransomware gangs. But experts say hackers are now going after larger companies, including oil, logistics, and manufacturing businesses, along with government agencies, hospitals, and schools.
In one of the most serious ransomware attacks yet, hackers linked to a Russian-speaking gang forced the closure for several days in May of a pipeline that transports nearly half the gasoline used on the East Coast, leading to panic buying and empty pumps at some gas stations. Colonial Pipeline, the company attacked, said it decided to pay a ransom because tens of millions of Americans rely on the pipeline. (The Wall Street Journal reported that Colonial paid $4.4 million in Bitcoin, a figure the company would not confirm.)
The University of Utah said it paid a ransom of just over $457,000 last July to avoid private information being released online after attackers cut its computer access. The university worked with its cyber-insurance provider and law enforcement, and consulted with a professional ransom negotiation firm, which it did not name. “All intelligence and guidance we received indicated that the threat actor would follow through on their threat if ransom was not paid,” the university said.
With many companies reluctant to talk about security breaches and ransom payments, some experts wonder if the scale of the problem is much bigger than publicly disclosed. “We’ve seen ransom negotiations worth $50 million—publicly acknowledged negotiations—and I can only imagine how many of them remain unreported and undisclosed purely because the insurance company is paying off the ransom,” says Andrei Barysevich, CEO of fraud-tracking firm Gemini Advisory, who has led a number of ransomware negotiations.
The attacks often originate from countries like Russia and former Soviet republics including Belarus, Ukraine, and Moldova, as well as Turkey. Because of their international nature, and tools used by shadowy scammers to avoid being tracked, successful prosecutions of ransomware gangs are rare.
Calls for tougher international action to counter the threat are growing. A group of tech companies and law enforcement from the U.S., the U.K., and Canada in April advocated for an aggressive international effort to combat ransomware, including punishing countries that fail to crack down on the problem. Around the same time, the Justice Department created a task force to take on ransomware gangs.
The FBI advises against paying ransom, on the grounds that it encourages more cyber theft and because the profits may be used to fund organized crime and terrorism. But paying ransom is legal as long as it doesn’t involve sending money to countries like Iran and North Korea or paying cybercriminals who are on the U.S. Treasury Department’s sanctions list.
The first sign that a company has been hit by a ransomware attack often comes only after employees are unable to log in to their computers or use email. An unencrypted file—the only one—delivers the bad news and often directs victims to a website embedded with a clock counting down the minutes until a deadline.
“There’s usually a threat attached to that clock,” says negotiator Minder, either that the ransom will double when the seconds count down to zero or that the hackers will dump the stolen data online. But he adds that it’s often just a false deadline intended to create a sense of urgency.
If an affected company or organization has backed up its data, and is confident it can resume operations quickly after a ransomware attack, it may decide against talking to the hackers. A company that is unprepared, as many are, or has had its sensitive data stolen, may have little choice but to negotiate—usually through a live chat window that the hackers provide.
Negotiators advise companies hit by ransomware to seek help from an insurance company or law firm specializing in data breaches (those firms will decide whether it makes sense to bring in a ransom negotiator). They also generally recommend that victims contact law enforcement.
The average ransom payment in the first three months of this year was $220,000, up a staggering 43% from the previous quarter, according to ransomware negotiating firm Coveware. The rise resulted from a handful of extremely active gangs hitting large victims with high ransom demands.
Minder’s ultimate aim is to get the eventual ransom payment down to just 10% of the original demand. The most he ever paid on behalf of a client, a large engineering company that he did not name, was $2.75 million—a result of that business wanting minimal negotiations so that it could get back to work quickly.
Minder’s company charges an hourly rate for its services with a cap depending on the size of the client. Most businesses end up with a bill of $20,000 to $25,000, although he says his company has, occasionally, worked for free for a small business or nonprofit. In one such negotiation, Minder tried to persuade the hackers to forgo any payment because the target was a cancer charity, but the gang didn’t like that. “They still made them pay,” he says.
One recent wrinkle in ransomware is the advent of “ransomware as a service,” in which software developers lease their ransomware to others in exchange for a share of the ransom proceeds or a subscription fee. This has made it easier for criminals who have little technical expertise and who are less predictable to enter the field.
“It’s kind of like the Mafia versus a street gang. The Mafia has a code, they behave in a very specific way,” Minder says. “These smaller actors that are just buying the platform, they have no rules, and they don’t really care about long-term outcomes, so they don’t necessarily always honor the deal.”
Organizations can insure themselves against ransomware attacks by taking out cyber insurance with an insurance company such as AIG or Coalition. Policies typically cover the cost of ransom and of getting computer systems running again.
As Coalition’s incident response lead, Leeann Nicolo is the first to get the call when a client is hit, although the company brings in outside experts to handle the negotiations. She says ransoms have gone up 10-fold since she began working in the field in 2015, when a $50,000 demand was a big deal. “As of late, it’s pretty common that the demand is in the millions,” she says.
Among the risks of paying, she cautions, is “double extortion,” when cybercriminals double-cross their victims. Says Nicolo matter-of-factly, “After the first payment is made they will go back to the original ask, so it’s like paying twice.”
Update (June 16): This article was updated with information from Cybersecurity Ventures about the annual cost of ransomware attacks. An earlier mention of PurpleSec, a company that had provided similar information, was removed.
Ransomware casualty count
Hackers have held the data of countless organizations hostage. Here are some of the most notorious examples.
Colonial Pipeline (2021)
The company paid a reported $4.4 million in ransom after an attack forced a shutdown of its pipeline, which supplies nearly half the gasoline used on the East Coast.
University of California, San Francisco (2020)
The campus, busy with vital COVID-19 research, paid $1.14 million in ransom after hackers encrypted important academic data.
Norsk Hydro (2019)
This Norwegian aluminium producer took weeks to restore its systems after being attacked and refusing to pay up. It suffered losses of around $50 million.
This devastating cyberattack that the U.S. blamed on North Korea infected more than 300,000 computers in 150 countries, disrupting large organizations including the U.K.’s National Health Service and China National Petroleum Corp.
Sony Pictures (2014)
Hackers demanding the movie studio pull a forthcoming comedy, about a plot to assassinate North Korean leader Kim Jong-un, stole a trove of films and emails, and then wiped the studio’s computers.
Companies should follow these steps to avoid becoming ransomware victims.
1. Train employees to spot phishing emails, which are often used to deliver ransomware.
2. Don’t open attachments or click on URLs in unsolicited emails.
3. Use unique passwords to access corporate systems and two-factor authentication.
4. Monitor remote access logs to spot unauthorized access to corporate networks.
5. Regularly back up data. Keep backups separate and offline from normal operations.
6. Ensure all devices on your network use up-to-date operating systems and applications.
7. Make sure antivirus software is set to automatically update and run regular scans.
8. If hit by a ransomware attack, have a plan ready for how you will respond.
Sources: FBI, cybersecurity experts
This article appears in the June/July 2021 issue of Fortune with the headline, “The negotiator you hope you’ll never need.”
Our mission to make business better is fueled by readers like you. To enjoy unlimited access to our journalism, subscribe today.