“$1.1m. We will never go lower and this offer is valid for 48 hours. Keep it or leave it.”
That’s the message a small retail business on the East Coast of the U.S. received earlier this summer when it realized it was being held up by a Russian-speaking ransomware gang.
At first the hackers demanded more than $2 million—an overhead that would have left the victim company reeling, according to transcripts of the negotiations with the ransomware gang The Daily Beast obtained. It wasn’t going to work, even with the hackers’ dangling offer that the millions of dollars would be accepted in exchange for unlocking the business’ systems and a promise to not publish or sell their stolen files.
So instead of coughing up the demand right away, the victims started groveling. They pleaded with the hackers, noting they didn’t have cybersecurity insurance and couldn’t afford the demand.
The hacking gang, known as Conti, appeared to acquiesce slightly, and offered a minor discount. But they balked at the victim’s next suggestion that they only cough up several hundred thousand dollars.
“We have reviewed all the documents we have on file,” the hackers wrote, arguing that the counteroffer was “too low,” according to the transcript.
The victim ended up opting to pay the updated offer of just over $1 million, after verifying they had the correct bitcoin payment address with the hackers. Much to the company’s relief, the hackers quickly sent over the decryptor, the tool that would allow the victims to regain access to their systems, which they’d been locked out of for days.
But reassurances the hackers would delete the stolen data and not publish it did not come so quickly.
That’s when the panic set in.
“Per our agreement, please provide a copy to all of our data,” the negotiators pleaded, before following up a few hours later: “Please confirm that you will delete it everywhere and give us proof of deletion. Thanks.”
Several more pleas were sent to the hacking gang, but they were met with days of silence. In all, the company waited seven days before hearing back.
Dave Wong, who worked with the victim in this case to recover from the ransomware attack, told The Daily Beast he thinks the company got nervous as soon as they paid because the reality set in that the future of their company was in the criminals’ hands, and they had no way of knowing if the gang would follow through.
“A lot of companies are a little bit nervous because they’re handing over a million dollars and you’re trusting the criminal is going to keep his end of the bargain,” Wong, a vice president at FireEye’s Mandiant, told The Daily Beast. “I think that’s when the victim in this case got a little bit nervous.”
The victim, whom the transcript does not identify and Wong declined to identify, ultimately got what it wanted—the decryption tool and some reassurances (although no guarantees) their data had been deleted, says Wong.
The negotiation offers a rare view into the secretive negotiations ransomware gangs use to hold businesses for ransom and extort them for millions of dollars—and just how tricky the negotiation process can be. On top of balancing concerns that they may be running afoul of U.S. sanctions by paying the hackers, the victims must contend with the reality that even if they cough up millions, they may not get their data back, the hackers might disappear into thin air, and they could be held for ransom by the same hackers again despite assurances their stolen files won’t come back to haunt them.
The negotiators’ surge of panic after paying is not uncommon among ransomware victims, negotiators tell The Daily Beast.
Raising the stakes in this case? Conti hackers in particular have been known to stiff their victims after receiving payment.
Kurtis Minder, the CEO and co-founder of security firm GroupSense, whose team also negotiates with Conti, says the gang is one of the more capricious ones on the block.
”They’re assholes,” Minder said.
“I think the reality is nobody trusts a criminal,” Wong told The Daily Beast. “But what you’re trusting is their greed and that if an organization like Conti expects people to pay them in the future, they’re going to follow through with what they said they’re going to do. But it still makes you nervous.”
Thousands of companies around the world have been grappling with a ransomware attack from a Russian-speaking ransomware gang known as REvil this month, just as the Biden administration has been working to get Russia to hold hackers accountable for their ransomware schemes. Multiple companies hit in high profile ransomware attacks this summer, including Colonial Pipeline and JBS, a major U.S. meat supplier, have opted to negotiate with Russian-speaking hackers to get operations back to normal.
The Biden administration has kicked off multiple ransomware task forces to try to clamp down on the scourge of ransomware. But in the absence of any concrete solutions, victims are continuing to get hit and negotiate ransoms. To get an inside look at what the status quo is like—and what it takes to deal with the gangs in the meantime—The Daily Beast spoke with several negotiators that have been serving as intermediaries between ransomware gangs and their victims to facilitate payments in recent months.
The negotiators’ persistence in pressing the hackers to follow through on their promises right after payment in this particular case is something Tom Hofmann, whose firm negotiates with ransomware gangs, encounters all too often.
But it can be a bad idea, he says.
Refraining from sending panicked messages to the hackers is especially important to avoid tipping your hand, especially for victims who are worried the hackers don’t know the true value of the data they’ve stolen, says Hofmann, the senior vice president of intelligence at security firm Flashpoint. In several cases where Hofmann’s clients realized the hackers didn’t know the true value of the files they stole, Hofmann says his team worked to divert the ransomware gang’s attention elsewhere, like on the decryption tool, so the hackers wouldn’t think twice about offering discounts.
“If… they actually understood the value of the data, the ransom would have been much higher,” Hofmann told The Daily Beast. “This was one where you had to play somewhat coy.”
Even if victims get their ransoms down, feelings of hopelessness can set in after they pay because there’s no guarantee the hackers won’t just take the money and run or delete stolen data. But it’s simply not possible to have any guarantees with these kinds of hackers, says Minder.
“There’s never going to be any real proof” that the hackers have deleted what they say they’ve deleted, Minder says. Sometimes hackers will send a video that shows them ostensibly deleting all the stolen goods—but they could have fabricated it or stored a copy somewhere else to extort the victim later.
Victims also run the risk of gangs going dark as soon as they pay, even when dealing with gangs that have a reputation for following through, warns Hofmann. Especially as law enforcement attention to ransomware gangs ramps up, or if the hackers decide they want to rebrand and start fresh with a new name, victims might be left without answers.
“They’ll tell you this is a business and their reputation matters—all of that is absolutely valid, up until the point the group [no longer] exists,” Hofmann said.
The Russian REvil hackers behind the latest ransomware spree went dark earlier this month but in recent days have appeared to regroup under the name BlackMatter, researchers say. They also appear to have linked up with other hackers, including DarkSide, the hacking group behind the Colonial Pipeline incident. The threat group behind DoppelPaymer ransomware has also appeared to rebrand just last week.
“Now the question is what happens with all those groups who did have that stolen information who are no longer in business,” Hofmann warned. “Does this information show up in five years, six years, seven years?”
The uncertainties of paying are only likely to get worse, experts say. In recent months ransomware gangs have been getting savvier with their extortion schemes and breaking into victims’ financial records, so that if victims claim they can’t afford ransom demands, the gangs can fact check, according to Minder.
“In many cases, you can’t [lie] because they have all the information,” Minder told The Daily Beast.
Wong says he’s seen ransomware gangs use this tactic to catch victims in lies when they’ve suggested they couldn’t afford the hackers’ ransom demands when in reality, they could.
“They sent a bank statement they had stolen that showed this company had $5 million in [the bank],” Wong told The Daily Beast, referring to a different ransomware gang negotiation. “They’re like, ‘you have the money, don’t lie.’ … They’re getting a lot more sophisticated.”
The FBI has long advised that it doesn’t support victims paying ransom demands, while the Treasury Department has warned victims may violate U.S. sanctions and have to pay the price if the criminals are subject to them. The U.S. government has also counseled victims against paying since it can embolden hackers to continue attacking.
But banning payments altogether is not the right move, according to Hofmann.
“What happens if the business goes under?” Hofmann said. “How does that benefit society if the business goes under and now 500 are unemployed because someone wanted to take a moral stance against payments?”
And while some states have been glomming onto the idea that banning payments might be helpful to throttle ransomware gangs’ funding, the FBI is warming to the idea that there’s some wiggle room here. The FBI’s assistant director of the cyber division, Bryan Vorndran, told lawmakers last week it would be shortsighted to ban payments—he fears the hackers would use it to further punish victims.
“If we ban ransom payments now, you’re putting U.S. companies in a position to face yet another extortion, which is being blackmailed for paying the ransom and not sharing that with authorities,” Vorndran said in testimony before the Senate Judiciary Committee.
It’s also just not prudent, says Minder.
Have “you put yourself in the shoes of a small business or a hospital that’s going to go out of business or someone’s going to die if you don’t pay the ransom?” Minder said. “Anyone who has a strong stance on not paying does not know a victim.”
For the time being, the grind continues; Minder and his team just started another Conti case in the last several days, and for now, they’re sticking to their guns.