Inside the mind of a ransomware negotiator: what it’s really like to deal with cybercriminals

Sleepless nights, high pressure and millions of pounds at stake – the insider’s view of ransomware negotiation

241101 Jeffwichman


Ransomware attacks can have a devastating impact on businesses. The financial hit can be so severe that some organisations never recover. When the situation looks dire, businesses can bring in ransomware negotiators to stall for time, to draw out information that helps the incident response team, and, if no other options remain, to bring down the price of the ransom.

Jeff Wichman is a one-time professional ransomware negotiator who is currently director of incident response at security company Semperis. He reveals what it’s like to work on the cybercrime front lines and provides advice on how to deal with ransomware attackers.

Q
How did you first become a ransomware negotiator?
A

I was in the wrong place at the wrong time. I worked in digital forensics at a small company called Crypsis, which was acquired by [cybersecurity company] Palo Alto Networks. We helped clients through ransomware attacks. One day, a director came in and said: ‘We need someone on our team. Do you want to help out with ransom negotiations?’

I agreed as I thought it sounded fun. This was early on, when negotiations were easier, and I quickly got hooked. Eventually, I started running the negotiation team within our ransomware group.

Q
Walk us through a typical scenario: you’re hit by ransomware, you’re panicking. How does the negotiation process start?
A

The hackers start by leaving a ransom note. This gives you a way to make contact, typically through an online chat platform on Tor [the anonymity network, usually reached through the Tor Browser].

Once in a while, you’ll have to email them. You start the communication asking how to get your data back.

There are times when you have to play the dumb IT person and others when you have to play smart and show you know what’s going on.

We always try to avoid saying we’re a negotiator on behalf of the client because, if the attacker knows they’re dealing with a negotiator, they become harder to deal with, in my experience.

You have to understand how to take what the attacker says and feed information to your incident response team to better assist the client in recovery.

Q
What do negotiations typically look like from the response side? 
A

There’s a specific process that the negotiator follows and there’s a reason for that.

First, you establish contact. Determine what’s been taken and what the attacker’s demands are.

After that initial setup, we want to get proof of exfiltration and a file listing everything they took. I choose specific files and ask the hackers to send them to me to prove they took the information.

You never want to point them to sensitive documents because they’re going to read them. I’ve had clients request a particular file, only for the attacker to say: ‘No, that describes your recovery process and your codes. We’re not giving you that.’

Once we have sample files, that helps the investigators who are trying to repair systems and get the business operational again. This is one of the most important parts of being a negotiator.

If you can determine where these files came from, you can start assessing the systems as a priority. Look for large file transfers from specific directories. This will often lead you to financial information.

Next, ask for proof of life by sending them encrypted files and asking them to decrypt them.

Once we have all of these pieces together, you can start negotiating and I work out what I can use as leverage to bring the price down.
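The steps above (choose non-sensitive samples to request, map the attacker’s file listing and large reads back to specific shares so forensics can triage those first, and verify the decrypted proof-of-life files) can be mechanised. The following Python is an added example, not code from the interview or from Semperis: the attacker listing, the file-server audit log, the sensitive-path deny list and the expected hashes are all constructed here for illustration, and the log format is an assumed one (timestamp, host, UNC path, bytes read, client IP).

```python
"""Negotiation triage helpers (added example; all data below is constructed)."""
from collections import defaultdict
import hashlib

# Constructed: the "file listing" an attacker hands over as proof of theft.
ATTACKER_LISTING = r"""
\\FS01\Finance\2023\payroll_q3.xlsx
\\FS01\Finance\2023\bank_reconciliation.xlsx
\\FS01\Finance\AP\vendor_master.csv
\\FS02\HR\benefits\enrollment_2023.pdf
\\FS01\IT\DR\recovery_runbook.docx
\\FS03\Marketing\assets\logo.png
"""

# Constructed file-server audit log (assumed format):
# timestamp,host,unc_path,bytes_read,client_ip
AUDIT_LOG = r"""
2023-09-12T01:14:02Z,FS01,\\FS01\Finance\2023\payroll_q3.xlsx,5242880,10.9.8.7
2023-09-12T01:14:09Z,FS01,\\FS01\Finance\AP\vendor_master.csv,734003200,10.9.8.7
2023-09-12T01:20:41Z,FS02,\\FS02\HR\benefits\enrollment_2023.pdf,4194304,10.9.8.7
2023-09-12T08:02:10Z,FS03,\\FS03\Marketing\assets\logo.png,204800,10.1.1.25
2023-09-12T01:31:55Z,FS01,\\FS01\Finance\2023\bank_reconciliation.xlsx,1258291200,10.9.8.7
"""

# Constructed: paths a negotiator must never point the attacker at, because
# the attacker will read whatever file you ask them to return.
SENSITIVE_PREFIXES = (r"\\FS01\IT\DR",)


def parse_listing(text):
    """Return the non-empty UNC paths in an attacker-supplied listing."""
    return [line.strip() for line in text.splitlines() if line.strip()]


def split_unc(path):
    # r"\\FS01\Finance\2023\x.xlsx" -> ("FS01", "Finance")
    parts = path.lstrip("\\").split("\\")
    return parts[0].upper(), (parts[1] if len(parts) > 1 else "")


def affected_shares(paths):
    """Count listed files per (host, share): where forensics should look first."""
    counts = defaultdict(int)
    for p in paths:
        counts[split_unc(p)] += 1
    return dict(counts)


def choose_samples(paths, sensitive_prefixes, n=3):
    """Pick files to ask the attacker to return as proof of theft: skip anything
    under a sensitive prefix and take at most one per share, so each returned
    sample confirms access to a different system."""
    chosen, seen = [], set()
    for p in paths:
        if any(p.lower().startswith(s.lower()) for s in sensitive_prefixes):
            continue
        key = split_unc(p)
        if key in seen:
            continue
        seen.add(key)
        chosen.append(p)
        if len(chosen) == n:
            break
    return chosen


def large_transfers(log_text, threshold_bytes):
    """Sum bytes read per (host, share, client) and return the totals at or above
    the threshold, largest first: bulk reads from one client are the exfil signal."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, _host, path, nbytes, client = line.split(",")
        host, share = split_unc(path)
        totals[(host, share, client)] += int(nbytes)
    hits = [(k, v) for k, v in totals.items() if v >= threshold_bytes]
    return sorted(hits, key=lambda kv: kv[1], reverse=True)


def prioritise(paths, log_text, threshold_bytes):
    """Order (host, share) pairs for triage: shares both in the listing and showing
    large reads first, then listing-only, then large-read-only (possible undisclosed theft)."""
    listed = affected_shares(paths)
    heavy = defaultdict(int)
    for (host, share, _client), total in large_transfers(log_text, threshold_bytes):
        heavy[(host, share)] += total
    order = [(k, "listed+large_read") for k in listed if k in heavy]
    order += [(k, "listed") for k in listed if k not in heavy]
    order += [(k, "large_read_only") for k in heavy if k not in listed]
    return order


def check_proof_of_life(returned, expected_hashes):
    """Compare each decrypted file the attacker sends back with the SHA-256 recorded
    for the original (assumed available from backups or a pre-incident inventory).
    Returns the paths whose decrypted copy does not match the original."""
    return [path for path, data in returned.items()
            if expected_hashes.get(path) != hashlib.sha256(data).hexdigest()]


if __name__ == "__main__":
    paths = parse_listing(ATTACKER_LISTING)
    print("samples to request:", choose_samples(paths, SENSITIVE_PREFIXES))
    for key, why in prioritise(paths, AUDIT_LOG, 100 * 1024 * 1024):
        print(key, why)
```

With the constructed data, the Finance share on FS01 is both in the listing and the source of roughly 1.9 GB of reads from a single client, so it sorts first; the DR runbook is excluded from the sample request even though it is in the listing.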

Q
What are your goals while you’re in negotiation? Stalling for time so you can try to restore things on your own, getting the price down, or both?
A

It depends. Sometimes the client says they won’t pay. But we still have to talk like we will, because you want to speed up the investigation and help the business get back on track. If we have an environment that’s got 100,000 systems in it, I don’t want forensics teams combing through every system if they’re not all in scope.

I want them to figure out really quickly what is important. We triage every system, but you only dig into the systems that are important. Getting the hackers to play ball, so you can get the information you need, is crucial.

Sometimes you’re delaying just to validate what the risk exposure is. Did they really get a lot of information?

There are also cases where I helped with external communications, explaining what we know and advising on what to say. Usually clients have a PR firm, but sometimes they need to be coached.

You don’t want to say anything that’s not factual and you don’t want to say anything that upsets the attacker. If they get upset, there’s nothing to stop them from attacking again.

Other goals of the negotiation are actual recovery, getting the business operational again and trying to reduce the payment.

Q
How open to price negotiations are the ransomware groups?
A

Some groups negotiate well, others are very hard and fast. They think they know everything. If they know they have really valuable data, they’re not going to move much on the price either.

Q
The advice from authorities in the UK is you should never pay a ransom. Some would argue that’s not realistic advice for a lot of businesses.
A

It’s a business risk decision. I considered myself a mediator. I was not telling a client to act one way or another. That was completely down to them, based on the information I was providing and my understanding of the attackers.

If I had a wish, it would be for organisations that pay hackers to be able to recover their data. But it often wasn’t the case.

However, if you tell someone that their business is going to shut down if they can’t pay the ransom, any business owner is going to try to pay the attacker. That’s their livelihood. If they have employees that are relying on the business, they’re going to try to save them.

Q
What about retrieving stolen data as part of the ransom? Is that even possible?
A

There are no guarantees. Any organisation that truly believes an attacker is going to keep their word and destroy the information they stole is foolish. I’ve seen too many cases where the same data pops up again.

Organisations need to do a better job of protecting their data. Once the data has been taken, it can then be sold on. Sometimes attackers try to convince you they’ve taken it down by sending a screenshot showing they wiped a folder, but you don’t know if there was anything in that folder or if there’s another copy of it.

Once in a while you’d encounter what I considered more of an honest criminal but it was very rare.

Q
So you really have to hammer home to the customer that they need to improve their security and build in resilience and preparedness?
A

You have to assume you’ve been breached, either now or after recovery. Organisations set themselves up for it too often.

Sometimes, everyone in the finance department has access to everything, even when it’s not necessary.

You also have domain admins who have access to everything, even if they don’t need it. There are ways to reduce your exposure to an attacker getting a domain admin account and wreaking havoc. If you don’t use a domain admin account on your regular system, and you have a separate system for that, there’s less chance that an attacker is going to be able to take over the domain.

Q
How do you communicate effectively with attackers? What kind of techniques do you use to keep attackers on the hook?
A

I would often get a pre-approved stall message. These would say something like: ‘Our board is going to be meeting, but not until Thursday. We can’t get them together. They all have to meet face-to-face.’

There are a few things that typically would buy us time, such as the board meeting excuse. But then the hackers would say: ‘You have until Thursday to provide an update,’ so you have to be prepared. You have to warn the client that these messages can speed up the timeline.

I’d use other types of delays. There have been times where I’ve said my mum’s sick and I have to take her to hospital. We typically tried to pull at the heartstrings, because they all have mothers and fathers. You hope that human element is still there and that they care. Even if it was a complete bluff on my side, I’ll use it and take what I can get.

Q
Dealing with ransomware groups sounds challenging enough, but what are the common challenges from the response side?
A

When I first started, I communicated with the attacker and then filled in the client and the legal entity helping the client afterwards. We had to get screenshots of every back and forth just to show we were not doing something under the table or making an agreement a client wasn’t comfortable with.

By the time I left negotiations, I had to get the blessing of the client, the legal team and the insurance company before speaking to the attacker. Everyone wanted to have a say. If I shared a statement with an attorney outlining what I wanted to say, they would rewrite it, and it would immediately reveal to the attacker that there was a lawyer involved. We wanted to avoid this as much as possible.

There were many times where I pushed back on attorneys who wanted me to say things that would make the job harder. Then we would spend a day going back and forth, trying to massage what we’re going to say to the attacker – it was a waste of time.

There were also times when the client would inject themselves into the conversation with the attacker and it screwed everything up. If an attacker understands that the client is very motivated to get back to being operational, they’re not going to negotiate.

Q
There must have been a lot of pressure.
A

When I first started, ransom demands were around $150,000 (£116,000). When it started getting into the multi-millions, I started losing sleep.

Even though there’s insurance from the company side, I was still very paranoid that things would fall back on me.

When I first started, I heard of another ransomware negotiation firm that paid the wrong attacker $1m by mistake – that’s a lot of money and the attacker isn’t going to pay you back.

I no longer do full investigations. I stepped back and I’m healthier because of it. I have a better mental state. Working 16-hour days for months on end, juggling multiple ransomware cases, wrecks your mind.

The pressure comes from all sides, from CEOs and executives and stressed IT staff.

Getting out was the best decision I ever made. Sometimes I consider getting back into it, because it was fun and exciting and challenging, but from a mental health standpoint, I never will.

Q
Where do you see ransomware heading next?
A

If you don’t communicate with attackers or respond to phone calls, there’s nothing stopping them from printing data out and sending sensitive information to victims to prove information was stolen. What stops them from sending that to the press?

That’s an evolution that runs through my head. What are they going to do to up the ante? Business may be getting harder for them, but they’re going to evolve. They always do.