Skip to main content
Clear icon
56º

Cracking the code on negotiating with a cyber extortionist

JACKSONVILLE, Fla. – It’s a chilling realization that researchers say happens 97 times an hour: a cyber attacker finds another victim, which could result in thousands or even millions of dollars in damage, not to mention the loss of sensitive personal data.

One of the latest incidents of a high-profile cyberattack came Thursday, when the hospital group Ascension, which has several facilities in northeast Florida, announced it had a cyber security event the previous day. Ascension said the incident did have an impact on clinical operations, and the organization is still trying to determine what information was impacted. Details of the nature of the cyber security incident have not yet been released.

From Social Security numbers to banking information, both private and public entities are being targeted and are receiving the same message: “We have your personal data. Pay up, or you’ll face the consequences.”

The dramatic increase in cybercrimes is posing serious threats to the economic security of both the public and private business worlds, government agencies, hospitals and businesses big and small.

In Florida, however, it’s illegal for government agencies to pay a ransom to cyber hackers to have their stolen personal data returned.

The News4JAX I-TEAM is finding out what it’s like at the virtual negotiation table, going behind the curtain of the process with Billy Steeghs, the co-founder and Chief Operating Officer of On Defend, a Jacksonville cybersecurity company.

File photo (WJXT)

He said clients most often panic when they aren’t prepared.

“Usually when they don’t have any backups and they cannot restore their data,” Steeghs said.

Steeghs said knowing exactly how much data and intellectual property was stolen is one of the first critical factors in determining the next steps.

Steeghs said clients have to decide whether they will ignore the requests or pay the ransom, and what might happen if they decide to comply.

He said what he does is like any advisory service, but accelerated.

Steeghs said typically, the faster the response to the cyber thief, the better the overall outcome.

Steeghs said many times cyber extortionists don’t have an exact ransom figure right away, and instead tell their victims to contact them, through email, encrypted apps, or chat rooms on the dark web.

“I think they need time to find out who the customer is… so they can essentially come up with a number later because a company that has a large amount of funds, they would obviously ask for more money than the company who might not be able to pay for those ransoms,” Steeghs said. “So we’ve seen a lot of variety in that.”

File photo (WJXT)

Steeghs said some $7,500 ransom payments might seem cheap, but then they will escalate later into more payments.

Another common tactic victims must contend with is public and private intimidation. Cyber experts say extortionists publicize their hack through social media sites and even inform the media before the company is aware their customers’ information has been compromised.

“If the FBI can’t scare me, my partners will respect me. The business works and always will work,” said the kingpin of a Russian-based cyber gang called LockBit during an interview with “The Recorded Future: ‘Click Here’” podcast, conducted over an encrypted messaging app, and translated from Russian.

The LockBit member known as “LockBitSupp” recently took credit for holding the information of nearly 50,000 Beaches Energy customers in Jacksonville Beach hostage.

The attack successfully crippled the city’s computer system for months. City leaders said in late April that they are still working to restore their systems and services.

The city of Jacksonville Beach did not pay the ransom demand.

This week, the Department of Justice announced a 26-count indictment against LockBitSupp, a Russian national whose name is Dimitry Yuryevich Khoroshev. It accuses him and the ransomware group of attacking more than 2,500 victims in at least 120 countries, including 1,800 victims in the U.S, resulting in at least $500 million in ransom payments from victims.

Steeghs said even though it’s illegal in Florida for government agencies to pay ransoms, many private companies still do it -- or risk going out of business.

File photo (WJXT)

Kurtis Minder, the CEO of Group Sense, has also negotiated with cyber extortionists on behalf of businesses and municipalities large and small.

“You have to really think about the impact to the company. If the company has no files and has no means to be able to operate and serve their customers, they’re going to get desperate and they’re going to go and pay those organizations” said Minder.

Minder said the typical negotiation time from threat to resolution is roughly seven days. And he doesn’t think existing laws outlawing paying ransoms are fair to the governments that have been targeted.

“So when you pass laws that make it illegal to pay a ransom, I believe, in some ways, that’s punishing the victim,” Minder said.

Minder added that operational impacts for companies -- like being unable to ship products, take orders, or even pay employees -- are factors businesses are considering in real-time.

He said negotiating isn’t always about the money. It’s also about gathering information about the cybergang for law enforcement.

File photo (WJXT)

Minder said engaging with cyber criminals doesn’t necessarily mean paying a ransom.

“We may decide to engage, for example, to gather intelligence about the threat actors to give to law enforcement,” Minder said.

Both cyber negotiators told News4JAX that in almost all of the cases they’ve negotiated, the cyber thief returned the stolen data once they received the ransom money.

They say the thieves are honoring their agreements because they want the business model to continue.

Even though they stole the data, in their eyes, this is simply a business, and paying up is the outcome they desire for years to come.


About the Author
Tarik Minor headshot

Tarik anchors the 4, 5:30 and 6:30 p.m. weekday newscasts and reports with the I-TEAM.

Loading...

Recommended Videos