The Limited Times


Cybersecurity: profession, ransomware negotiators

2021-06-02T12:12:00.015Z


Called in to act as intermediaries with hackers, these shadow players operate in an area close to illegality but are sometimes


"Oops all your files have been encrypted, follow these instructions to get the encryption software."

This note, left on a computer or server, is the dread of every business right now: it means the business has fallen victim to the most devastating computer attack around - ransomware.

The principle is simple: cybercriminals have managed to paralyze the computer system and have probably siphoned off the data they threaten to disseminate on the Internet, if the victim does not give in to their extortion.

A race against time then begins, along with a standoff with the cybercriminals. Put under tremendous pressure, the leaders of the hacked companies find themselves faced with a dilemma: resist the blackmail of these strangers, or pay and hope for a restart in a few days.

“Paying a ransom is a heresy that feeds a mafia system without any guarantee of recovering its data or preventing their disclosure,” recalls Jérôme Notin, the Managing Director of the Cybermalveillance.gouv.fr platform.

The official guidance, for the past two years and since the arrival of the first ransomware, has been to refuse any transaction.

"By paying, you enter the files of good customers and cash cows of criminals who have no words", deplores this Cyberdefense reservist of the gendarmerie.

A virtual hostage-taking

Yet some companies are weighing the staggering cost of remediation - that is, rebuilding from scratch - against the outright payment of a ransom. They sometimes decide to embark on secret negotiations on their own, but more regularly call on specialists. “Negotiating with cybercriminals cannot be learned by doing online training, you need to have a good knowledge of hackers' habits, their language and especially their skills,” said Thomas Roccia, cybersecurity researcher at McAfee.

"We first analyze the extent of the damage to see if a negotiation is really necessary before starting it because some hackers try to bluff without having been able to encrypt the systems or extract the data," explains Leeann Nicolo, negotiator at Coalition, a cybersecurity consulting firm based in Denver (United States).

"Time is of the essence: negotiations go quickly if the client has a vital need to quickly resume his activity, or if, on the contrary, he has backups of his data, because we can use that to our advantage," explains this incident response specialist, who has negotiated over 150 extortion attempts.

The negotiators' final objective: to lower the amount demanded in cryptocurrency to one that is, unfortunately, acceptable to the victim.

"But a negotiation is not limited to a payment, it can also be used to assess what hackers have in the stomach, to save time or to ask to decrypt files which are like proof of life," notes David Corona, a former GIGN negotiator, whose company In Cognita is called to the rescue by victims of online extortion.

Contact is made by e-mail or via an encrypted, ephemeral chat set up by the hackers on a site on the Tor network, where they publicly claim responsibility for their actions and sometimes display a countdown.

“We speak to them in simple, easy-to-understand English to avoid misunderstandings. The message must be easy to translate by Google Translate,” describes Leeann Nicolo.

Tense negotiations

The negotiation then begins as in a game of poker where the cards are already distributed to the advantage of the attacker. It lasts on average a week to 10 days. “They see themselves as businessmen in a classic commercial exchange and want to go quickly, and we don't have a lot of negotiating levers anyway,” notes a French cybersecurity consultant who carried out a few negotiations that quickly ended between 200,000 and 2 million euros.

"Initial requests are around $2 million but most are affiliates, so amateurs who rent ransomware and ask for a fanciful amount that leaves the door open to negotiations," analyzes the American expert. "We manage to bring them down by 50% but it depends on whether more experienced cybercriminals have been able to access the company's accounting documents and therefore whether they are aware of the financial income, in which case they make a tailor-made request and unfortunately almost fair, therefore accepted," testifies the negotiator who accompanied the payment of $6 million by a manufacturer of pet food.

Sent in Bitcoin or Monero, a reputedly untraceable “crypto”, payments are made, according to the experts consulted, via a service provider that has an electronic wallet, taking a percentage on these discreet transactions.

“We are in fact essentially there to ensure that the payment is made by installments because the discounts are easy to obtain” indicates our French expert.

“The vast majority of attackers understand that sometimes it's better to get a smaller amount than nothing at all,” confirms the Colorado consultant.

The negotiator, useful but criticized

Lawless and unscrupulous, cybercriminals sometimes do not honor the verbal agreement reached.

"Some lead us by boat by accepting half of the ransom and then attack again behind in order to obtain the second half," says, a little annoyed, Leeann Nicolo of Coalition.

Her company is one of 7 American firms, such as Gemini, Arete Advisors or Coveware, which act as intermediaries as part of a complete cybersecurity service.

Useful for limiting the damage after such a cyberattack, negotiators nonetheless have a murky reputation.

"It's a controversial role in cybersecurity because it fuels a bad system and some get paid by recovering a percentage of the ransom paid," said Thomas Roccia of McAfee.

Who are these shadow negotiators?

"This is a somewhat taboo role that enriches the black market and they are often cybersecurity experts whose functions are occasionally diverted" he says.

"It is a profession still not very widespread in France but some former negotiators of the GIGN or the police are starting to do so", points out the French consultant who assures that he no longer offers this option to his clients.

The market for negotiating with hackers is nevertheless taking root and opening up economic opportunities for these intermediaries.

In France, 65% of companies affected by ransomware in 2020 agreed to pay, according to the annual study on cyber risk management by insurer Hiscox.

"In France, we pay ransoms too easily"

“Today, France is one of the most attacked countries in terms of ransomware. And it is probably because we pay the ransoms too easily: insurers too often guarantee the payment of the sums demanded by cybercriminals,” said Johanna Brousse, the vice-prosecutor in charge of cybersecurity cases at the Paris prosecutor's office, during a hearing in the Senate in mid-April.

By pointing to the growing role of insurance, the magistrate put the spotlight on those who actually commission the negotiators mandated to facilitate transactions.

"They are often part of the package provided by cyber insurance, covering these costs and the intervention of an expert to redeem the data," according to Gilles Sarquiz, cybersecurity consultant at Sophos.

Guillaume Poupard, the boss of the National Agency for the Security of Information Systems (Anssi), was angry with "the troubled game of some insurers" who encourage their customers to pay immediately rather than suffer the consequences - lawsuits, loss of patents or bankruptcy - which would cost much more… to indemnity insurers.

Towards a regulation of activity

Stung by criticism, Axa France recently announced the suspension of its “cyber ransom” option, support in the payment of ransoms offered since mid-2020 to customers of its Cyber Secure insurance policy. "Those who pay are often not insured for these risks or have started negotiations without warning their insurer," says, putting this in perspective, Frédéric Rousseau, Cyber manager at Hiscox, a specialized insurer. "They take risks on their side because a direct payment of a ransom is also not refundable a posteriori by the insurer," he specifies.

Supported by the deputy for Aisne (LREM) Aude Bono-Vandorme, a bill on the fight against cybercrime intends, according to our information, to regulate, or even prohibit as quickly as possible, ransom payments and the activity of negotiators. Designed with the Ministry of the Interior, the legislative text will be on the agenda for the start of the parliamentary term in September.

"We must supervise these practices but in a progressive and intelligent way," recognizes David Corona of In Cognita, who advocates professional support for victims to "prevent them from paying at the first threat and eventually shutting down the systemic payment tap". He also warns against excessively brutal restrictions: “A business manager, cornered with the economic fate of hundreds of families at stake, could turn to foreign insurers and negotiators who would act like mercenaries.”

Source: leparis
