'You Can't Just Concede.' How One Expert Explains Negotiating With Cybercriminals
Colonial Pipeline reportedly paid nearly $5 million worth of bitcoin to recover its data from cybercriminals who had hijacked the company's computer systems. The shutdown disrupted gas supplies across large parts of the South and East Coast.
The hackers used ransomware, which takes control of a victim's computer and locks them out of their data unless they agree to pay an anonymous hacker, usually in cryptocurrency. Hackers may also threaten to leak a company's sensitive data to the public unless paid to keep quiet.
Thousands of institutions fall victim to ransomware attacks each year in the U.S., including local governments, small businesses, schools, hospitals, airports and more. Law enforcement discourages paying the extortionists, but many businesses do. Surveys suggest at least a quarter of victims pay up, with payments often in the tens or even hundreds of thousands of dollars.
Data is spotty, though, because many companies don't report attacks. And even if they pay, there's no guarantee they'll recover all their data.
So when businesses are attacked with ransomware, one of the people they call is Bill Siegel, CEO of Coveware. The company collects data on ransomware attacks, helps victims respond to attacks and often negotiates with hackers.
"It's not a foregone conclusion that a company has to pay a ransom," he says. Large companies may need days to figure out whether their data is safely backed up. They can start talking just to buy time. "We'll kick off negotiation, knowing that a very likely outcome is that we actually don't end up paying."
Siegel talked with Rachel Martin on Morning Edition about what it's like to help companies respond to attacks. Here are excerpts:
So you can be negotiating just to buy time so the company can figure out if they have a backup and they can say, "Sorry, your threat's not good here because we're safe."
Yeah, that's the goal. The cost for a large company being down is so substantial that hours can mean the difference in millions or tens of millions of dollars of lost profit. Or in the case of a hospital or something, it can mean the difference between life and death. So you don't want to waste any time. You want to basically get to the finish line and be ready, even if the conclusion is, well, we don't need to do anything. And that's the best conclusion.
What happens when it becomes clear that a company really is at risk and they don't have adequate backup and the hackers really do have all the power? What do you and your clients have in terms of leverage in a situation like that?
The answer is you have very little, but you still have to find ways to negotiate successfully on behalf of your client. You can't just concede. You can't look desperate. And so you have to find ways to draw the negotiation to some semblance of a successful conclusion.
If a cyberattack happens and the company is forced to pay ransom, what's to prevent those same hackers from six months, a year later, just coming back and doing the same thing again?
Absolutely nothing is the answer. One of the biggest fallacies and misunderstood aspects of these attacks is that they are like lightning strikes — it's like, "Well, it happened once. It's not going to happen again." That's just, that's not the way it works. The groups that are carrying this out are part of a very well-organized and a very large industry.
The power laws of economics dictate how they behave. If there's one thing I've observed over doing a few thousand of these over the last couple of years is that economics rule how behavior runs in this space. If it is cost-effective — i.e., cheap — to attack a company and has a high likelihood of being profitable at low risk, they will do it. And they will do it over and over and over again, just like any other business would do the exact same thing if they found a very cheap way to sell very high-profit products. ... If a company does not take it seriously and they don't fix the vulnerabilities that allowed it to happen in the first place, there's a 100% chance it happens again.
Are you able to tell us the origin country of most of the cyberattacks that you see?
We don't do very detailed attribution. What I would say is that the contributory factors that have led us to where we are today are as much socioeconomic as they are other things. There are such low barriers to entry to cybercrime, and there are lots of well-educated, sometimes STEM-educated individuals in lots of parts of the world. They don't have the job prospects that will pay them the money that they aspire to make.
And sometimes their local jurisdictions are kind of out of the reach of Western law enforcement. And while it may be sort of frowned upon, it's sort of condoned by wherever they live. Because the local economy actually benefits from the laundered proceeds of these attacks filtering back in. And these people are buying houses and buying Starbucks and buying cars. And that's a good thing for the local economy. So they sort of look the other way.
As a facilitator of these payments, are you concerned that you are actually helping perpetuate this cycle?
Of course. And I think if you're going to be in this industry, you have to have a pretty big altruistic chip on your shoulder. And we founded this company to try and solve the problem. That may seem weird, but the reality is when we founded the company, there was no centralized data on how these attacks happened. And we felt that the first thing you have to do to solve the problem is to collect the data. And I think we've done that very well. ...
We share information with law enforcement. We share information with the public. And we have absolutely no problem winding up our company and closing it down if ransomware ceases to exist as a problem.
Scott Saloway edited the audio interview. James Doubek produced for the web.
Copyright 2021 NPR. To see more, visit https://www.npr.org.