Ransomware Negotiations Revealed: Flattery and Empathy Works
Details of a week-long negotiation between the University of California and a NetWalker ransomware gang have been revealed by Bloomberg.
The University’s School of Medicine was working on a vaccine for Covid-19 in June this year when seven of its servers were locked down by the hackers. Against the advice from FBI, the university took matters into its own hands and conducted private negotiations.
The university negotiator used flattery, appealed to the hackers sense of sympathy and ethics, and managed to reduce the ransom amount from as much as $6M, down to just over $1 million in Bitcoin (BTC) and successfully restored the systems.
Right off the bat, the negotiator ensured they had the hacker’s ‘operator’ on their side, calling for respect from both sides, “I’m willing to work this out with you, but there has to be mutual respect. Don’t you agree?”. Before waiting for a response, they also appealed to the attacker’s pride:
“I have read about you on the internet and know that you are a famous ransomware hacker group and very professional. I know you will honor your word when we agree on a price, right?”
This appeared to work with the operator responding: “We are 100% about respect, and never will we disrespect a client who talk to us with respect.”
Negotiations shifted to feeling out how dedicated each side was, with the negotiator crying poor and stating that all funds had gone into the research with none left to spare.
Calling the apparent bluff, the operator replied that a school who collects over $7 billion in annual revenue should have no trouble paying a few million:
“You need to understand, for you as a big university [...] you can collect that money in a couple of hours. You need to take us seriously.”
The first offer by the university was $780,000 and was also scoffed at by the operator. “Keep that $780k to buy McDonalds for all employees. Is very small amount for us,” adding, “I am sorry.”
More time — for both sides
As is typical in ransom situations, the negotiator then asked for two more days in order to allow “the university committee that makes all the decisions” to meet again. The operator agreed on the condition that the $3 million ransom be doubled to $6 million.
A ransomware negotiator from Tel Aviv, Moty Cristal, told Bloomberg the extension might have proved useful for the attackers too, giving them time to identify the value of their stolen data.
The Netwalker Group is a large-scale criminal enterprise and leases its software in a franchise style program. The group posted a recruitment ad in March this year, adding new affiliates to their network.
Getting personal
At this point, either out of desperation or as a psychological strategy, the negotiator started appealing to the operator’s sympathies. “I haven’t slept in a couple of days because I’m trying to figure this out for you,” they said, “I am being viewed as a failure by everyone here and this is all my fault this is happening.”
“The longer this goes on, the more I hate myself [...] All I ask is that you be the only one in my life right now to treat me nice. You’re the only one in the world right now who knows exactly what I’m going through.”
The operator seemed responded: “My friend, your team needs to understand this is not your failure. Every device on the internet is vulnerable.”
Four days into the attack, the negotiator eventually came back with an offer over $1 million, saying they were bending their internal rules to accept an additional $120K donation on the grounds that the negotiations come to a close. They even added a time pressure:
“We normally can’t accept these donations, but we’re willing to make it work only if you agree to end this quickly.”
The university spent 36 hours organising the purchase of 116 Bitcoin ($1.14 million) and sending the funds to the attackers. Two more days were required for the hackers to confirm the deletion of all sensitive data and give access back to the university.
After more than eight days without access, the university successfully gained complete access back to all their servers. However the servers remained offline while they investigated the incident with the FBI and other cybersecurity consultants. In the most recent update on June 26, the university stated that the investigation was still ongoing.