Ransomware Negotiations Revealed: Flattery and Empathy Work

Published at: Aug. 20, 2020

Details of a week-long negotiation between the University of California and a NetWalker ransomware gang have been revealed by Bloomberg.

The University’s School of Medicine was working on a vaccine for Covid-19 in June this year when seven of its servers were locked down by the hackers. Against the advice of the FBI, the university took matters into its own hands and conducted private negotiations.

The university negotiator used flattery, appealed to the hackers’ sense of sympathy and ethics, and managed to reduce the ransom from as much as $6 million to just over $1 million in Bitcoin (BTC), and successfully restored the systems.

Right off the bat, the negotiator made sure they had the hackers’ ‘operator’ on their side, calling for respect from both sides: “I’m willing to work this out with you, but there has to be mutual respect. Don’t you agree?” Before waiting for a response, they also appealed to the attacker’s pride:

“I have read about you on the internet and know that you are a famous ransomware hacker group and very professional. I know you will honor your word when we agree on a price, right?”

This appeared to work with the operator responding: “We are 100% about respect, and never will we disrespect a client who talk to us with respect.”

Negotiations shifted to feeling out how dedicated each side was, with the negotiator crying poor and stating that all funds had gone into the research with none left to spare.

Calling the apparent bluff, the operator replied that a school that collects over $7 billion in annual revenue should have no trouble paying a few million:

“You need to understand, for you as a big university [...] you can collect that money in a couple of hours. You need to take us seriously.”

The first offer by the university was $780,000 and was also scoffed at by the operator. “Keep that $780k to buy McDonalds for all employees. Is very small amount for us,” adding, “I am sorry.”

More time — for both sides

As is typical in ransom situations, the negotiator then asked for two more days in order to allow “the university committee that makes all the decisions” to meet again. The operator agreed on the condition that the $3 million ransom be doubled to $6 million.

A ransomware negotiator from Tel Aviv, Moty Cristal, told Bloomberg the extension might have proved useful for the attackers too, giving them time to identify the value of their stolen data.

The NetWalker group is a large-scale criminal enterprise that leases its software in a franchise-style program. The group posted a recruitment ad in March this year, adding new affiliates to its network.

Getting personal

At this point, either out of desperation or as a psychological strategy, the negotiator started appealing to the operator’s sympathies. “I haven’t slept in a couple of days because I’m trying to figure this out for you,” they said, “I am being viewed as a failure by everyone here and this is all my fault this is happening.”

“The longer this goes on, the more I hate myself [...] All I ask is that you be the only one in my life right now to treat me nice. You’re the only one in the world right now who knows exactly what I’m going through.”

The operator responded: “My friend, your team needs to understand this is not your failure. Every device on the internet is vulnerable.”

Four days into the attack, the negotiator eventually came back with an offer of over $1 million, saying they were bending their internal rules to add a $120K donation on the condition that the negotiations come to a close. They even added time pressure:

“We normally can’t accept these donations, but we’re willing to make it work only if you agree to end this quickly.”

The university spent 36 hours organising the purchase of 116 Bitcoin ($1.14 million) and sending the funds to the attackers. Two more days were required for the hackers to confirm the deletion of all sensitive data and give access back to the university.

After more than eight days without access, the university regained complete access to all of its servers. However, the servers remained offline while the university investigated the incident with the FBI and other cybersecurity consultants. In its most recent update, on June 26, the university stated that the investigation was still ongoing.
