'You Can't Just Concede.' How One Expert Explains Negotiating With Cybercriminals

May 18, 2021
Originally published on May 18, 2021 8:17 am

Colonial Pipeline reportedly paid nearly $5 million worth of bitcoin to recover its data from cybercriminals who had hijacked the company's computer systems. The shutdown disrupted gas supplies across large parts of the South and East Coast.

The hackers used ransomware, which takes control of a victim's computer and locks them out of their data unless they agree to pay an anonymous hacker, usually in cryptocurrency. Hackers may also threaten to leak a company's sensitive data to the public unless paid to keep quiet.

Thousands of institutions fall victim to ransomware attacks each year in the U.S., including local governments, small businesses, schools, hospitals, airports and more. Law enforcement discourages paying the extortionists, but many businesses do. Surveys suggest at least a quarter of victims pay up, with payments often in the tens or even hundreds of thousands of dollars.

Data is spotty, though, because many companies don't report attacks. And even if they pay, there's no guarantee they'll recover all their data.

So when businesses are attacked with ransomware, one of the people they call is Bill Siegel, CEO of Coveware. The company collects data on ransomware attacks, helps victims respond to attacks and often negotiates with hackers.

"It's not a foregone conclusion that a company has to pay a ransom," he says. Large companies may need days to figure out whether their data is safely backed up. They can start talking just to buy time. "We'll kick off negotiation, knowing that a very likely outcome is that we actually don't end up paying."

Siegel talked with Rachel Martin on Morning Edition about what it's like to help companies respond to attacks. Here are excerpts:

MARTIN: So you can be negotiating just to buy time so the company can figure out if they have a backup and they can say, "Sorry, your threat's not good here because we're safe."

SIEGEL: Yeah, that's the goal. The cost for a large company being down is so substantial that hours can mean the difference in millions or tens of millions of dollars of lost profit. Or in the case of a hospital or something, it can mean the difference between life and death. So you don't want to waste any time. You want to basically get to the finish line and be ready, even if the conclusion is, well, we don't need to do anything. And that's the best conclusion.

MARTIN: What happens when it becomes clear that a company really is at risk and they don't have adequate backup and the hackers really do have all the power? What do you and your clients have in terms of leverage in a situation like that?

SIEGEL: The answer is you have very little, but you still have to find ways to negotiate successfully on behalf of your client. You can't just concede. You can't look desperate. And so you have to find ways to draw the negotiation to some semblance of a successful conclusion.

MARTIN: If a cyberattack happens and the company is forced to pay ransom, what's to prevent those same hackers from six months, a year later, just coming back and doing the same thing again?

SIEGEL: Absolutely nothing is the answer. One of the biggest fallacies and misunderstood aspects of these attacks is that they are like lightning strikes — it's like, "Well, it happened once. It's not going to happen again." That's just, that's not the way it works. The groups that are carrying this out are part of a very well-organized and a very large industry.

The power laws of economics dictate how they behave. If there's one thing I've observed over doing a few thousand of these over the last couple of years, it's that economics rule how behavior runs in this space. If it is cost-effective — i.e., cheap — to attack a company and has a high likelihood of being profitable at low risk, they will do it. And they will do it over and over and over again, just like any other business would do the exact same thing if they found a very cheap way to sell very high-profit products. ... If a company does not take it seriously and they don't fix the vulnerabilities that allowed it to happen in the first place, there's a 100% chance it happens again.

MARTIN: Are you able to tell us the origin country of most of the cyberattacks that you see?

SIEGEL: We don't do very detailed attribution. What I would say is that the contributory factors that have led us to where we are today are as much socioeconomic as they are other things. There are such low barriers to entry to cybercrime, and there are lots of well-educated, sometimes STEM-educated individuals in lots of parts of the world. They don't have the job prospects that will pay them the money that they aspire to make.

And sometimes their local jurisdictions are kind of out of the reach of Western law enforcement. And while it may be sort of frowned upon, it's sort of condoned by wherever they live. Because the local economy actually benefits from the laundered proceeds of these attacks filtering back in. And these people are buying houses and buying Starbucks and buying cars. And that's a good thing for the local economy. So they sort of look the other way.

MARTIN: As a facilitator of these payments, are you concerned that you are actually helping perpetuate this cycle?

SIEGEL: Of course. And I think if you're going to be in this industry, you have to have a pretty big altruistic chip on your shoulder. And we founded this company to try and solve the problem. That may seem weird, but the reality is when we founded the company, there was no centralized data on how these attacks happened. And we felt that the first thing you have to do to solve the problem is to collect the data. And I think we've done that very well. ...

We share information with law enforcement. We share information with the public. And we have absolutely no problem winding up our company and closing it down if ransomware ceases to exist as a problem.

Scott Saloway edited the audio interview. James Doubek produced for the web.

Copyright 2021 NPR. To see more, visit https://www.npr.org.

RACHEL MARTIN, HOST:

The operators of the Colonial Pipeline now say things are back to normal after a ransomware attack led them to shut down the pipeline. They reportedly paid upwards of $5 million to the hackers who had infiltrated their network. But not all cyber extortion attacks end this way. Bill Siegel runs Coveware. It's a company that responds to ransomware attacks and often negotiates with hackers. I asked him to explain the objective for these kinds of negotiations.

BILL SIEGEL: Well, at the end of the day, the goal is to find a way for the company to recover without having to pay at all. But that'd be...

MARTIN: Does that ever happen?

SIEGEL: Oh, yeah, absolutely. It's not a foregone conclusion that a company has to pay a ransom for sure. A lot of times when an attack happens, it's very difficult for a big company to determine immediately what the situation is because if you're a large company and you've got, you know, 10,000 servers globally and you've got backups at, you know, 15 different locations throughout the globe, it can take days sometimes to actually safely check the integrity of those backups. And so when we're managing a large, you know, enterprise incident, you don't want to start negotiating when you realize you need it; you want to be done. And so we'll kick off negotiation knowing that a very likely outcome is that we actually don't end up paying. But we want to...

MARTIN: So you can be negotiating just to buy time? So the company can figure out if they have a backup, and they can say, sorry, your threat's not good here because we're safe.

SIEGEL: Of course, yeah. That's the goal, right? You know, the cost for a large company being down is so substantial that hours can mean the difference in, you know, millions or tens of millions of dollars of lost profit. Or in the case of, you know, a hospital or something, it can mean the difference between life and death. So you don't want to waste any time. You want to basically get to the finish line and be ready, even if the conclusion is, well, we don't need to do anything. And that's the best conclusion.

MARTIN: So what happens when it becomes clear that a company really is at risk and they don't have adequate backup and the hackers really do have all the power? I mean, what do you and your clients have in terms of leverage in a situation like that?

SIEGEL: The answer is you have very little, but there - you still have to find ways to negotiate successfully on behalf of your client, right? You can't just concede. You can't look desperate. So you have to find ways, you know, to draw the negotiation to some semblance of a successful conclusion. What we do, in as much as there is a lot of skill and tactics and experience and data brought into actually the how of how we perform negotiation, there is as much experience and skill used in just the overall project management of the incident and helping the company think through these decisions and manage their own time and decision-making.

MARTIN: If a situation occurs, a cyberattack happens, the company is forced to pay ransom, what's to prevent those same hackers from, six months, a year later, just coming back and doing the same thing again?

SIEGEL: Yeah, there's absolutely nothing, is the answer. One of the biggest fallacies and misunderstood aspects of these attacks is that they are like lightning strikes, right? It's like, well, it happened once; it's not going to happen again. That's just - that's not the way it works. The groups that are carrying this out are part of a very well-organized and a very large industry. The power laws of economics dictate how they behave, right? If there's one thing I've observed over doing a few thousand of these over the last couple of years is that economics rule how behavior runs in this space. If it is cost effective - i.e., cheap to attack a company - and has a high likelihood of being profitable at low risk, they will do it, and they will do it over and over and over again, just like any other business would do the exact same thing if they found a very cheap way to sell very high-profit products. And so it's...

MARTIN: You've seen this?

SIEGEL: Yeah, of course. If a company does not take it seriously and they don't fix the vulnerabilities that allowed it to happen in the first place, there's a 100% chance it happens again.

MARTIN: Are you able to tell us the origin country of most of the cyberattacks that you see?

SIEGEL: You know, we don't do very detailed attribution. What I would say is that the contributory factors that have led us to where we are today are as much socioeconomic as they are other things. There are such low barriers to entry to cybercrime, and there are lots of well-educated, sometimes STEM-educated individuals in lots of parts of the world. They don't have the job prospects that will pay them the money that they aspire to make, and sometimes their local jurisdictions are kind of out of the reach of Western law enforcement. And it's - you know, while it may be sort of frowned upon, it's sort of condoned by wherever they live - right? - because the local economy actually benefits from the laundered proceeds of those attacks filtering back in. And these people are buying houses and buying Starbucks and buying cars, and that's a good thing for the local economy, so they sort of look the other way.

MARTIN: Have you thought about your company's role in all of this, I mean, especially when you consider those repeat offenders and how paying ransom, agreeing to pay a ransom to a group of hackers, doesn't prevent them from coming back? I mean, you as a facilitator of these payments, are you concerned that you are actually helping perpetuate this cycle?

SIEGEL: Of course. And I think if you're going to be in this industry, you have to have a pretty big altruistic chip on your shoulder. And we founded this company to try and solve the problem. That may seem weird, but the reality is, when we founded the company, there was no centralized data on how these attacks happened. And we felt that the first thing you have to do to solve the problem is to collect the data, and I think we've done that very well.

MARTIN: So what that means is any time you're in a negotiation, yes, you're helping your client, but you are learning things. You're learning things about the attackers. You're learning things about the process. And then you make those more publicly available or available to law enforcement, perhaps, or other entities within the U.S. government so that they can work on cracking down on the issue of cyberattacks.

SIEGEL: That's correct. We share information with law enforcement. We share information with the public. And we have absolutely no problem winding up our company and closing it down if ransomware ceases to exist as a problem.

MARTIN: And that would be the goal, presumably.

SIEGEL: A hundred percent.

MARTIN: Bill Siegel - he is the CEO of Coveware, which responds to ransomware attacks. Thank you so much for taking the time to explain all this. We do appreciate it.

SIEGEL: Thank you so much for having me.

(SOUNDBITE OF SYNTHETIC EPIPHANY'S "THE ART OF WAR")

Transcript provided by NPR, Copyright NPR.