Victim Companies Seek Help from Professional Negotiation Teams
Negotiation Teams Take a 30% Commission on Reduced Ransom Amounts
Negotiators Lower the Initial Ransom Demands
They Also Handle Bitcoin Exchange and Transfers
Beware of Hackers Who Take the Money but Don't Provide Decryption
Some Negotiation Teams Collude with Hackers to Pocket the Discounted Amount
Companies that fall victim to ransomware but do not report the incident are confronted with two choices: they can either negotiate directly with the hackers or seek assistance from a professional negotiation team. Seo Hyunmin, Director of the Business Center at cybersecurity firm S2W, explained, "When hackers leave a ransom note (message) for the victim company, they provide very detailed instructions on how to contact them and how to exchange Bitcoin." He added, "However, because companies are inevitably thrown into panic when hacked, most of them end up relying on experts."
The term 'experts' refers to those who negotiate with hackers on behalf of victim companies. These experts usually work in teams of about five members. A simple search for 'ransomware data recovery specialist' on a portal site yields a long list of such firms. This is a market that has emerged as a result of hacking incidents targeting companies.
However, it is rare for victim companies to call just any company at random. Because their wariness of hackers is extremely high, they typically reach out to security consultants who are known only to a select few. One security consultant, who requested anonymity, said, "My role is to connect hacked companies with trustworthy negotiation teams," and added, "If I get a call from an unknown number, there is a 99% chance it is from a company hit by ransomware." Despite being the CEO of a reputable security company, he is also known by another nickname: "the fixer in the shadows." He is even more famous under this name among small and medium-sized businesses.
"At first, we tried to do as the hackers instructed, logging into the site with our staff and attempting to communicate. It was our first time experiencing this, and we were so shocked that our minds went blank. I secretly sent out an SOS to two trustworthy friends who run businesses. One of them handed me a business card, saying, 'This is a security consultant. Try contacting him.'" This is how the CEO of a bio-materials company that suffered a ransomware attack in September 2023 got in touch with the fixer in the shadows and ended up signing a contract with a negotiation team based in Busan.
The Negotiation Team Handles Hackers, Even Sending Bitcoin
Negotiator Kim, who handled the case at the time, showed messages exchanged with the hackers two years ago. The negotiations took place via chat and email on a site created by the hackers on the dark web (a secret network accessible only via specific programs). The hackers initially demanded a ransom of about 15 bitcoins (approximately 560 million KRW at the time).
"The amount you are proposing is too high. We cannot pay that much. Is there room for negotiation?" (Kim) "Negotiation is always possible. Can you pay today or tomorrow? If so, I can offer an additional discount. But do not lie about not having the money. You are a large company with over 100 employees and annual sales of at least 50 million dollars." (Hacker)
After a day-long negotiation, Kim managed to bring the ransom down to about 9 bitcoins (approximately 340 million KRW at the time), which is around 60% of the original demand. Kim explained, "Hackers usually set the price 1.5 to 2 times higher, anticipating negotiations," and added, "Negotiation is usually possible, but since hackers have access to all of the company's information, it is difficult to bargain for a much lower price."
The negotiation team's revenue comes from a commission, which is about 30% of the amount by which they reduce the ransom. As the number of data recovery specialist firms has increased in recent years, some now offer flat-rate contracts or promise not to charge a cent if negotiations fail.
The negotiation team's responsibilities also include exchanging and sending Bitcoin to the hackers. This is because, under current law, Korean corporations are not allowed to purchase virtual assets directly. The victim company hands over cash to Kim, who then converts it to Bitcoin and sends it to the hacker's wallet. This transaction is recorded in the victim company's accounting books as a "recovery expense" or similar entry.
The negotiation team is seen bargaining the ransom through chat on a dark web homepage created by hackers. The hackers initially demanded a ransom of about 15 bitcoins (approximately 560 million KRW at the time), but as a result of the negotiation, it was reduced to about 9 bitcoins (approximately 340 million KRW at the time), which is around 60% of the original ransom. (Photo by the victim company)
There have been cases where companies paid the hackers, but the decryption was not provided as promised. Last year, a hacker group took 100 servers of a robot parts manufacturer hostage and demanded 12 bitcoins (1.8 billion KRW). The negotiation was successful, and the ransom was reduced to 4 bitcoins (600 million KRW). However, the password provided by the hackers only restored 2 out of the 100 servers. When Kim requested the remaining passwords, the hacker replied, "My boss scolded me for giving too much of a discount," and demanded an additional 4 bitcoins. Kim said, "Hackers are becoming increasingly malicious these days, sometimes giving out incorrect passwords after receiving payment. In such cases, we have to contact them again to renegotiate," and added, "If the hacker gets offended during negotiations, they may upload confidential information to the dark web even after being paid, so one must be extremely cautious."
Betrayed by the Trusted Negotiation Team... Double Extortion
Even negotiation teams that deal directly with hackers can pose a risk to victim companies. There have been cases where they colluded with hackers to extort money from companies twice. In some cases, the victim company's frustration has led to lawsuits. A logistics company in Seoul lost money to both the hackers and the negotiation team in 2020. The hackers demanded 6 bitcoins (about 180 million KRW at the time) to unlock the servers, but during negotiations, the ransom was reduced to 5.5 bitcoins.
However, the negotiation team concealed this fact from the client company and presented a forged email, claiming they were unable to reduce the ransom from 6 bitcoins. The negotiation team diverted the 0.5 bitcoin difference for their own debt repayment. The victim company, suspecting nothing, transferred the purchase amount of 180 million KRW as well as a 40 million KRW commission, which was to be paid regardless of the negotiation outcome. As things proceeded smoothly, the negotiation team became greedier. They even sent an email to the hacker first, saying, "Let's try to demand 2 more bitcoins. I will negotiate well and we can split the profit."
This fraudulent group eventually went so far as to impersonate hackers themselves. They created malicious software that encrypted files with the '.enc' extension. During the process of repairing client computers, they secretly installed the program and falsely claimed the computers had been infected with ransomware. Over the course of a year, they extorted a total of 30 million KRW from six companies that had requested negotiations, under the pretext of recovery fees. Ultimately, in 2022, the Supreme Court sentenced the ringleader of the negotiation team to two years and six months in prison. The court ruled, "The defendant committed the crime of defrauding victims of money under the pretext of ransomware recovery or distributing malicious software under the guise of computer repair, and the nature of the crime is particularly egregious."
© The Asia Business Daily (www.asiae.co.kr). All rights reserved.
![Negotiating Ransom Down from 500 Million to 300 Million... The 'Shadow Negotiator' Who Cuts Hacker Demands [Cover-up ④]](https://cphoto.asiae.co.kr/listimglink/1/2025052713582575375_1748321905.jpg)

