Hacked - Negotiations 101
Episode Date: August 31, 2021
Hacked Presents a JB solo adventure, in which Scott takes a much needed vacation and Jordan does all the voices as he dives into the world of ransomware negotiators. If you like the show and want to make sure we can keep making it, please subscribe and if you can visit https://www.patreon.com/hackedpodcast and show us some love.
Transcript
All right, so let's go ahead and start this podcast about cybercrime with what I know you've all come here for.
A brief history of the economics of kidnapping in southern and central America in the 1970s.
Obviously.
So it's 1971 and there's this British-owned meatpacking plant in Argentina.
And the manager of the plant, British guy, upper management at the company, gets kidnapped by a local guerrilla group.
And the guerrilla group says, this is a...
of kidnapping. If you ever want to see your British meatpacking manager friend again, you're
going to have to pay a ransom. And they go back and forth with the company, and they decide on a sum.
$250,000. Now, adjusting for inflation, that's like $1.6 million. So this was a very profitable
enterprise for these Argentinian guerrilla fighters. And soon, word starts getting out.
The next year, an executive for an electronics company in South America gets kidnapped,
and the electronics company pays a ransom that is twice as much.
And with that, the value of a kidnapped executive just starts to inflate rapidly.
In 1973, in ransom for kidnapped executives, Coca-Cola paid a million dollars, Kodak paid 1.5,
British American Tobacco paid $1.7 million, and Firestone paid three.
One of these guys gets kidnapped, and the price tag ends up coming into $2.3 million.
And then, two years later, the same guy gets kidnapped again.
And this time, they charge the company $10 million.
In a kidnapping operation that involved an entire theatrical production involving actors in fake cop outfits and telephone workers and custom printed street signs,
Juan and Jorge Born, heirs to one
multinational food processing empire, were kidnapped and held ransom for what ended up coming
out to a $60 million price tag.
And when there's this much money floating around, an economy starts to be born.
Because somebody has to negotiate these things.
In 1975, a company called Control Risks is founded by two former British Special Forces guys to help
insurance companies deal with this growing problem because they're the ones footing the bill.
And then that ecosystem of kidnapping negotiators itself becomes a hotbed of scandal and deception.
Because if you make a lot of money negotiating kidnappings, you kind of have an incentive for people
to get kidnapped. When an illegal thing becomes profitable enough, a whole secondary economy is
birthed around it. And when that illegal thing involves ransoms, the players tend to be the same.
The kidnapper, the kidnapped, the insurer, and the subject of this episode, the negotiator.
Because recently, I started to notice these same four players in a different show.
Tonight, President Biden is urging Vladimir Putin to rein in the ransomware attacks emanating from
inside Russia.
The United States expects when ransomware operation is coming from his soil, even though it's
not sponsored by the state, expect them to act.
We talk about ransomware a lot here on Hacked, and the world is talking about ransomware a lot
right now too.
And this question kind of got stuck in my head.
In that little ransomware chat box, when one of these giant,
giant companies is negotiating with some ransomware hacker over the fate of millions of dollars
worth of data, who is that negotiator?
Because when there's this much money on the line, you don't do it yourself.
You hire the people.
Last week, a transcript from one such negotiation at the University of California at San Francisco
was published in part.
And it shows us a peek into one of these negotiations and it is fascinating.
June 5th of last year, a negotiation started in a little text box between two parties, neither
of which knew who they were really talking to.
And the starting point for that negotiation was $3 million.
So that's this episode, the story of one negotiation and the whole weird world of recovery
companies and criminal bureaucracies and multi-million dollar negotiations that invites
us into.
Scott is taking a very well-earned month off, so this is going to be a strange one.
This is going to be a J.B. Goes Solo episode.
We're going to call it Negotiations 101 here on Hacked.
This is going to be an interesting one because A, we only have partial transcripts of this negotiation.
And bigger thing is B, it's kind of an unreliable narrator situation.
And that unreliability is super interesting.
So in order to get into one of these ransomware negotiation, chat box things, you get given a key by
the hacker. And these keys then get handed out to different members of the internal response team,
law enforcement, external negotiators. And once that conversation is starting, once the countdown
clock has begun, multiple people can get into the chat, which means that the hacker or hackers
never really know who they're talking to, same as the negotiator or negotiators, don't really know
who's on the other side of the box. And someone with one of these keys, with actual
access to this transcript at UCSF, was who leaked it.
University of California, for what it is worth, has not denied that they were hacked.
They have not denied that the transcript is real, but they did make a really interesting
clarification, saying, quote, the statements made by either party were made in the context
of negotiation.
And it's interesting that they wanted that known.
It also makes telling this whole story kind of prickly.
For example, normally, I would set the scene by saying something like, in one of the earliest messages with the hacker, the negotiator tells them what was going on at UCSF at the time of the hack, and it couldn't have come at a worse time.
They suggested that June 5th of last year, University of California at San Francisco was in the middle of a research rush to help develop a vaccine or treatment for COVID.
The negotiator suggests that some of this research wasn't backed up, which meant that
hackers were essentially holding ransom potentially life-saving information.
The negotiator wrote, quote, we've poured almost all funds into COVID-19 research to help cure this
disease, which makes holding it ransom a pretty messed up thing to do.
Here's the thing.
That's a really smart thing to say in the context of a ransomware negotiation, but it doesn't
really mean it's true.
It's kind of what I would say if I was a medical research hospital negotiating with my own hacker.
I'm trying to solve COVID.
You should give me all this back.
It's very clever.
And UCSF was doing COVID-19 research.
At the time of writing, they were doing 36 ongoing clinical trials related to COVID-19.
A fact that has zero bearing on whether a $7 billion operating budget has $3 million
sitting around to pay off a hacker.
But like when you hear it, you feel it.
It's kind of a smart chess move in the context of a negotiation.
And that's really this whole thing.
Everything that gets said during this drama has to be taken with a huge grain of salt.
It's in the context of a negotiation.
So when I read these lines, I'm not telling you what happened.
I'm telling you what's being said between these two parties.
Negotiator and hacker.
And here's what it said.
June 6, 6:50 p.m., hackers locked down a bunch of servers in the biostatistics and epidemiology departments at UCSF.
In order to give the keys to unlock the data, they're demanding $3 million from the school.
That's their opening bid.
This little chat box where the negotiation is going down kind of reads visually almost like a customer service portal.
Except there's a little red flashing timer that reads two days, 23 hours, zero minutes down in the corner.
And the ransom message up top above the text box explains that if that countdown hit zero, the price
doubles. It's a little sales pressure for you. To my mind, there's like two thoughts on this.
In a negotiation, you should either wait for the other side to say the first number or that you
should always say the first number so as to anchor the conversation where you want it.
So the hacker has already said that their number's $3 million. They know what they're very
clear about what they're asking for. They've beaten the negotiator to the punch. It's kind of an
interesting question just to imagine like what is your counterproposal to $3 million for some data
and we'll get to this later, no one knows what's in it.
It could be worth $10 million.
It could be worth none.
So the negotiator comes back with their number.
And the negotiator starts by hitting Hacker with compliments,
which according to negotiators is like 101-level negotiating strategy.
Negotiator says, quote,
I'm willing to work this out with you.
There has to be mutual respect.
Don't you agree?
I've read about you on the Internet,
and I know you are a famous ransomware hacker
group and very professional. I know you will honor your word when we agree on a price.
And this tactic, Negotiations 101, flattery, it works. The hacker replies,
We are 100% about respect. Never will we disrespect a client who talks with us with respect.
But he adds, do not offer anything ridiculous. The negotiator's response is next to ridiculous.
The negotiator replies,
I can submit a request for the maximum amount of $780,000,
but I would be lucky if I got even half of it.
So that's his response to a $3 million opening salvo, $390,000.
And the hacker replies poorly.
Quote,
I suggest you reconsider another offer, at this time a serious one.
The hacker then threatens to blow the whistle
on UCSF's loss of student faculty data to the Federal Trade Commission,
but the negotiator, the sly boots, calls the bluff.
The FTC is not a concern for us.
We would just like to unlock our computers to get our data back.
I know you want to make a lot of money here.
I get it.
But you need to understand that we don't have this much cash sitting around.
So kind of like a car salesman, the negotiator goes away for a little bit to talk to their manager.
And they come back and they say, quote,
We are having a meeting with a few of the department heads to discuss finding more money.
The sense is that it's not looking good.
The more I ask around, the more I hear about how all the departments are hurting for funding.
I ask that you keep an open mind.
To which the hacker replies.
Keep that $780,000.
Buy McDonald's for all your employees.
So counterproposal.
Just shut down.
In reading through this, I kept trying to pause.
And before I would go ahead, think about what my next move in this would be.
Imagine I'm sitting in the car dealership.
I'm typing in the box.
What would I say?
There's this guy named Kurtis Minder.
He's one of the better known ransomware negotiators.
He's got a traditional cybersecurity background,
but he's carved out this niche in this space
as a go-to for big firms negotiating these things.
There's a really, really good profile of him in The New Yorker.
And he talked about two things that I found super interesting
and relevant at this point in the story.
First is that a lot of rookie negotiators tend to almost talk down to the hacker.
It comes from a place of anger, which is apparently a pretty big mistake.
And it's kind of intuitive.
You should be nice to the person that you're trying to make a deal with.
It should be a little bit flattering and empathetic.
But the big one was that you needed to avoid making counter offers in big round numbers.
This is apparently super important.
You should never give a new number without like a really solid
justification. Because if you let the number just move randomly, if you just give another five,
another 10 here and there, it tells the other side that there's more money if they just wait.
And we see that philosophy everywhere in this conversation. Every new cent in play has a story
behind it. So the negotiator replies to the hackers, like, you know, use this little bit of money
you're offering to go buy your staff McDonald's joke in a pretty earnest way. They say, quote,
I hope you know this isn't a joke for me.
I haven't slept in a couple of days because I'm trying to figure this out for you.
I'm being viewed as a failure by everyone here, and this is all my fault this is happening.
The longer this goes on, the more I hate myself, and wish this were to end one way or another.
I know you must deal with people treating you bad all the time, but I'm really trying to figure this out, and I don't mean any disrespect.
All I ask is that you be the only one in my life right now to treat me nice.
You're the only one in the world right now
who knows exactly what I'm going through
I guess we're both alike in this sense
Everyone hates us and blames their problems on us
We both want the same thing here
Which like, yeah, you feel that
I don't really believe it, but I feel it
And the hacker replies
My friend, your team needs to understand
That this is not your failure
Every internet device is vulnerable
I understand you, but your university has a lot of money
and I'm 100% sure they can get more than $780,000.
You need to understand us.
The initial price was $3 million.
How can I accept $780K?
It's like I work for nothing.
You need to understand, for you as a big university, our price, it's shit.
You can collect money in a couple of hours.
I wish we can make an agreement, but $780,000 is not good.
So like if empathy and relatability is the language of like a really good negotiation,
both sides speak it.
So the negotiator is able to trace the hackers back to their online presence on the dark web, this blog.
And he's able to learn some stuff about how they launched the initial attack against UCSF.
And it's here that we learn a little bit about the tool that this hacker used to launch the attack.
Something called Netwalker.
I don't know the absolute best way to describe what Netwalker is.
It's something between like an employer and a franchising opportunity.
Netwalker malware can be leased to like would-be hackers as kind of this like franchise program.
In March of 2020, the team that made Netwalker, this group called Circus Spider,
decided that they wanted Netwalker to become like a, just a household name.
They decided to expand through something that kind of worked like an affiliate network,
almost like the Maze ransomware gang,
that allowed them to operate at just this way bigger scale,
target way bigger organizations, and increase the size of the ransoms that were coming in.
But what's interesting is that in order to use Netwalker, you kind of have to apply for it like a job.
And there are qualifications to use Netwalker.
And the important ones are that you have to be a, quote, Russian-speaking network intruder, not spammers, with a preference for immediate, consistent work.
In June of the same year, they posted a second ad saying, if you're an English speaker, you cannot apply.
And our hackers here are using Netwalker, so we can infer some stuff about where they're coming from.
So we got this negotiation going on over how much money this is going to cost the university.
That's our A plot.
But then down here, there's like a B plot, which is that the negotiator wants to start getting assurances
that they're actually going to get their files back, that this hacker that they're talking to is actually telling the truth.
And the negotiator has also kind of shown their hand a little bit.
They've shown that they've been researching this hacking group.
They know that they're Russian.
They know that they're using Netwalker.
And the negotiator has come back with the 780K is this number.
And the hacker says, we can agree on a price, but not like this.
I take this number as an insult.
And the negotiator replies, quote,
I'm also sorry.
I don't mean to insult you.
I know you work for this and need to make money.
I understand.
I've read about you on the internet.
I know that you're a famous ransomware hacker
group and very professional. I know you'll honor your word when we agree on a price and you'll
provide a decryption tool and full list of files you stole. To which the hacker replies,
if you read about us, tell me you saw something that we didn't provide decryption tools. I'm 100%
sure. You will see. So if we agree on a price, which will be okay for both, don't worry. Everyone
will continue life like normal. So both sides have established that they're men of honor,
followers of a code. They're also not really getting anywhere. They're stalled out at
kind of that opening move.
Hackers want three million.
School wants to pay 780K.
There's two days, 22 hours, and 31 minutes left on the clock.
And the UCSF negotiator asks for a two-day extension.
So the quote,
the university committee that makes all the decisions could meet again.
I was kind of curious why he might do that.
I read a pretty interesting piece in researching this that talked about playing for time
as a pretty useful tactic in these negotiations,
in that it gives you a bit of a chance to evaluate
the actual scale of the threat that you're facing further.
A Canadian air ventilation manufacturer that was hit explained that after asking for more time,
they used that time to figure out what they could and couldn't restore from their system.
What had actually really been stolen that they couldn't get back some other way.
And they also figured out that they didn't really need what the hackers had.
So after asking for an extension, they just stopped talking to them altogether.
So buying that time saved them buying the data.
So UCSF starts using this time the negotiator bought to start kind of combing through the wreckage.
And they figure that their hackers had managed to encrypt data on about seven of their servers.
And that the attackers had copied about 20 gigabytes of data from the machines.
And it wasn't worth nothing.
They discovered with their extra time that they actually did really want this data back.
As with everything, there are pros and cons to this delaying tactic.
A pro of delaying is that you can go digging around to figure out what the hackers actually have
and kind of put a price tag on it.
A con is so can the hackers.
And maybe they find something in there that's worth a lot of money in that data.
Maybe so do you.
Maybe after holding strong at 780K for like four days, you buy time, you go investigate.
Instead of ghosting the hackers because they don't have anything good, you come back with a new offer
because you kind of want what they've got.
$1,020,895.
But as we know, you never do round numbers.
You always got to come back with a story
every time you come back with a new number.
That story, right after the break.
Hacked solo. This is weird. I miss Scott.
So we've talked a lot about ransomware on this show.
This episode is specifically about the negotiation side of it.
But in researching it, I started getting curious about the history of this whole thing.
We started the episode by going back to the 1970s to track the heyday of physical ransoms.
So I was curious, how does the digital version of this start?
One of the earliest sort of iterations comes in 1989.
When 20,000 public health researchers around the world got a floppy disk in the mail
in a letter explaining that the disc contained new research and an information database on the AIDS epidemic.
What it actually contained was a malicious program that is now considered the first instance of ransomware.
So they put the disc in the computer and everything works normal for a while.
while, but after users rebooted their computer exactly 90 times, a text box would appear on the
screen informing them that their files were now locked. Then, this is a nice little bit of theater.
Their printer spat out a ransom note, instructing them to mail $189 to a post office box in Panama.
The malware, which came to be known as the AIDS Trojan, was created by a guy named Joseph
Popp, a Harvard-trained evolutionary biologist. Popp, whose
behavior grew increasingly erratic after his arrest, was then declared unfit to stand trial.
He would eventually donate the modest profits he made from inventing ransomware to AIDS researchers,
and he would later go on to found a butterfly sanctuary in upstate New York.
So Joseph Popp contains multitudes.
So that's the first ransomware.
But it's kind of like a musician who invents a genre like 20 years before someone else comes along
and makes it blow up with that first big hit single.
because for a long while before Popp's ransomware idea kind of comes back,
we've got broadly considered its precursor scareware,
which is essentially just when someone infects a system with a piece of malware that says,
you've heard it before, you love it, quote,
Security warning, your privacy and security are in danger.
Like a pop-up that tells a user to buy a certain antivirus software to protect their system,
and then a hacker posing as a software company could then receive a legitimate credit card payment,
which was unavailable to those deploying full-on ransomware.
So that scareware to ransomware transition
is really just waiting on someone
to be able to take untrackable payments.
There's this window of time where people are deploying early ransomware
using gift certificates or prepaid debit cards as payment methods,
but you really still need someone to then launder that money,
which means doing it at any kind of scale was tough.
The margins just aren't there.
Mail me like $189 to a PO box
in Panama, it's not a great way to make a fortune.
So the whole thing really pops off with Bitcoin.
With Bitcoin, this relatively mature space of malware that locks down files that are worth a lot
of money to the owners meets a payment method that lets that hacker extract that value
from the owner anonymously.
Your files are worth a thousand bucks to you?
Well, now there's a way, you can pay me that thousand bucks that law enforcement cannot
track.
A jillion years ago in 2015, the FBI estimated that the U.S. was subjected to a thousand
ransomware attacks per day.
And the next year, that number had quadrupled.
Kind of like hostage ransoms in South America in the 70s.
Mike Phillips, the head of claims for the cyber insurance company Resilience, says,
quote, now it's ransomware first and only, and everything else is a distant second.
Those cyber insurance companies are a really big part of where these negotiation companies
come from.
They're who pays those companies.
So, like imagine you get hacked.
Your first call, if you have it, is probably to your insurance company because they are kind of in this mess with you.
Ultimately, if you have cybersecurity insurance, it's in the insurance company's best interest to get that payment as low as possible because they're going to be paying a pretty big chunk of it.
And they're not negotiators.
They don't want to be in that text box.
And they don't want to have you negotiating it because you might suck at it.
So they hire a negotiator like Minder or the one in the UCSF convo that we've been following.
but that also creates this ripple in the economy as well
because the second word gets out
that insurance companies have opened the money spigots
to pay negotiators
a lot of people are going to want to come along
and maybe fill up their cup a little bit
not just the ransomware criminals
but people who want to get into the negotiations game
for example
Minder, the ransomware negotiator,
there's a story that he's got of encounter
I guess you could call it one of his competitors, another negotiator of sorts.
So last November, one of Minder's colleagues, guy named Fowler, ex-narcotics detective from
North Carolina, and this is just an aside, but what a great name for a negotiating deal,
Minder and Fowler. It's awesome.
Fowler was designated negotiator for this construction engineering firm, and he goes on to log onto
the dark website and like the portal where the negotiation is set to go down. And he notices,
when he logs in for the first time,
the timer that counts down from the moment you log in the first time
had showed that three days had already elapsed.
And in the little chat box that he's about to start a conversation in,
there's already a conversation underway.
And a negotiator was not very good at it.
Whoever had been chatting on behalf of the engineering firm
was acting like a huge asshole
when the hackers demanded $200,000 to unlock the company's files.
The negotiator initially counteroffered $10,000 and then quickly jumped up to $14,000 and then quickly jumped up to $25,000.
They're immediately breaking rules one and two of this whole thing.
Fowler explained it as, quote, what that communicates to the threat actor is that there is more money here.
And Fowler is reading along and he's seeing that the hackers are getting angry with the negotiator.
The hacker says, quote,
You've reported an annual income of $4 million.
We are not expect small money from you.
The final message in the chat had arrived from the hacker two days earlier.
Are you ready to close with the cost of $65,000?
So someone had been negotiating on Fowler and the company's behalf,
and Fowler doesn't know who,
and the negotiators totally messed it up.
The hackers are set now on the 65K figure,
and they're not going to wiggle.
So Fowler and Minder are trying to piece together
what exactly happened here.
And the client insists
they've never gone to the dark website,
much less interacted with the hacker.
And then Fowler reminded Minder
about a recent post that he'd read
on one of the large ransomware consortiums,
dark web kind of corporate blogs,
warning about this new player.
These, like, to use their words,
quote,
fraudulent middlemen.
Not quite negotiators like Minder and Fowler,
but something else.
The middlemen would claim
that for a fee, they could decrypt the files,
which they couldn't, because math.
What they would actually do is secretly negotiate with the hackers,
agree on a rate, before turning around and offering the files that they decrypted
back to the victim at a huge markup.
It's pretty funny to me that a ransomware gang would have a company blog
where they're warning about fraudsters attacking their clients
who are actually their victims because they are fraudsters.
But in any case, Minder goes back to his client and they admit, oh yeah, you're the only
negotiators we hired, but we also reached out to this company who claimed they could just
recover the data, that they could decrypt it.
This company called Monster Cloud.
Monster Cloud, a Florida company that advertises itself as quote the world's leading
experts in cyberterrorism and ransomware recovery.
Monster Cloud's website encouraged victims to use their ransomware kind of removal service instead
of paying a ransom.
And that whole premise is probably pretty appealing to a lot of people, including the heads of this big engineering firm who were, according to Minder, very, very patriotic and didn't like the idea of giving a ransom to a foreign criminal syndicate and would vastly prefer it to give it to a software company in Florida.
It was claiming to do this, unbeknownst to them, impossible thing of decrypting these files.
So Minder's sitting in the text box, just watching these hackers and Monster Cloud, agree on this price of 65.
And Monster Cloud doesn't know that anyone is in the negotiation with them.
At which point, a Monster Cloud rep comes back to the engineering firm saying, hey, we cracked it,
we can decrypt these files for the price of $145,000.
That's a pretty big markup.
According to an investigation by ProPublica, Monster Cloud has a long track record of secretly negotiating with hackers.
ProPublica spoke with a number of former clients who believed that their files had been decrypted,
without them ever paying a ransom,
even though the strains of ransomware in question
made this outcome,
if not impossible, then certainly very unlikely.
Monster Cloud is one of a handful of U.S.-based data recovery companies
that appear to follow this similar business model.
They claim to decrypt files using super high-tech tools,
which makes victims think that they can get their money back
without giving any money to a criminal syndicate.
And for, like, publicly funded clients, like a city that gets hacked,
or a law enforcement department.
That's a very appealing sales pitch.
And this now is becoming so common
that ransomware groups have actually recognized
that these middlemen data recovery firms
can be great partners.
They just want to close the deal quick.
And depending on what the hacker's doing,
maybe they do too.
One ransomware crew was found offering a promo code
just for these middlemen.
Monster Cloud declined to discuss their methods
with ProPublica, but their response was
not that surprising.
Quote,
we work in the shadows.
Zohar Pinhasi, the company CEO, told the publication,
how we do it.
It's our problem.
You will get your data back.
Sit back, relax, and enjoy the ride.
And they do it, according to this report,
by negotiating secretly and then selling you the data that they negotiated at a markup.
According to this report,
there is no cool decryption tech insight,
and the criminals still made their money.
Minder has since reported Monster Cloud
to the Federal Trade Commission.
Back to our main story.
Back at the University of California, San Francisco,
the negotiator has just come back
with his new offer,
a very specific, not-at-all-round figure.
The hacker takes a minute,
and then comes back with a counterproposal.
Let's go through the numbers again.
Remember, we'd started at $3 million.
The negotiator at $7.8.
The negotiator had finally flinched and come back with his number.
$1,020,895.
And the hacker replies,
How about $1.5 million?
Well, that's a big round number.
And suddenly the negotiation starts to feel like it's kind of circling the drain a little bit.
These numbers are getting closer to each other.
But ever the professional, never giving a number without a story behind it,
the negotiator comes back the next day, writing, quote,
The good news that I wanted to share is that a close friend of the school knows what's going on
and has offered to help donate $120,000 to help us.
We normally can't accept these donations, but we're willing to make it work,
only if you agree to end this quickly.
Can we please end this so we both can finally get some good sleep?
And there's this delay, this lag between messages,
this long pregnant pause before the hacker comes back
after six days of negotiating in that little customer service window
and they say, quote,
when can you pay?
The negotiator had made a deal.
So the same way that your smartphone is like basically a mature product,
there's little tweaks to it every year,
but the basic architecture of it isn't really changing.
The manufacturers and operators of cybercrime products
have kind of circled in on a mature design that works.
Ransomware has come of age.
In a June 7th press conference,
American President Joe Biden said,
quote,
I made it very clear to him,
him being Putin,
that the United States expects when a ransomware operation
is coming from his soil,
even though it is not sponsored by the state,
we expect them to act
if we give them enough information
to act on who that is.
So even though more eyes are on this,
it would seem that this ecosystem
is just going to keep growing and thrive.
And as it does, there are going to be services and providers that are necessary to keep the money flowing.
Just like in the 1970s, if a CEO is getting kidnapped every other day, if data is getting stolen every other minute,
eventually people are going to start looking for someone to solve the problem.
And they might bump into someone who, in the broad light of day, will negotiate that ransom for them.
Who'll follow some simple rules of negotiation, be empathetic,
never work in round numbers,
and take advantage of the detachment that comes
from not having been the ones hacked.
Or they bump into a, to borrow the hackers' term,
fraudulent middleman,
who'll tell them not to worry about how they do it
or how they make their money,
just that the deal gets done.
Because that's what it is now,
what it was in the 70s.
It's just a deal.
Six days after,
University of California, San Francisco puts together
the 116 Bitcoin necessary to pay the 1.1.1.
$1.4 million payment.
Along with access to the decryption key,
the deal included a commitment by the hackers
to transmit all the data that they had stolen,
presumably so that UCSF could determine
what data the hackers had in their possession
and could possibly have sold.
It would take the attackers almost two days
to decrypt, transmit, and show that they deleted their copies
of the files, but they would deliver
at 2:48 a.m. on June 14th.
And you can tell
for how personal the negotiator
made some of this.
I remember him saying, quote,
everybody hates me.
You're the only one who knows how it feels.
You can tell that this was just another deal.
This is what he does for a living.
Because when the payment goes through,
the hacker sends one last message asking,
so which recovery company are you with?
And the negotiator doesn't say a word.
Know how long is too long to talk into a microphone by yourself?
44 minutes is too long to talk into a microphone by yourself.
I hope you enjoyed this weird one.
Just me, just the J.B. Solo.
Scott was, as I said at the top of the show, Scott was enjoying a much needed break.
We were away last month because I was moving.
And that takes more work than I thought it did.
But I'm back.
We'll be back, both of us, next month. In the interim,
calling all Joeys and Irenes,
you're this month's new patrons.
What's up?
You actually get two months.
You get July and August.
Thank you so much for your support of the show.
It means the world to us.
If you want to support the show,
you find us at patreon.com/hackedpodcast.
It's normally a podcast hosted by two people.
It's even better.
We'll be back next month.
This is the morning.
I'm tired.
And I just talk for 44 minutes.
So I'm gonna dip.
Thank you so much for listening.
And we'll catch you on the next one.
