The Decibel - Who are the people hacking hackers?
Episode Date: April 16, 2026

Ransomware attacks have become more prominent in recent years, with major breaches of hospitals, like Toronto's Hospital for Sick Children in 2022, and companies like Indigo in 2023. In 2025, damages from ransomware attacks were expected to reach US$57-billion worldwide. Alongside the rise of ransomware attacks came the emergence of a new kind of industry: ransomware negotiators. They communicate with attackers to try to convince them to lower the ransom fee. Today, the Globe's financial and cybercrime reporter, Alexandra Posadzki, joins us to talk about what it takes to hack the hackers, and what's at risk in these kinds of engagements. Questions? Comments? Ideas? Email us at thedecibel@globeandmail.com
Transcript
So the first time that Curtis Minder communicated with a threat actor was actually at his first ever tech job at Sencom Internet, which was one of the earliest dial-up internet service providers in central Illinois.
Alexandra Posadzki is the Globe's financial and cybercrime reporter.
And she's describing a situation that's becoming more common, a hacker in the system.
Essentially, his boss, who was the systems administrator, had been fired quite hastily,
and the president of the company asked Curtis to keep things running until they found someone to replace him.
And so he takes on this job, and then he finds something suspicious in the system logs,
which is essentially unusual logins from a router in a nearby town.
And so he engages with this threat actor, this person who had been logging in from this router,
and informed them that he knew that it was his recently fired boss who was lurking in the system
and that if he caught him again, he would report him to the authorities.
In that situation, Curtis learned how to deal with, quote, threat actors,
which led him to a new kind of job.
Curtis Minder's company GroupSense essentially engaged with threat actors in a different way,
and that is doing what's called threat intelligence.
So kind of lurking in the dark web, finding out what threat actors were doing.
And it was actually during the COVID pandemic that he engaged in his first kind of official ransomware negotiation
where a client of his approached him about doing a negotiation,
and he discovered that he had a real knack for it.
He managed to talk the hacker down from a demand for $2 million U.S. to a figure in the low six digits,
and he actually thought he could get the hacker down even further, to a five-figure amount, but the insurance company was eager to move things along.
In 2025, damages from ransomware attacks were expected to reach 57 billion U.S. dollars worldwide.
So for many companies, the question becomes: who do you call when things go wrong?
Enter the ransomware negotiators.
They deal with threat actors and try to lower the ransom fee.
But how do you know whether you can really trust these middlemen?
Today, Alexandra is on the show to talk about what it takes to hack the hackers and what's at risk when you choose to engage.
I'm Cheryl Sutherland, and this is The Decibel from the Globe and Mail.
Hi, Alexandra. Thanks so much for coming on the show.
Thank you for having me.
So, Alex, we just heard about a man who works as a ransomware negotiator.
But before we get into what exactly that is, can you just walk us through what usually happens in a ransomware attack?
In a ransomware attack, the hackers will essentially break into a company's networks and steal their data, encrypt the data,
essentially holding it ransom, and then offer to sell the encryption key back to the company for a price.
And so usually they'll say something like pay us X amount of money.
You'll get your data back.
And if you don't pay this money, then we're going to post all of this on the dark web
for sale.
What kind of companies are at risk here?
Well, all companies, and not even just companies, all organizations.
We've seen ransomware attacks against hospitals.
We've seen them against infrastructure, utility companies.
We've seen companies like Indigo get hacked.
We've seen Sick Kids Hospital get hacked.
Right now, what I'm hearing from experts is that it's a lot of small to medium-sized enterprises or SMEs because they don't necessarily have the same amount of resources to invest in the preventative security measures.
Okay, yeah. On the Indigo and Sick Kids, people probably were familiar with those because they're very big hacks that happened. And just to get some figures in here, apparently the group that hacked Indigo and Sick Kids called LockBit, U.S. officials alleged the group has made at least $100 million in ransom demands and extracted tens of millions of dollars from victims. So there's a lot of money involved here.
Absolutely. It's a massive industry. There's a company that puts out this report. They're called NetDiligence. And essentially what they look at is cyber insurance claims. So when you
have to make a ransom payment. If you have cyber insurance, there's a possibility that that payment
gets covered by the insurance company. And so what they do is they look at these claims over the years.
And they're saying that some of the payments that companies are making are as high as $75 million US.
Wow. And that's actually below what the hackers are asking for, which can be as high as $150 million US.
Wow. Lots of money we're talking about here. So ransomware attacks have been happening for a long
time. How exactly have they evolved? Well, in the early days of ransomware, it was pretty inefficient.
So the early ransomware attackers actually mailed floppy disks to their victims. You know, in the
snail mail, as we call it. And you'd have to be compelled for some reason to put this mysterious
unsolicited floppy disk into your computer. Maybe it promises to have some kind of interesting
secret on it. Or you're just a very curious person. And then at that point, it would encrypt your data.
And then I read about one instance where it was the printer
that would spit out the ransom demand
saying, you know, please mail this money.
There's a kind of well-known incident in 1989
that's sort of publicized as the first incident of ransomware.
And in that case, the attacker demanded the payment
be mailed to a post office box in Panama.
So not a very efficient way of hacking a system
and not a very efficient way of collecting payment.
Wow.
And just for our listeners out there,
that might not know what a floppy disk is because we're going back to the late 80s, early 90s.
What is a floppy disk?
Oh, you know, it was this disk that you would put in your computer with data on it.
I mean, there were the really big floppy disks, and then there was the kind of disks that were no longer floppy, but we still called them floppy disks.
They were a little bit smaller.
Yeah, yeah, exactly.
So they've evolved from floppy disks to now ransomware attacks usually deal with cryptocurrency.
Can you explain why that is?
Yeah, so essentially everything we do now is online, right? We've moved so much of our lives
online. We're doing so much commerce online, so many transactions online. And so that has made
ransomware attacks more appealing for attackers because there's so much more data that can be
stolen, so much more valuable data. And they no longer need a floppy disk to get into your system.
They can just get in through, you know, something like a phishing email or just, you know,
through some kind of hole in your security defenses.
And they usually demand, well, they pretty much always demand the ransom to be paid via
cryptocurrency, so something like Bitcoin or Ether.
And the reason for that is that cryptocurrency payments are not reversible.
So once you have sent that Bitcoin to the hacker's wallet address, you can't then phone
up your bank and be like, hey, can you please reverse this transaction because this was,
you know, extortion?
Once you've made that payment, that money is gone and you can't get it back.
And the impacts of a ransomware attack are huge, right?
But let's spell it out.
Let's talk about what actually happens.
So what kind of impact can ransomware attacks have on companies?
Like, what's at stake here?
Oh, massive.
The impact can be quite catastrophic.
It, of course, depends on a number of things.
So, for example, are critical systems impacted?
So can they, you know, they can knock down.
Let's say you're a manufacturing company.
I'm hearing a lot about the manufacturing sector being hit with ransomware lately. So you can actually end up having to pause your operations
because your operations have been hit. So now you're not manufacturing. So now you're missing your
deadlines for the things you need to manufacture. In a hospital, that can mean having to cancel
cancer surgeries. It can mean people's lives are at stake. And then, you know, for some
companies that can be really catastrophic. They can actually risk potentially going bankrupt.
And of course, a big factor is the state of the company's backups.
So if the company has good backups and the backups are in a place where they have not been stolen by the hackers, then they could potentially rebuild their system from the backups.
If you don't have good backups, then I guess perhaps you feel you don't have much of a choice other than to pay the ransom.
Let's say a company was compromised.
What do they do next?
So normally they would engage someone called a breach coach at a law firm,
and that person would help to kind of connect them to a bunch of other people or entities that they might
need to deal with. So they might engage a cybersecurity firm that does incident response, which would
go in there and try to figure out the state of their backups, for example, and how to rebuild the system
and whether or not they're going to potentially need to try to obtain the data from the hackers.
That firm may bring in a negotiator who's going to negotiate with the hackers and try to talk them down to a more reasonable price.
Then they're going to have to liaise with their insurance company, provided that they have cyber insurance,
because that company is going to be very involved in the process in terms of what insurance is going to cover and what it isn't going to cover.
Okay. It's really interesting because it sounds like this is kind of a whole kind of professional world, right?
Like we're talking about crime, but then there's all these different layers that deal with an attack like this?
It's a $300 billion U.S. industry.
Wow.
Yeah, a lot of money there.
When a company gets hacked, do they know who the hacker is?
Not necessarily.
So they may figure out what ransomware software was used.
So, for example, we talked about Indigo earlier.
Indigo was hacked using ransomware created by a group called LockBit.
And that was the same software that was used in the attack
on Sick Kids. So you can sometimes figure out, you know, it was LockBit software. But the thing
that's interesting about these ransomware groups is that many of them actually operate on an affiliate
model. And so they would create this ransomware that is being used to steal and encrypt your data,
but then they would bring in sort of affiliates to go out there and do the attacks. And then they
would take a cut of potential proceeds of ransom payments. We'll be right back.
Okay, let's get into these ransomware negotiators.
What exactly do they do?
Essentially, it's not that dissimilar to, in theory, a hostage negotiator because your data
is essentially being held hostage.
And this person comes in.
And what they're trying to do is negotiate with the attacker and try to get them to lower their ask.
How do they do this?
Like, how do they convince the hacker to lower their ask?
Apparently, according to Curtis Minder, who I spoke to for this piece, it's really just
a game of human psychology. And so a lot of the time people forget that these hackers on the other end
of the transaction, these like shadowy bad guys, like they are actually human beings. They're people
and they are, they have emotions. And so a lot of it is trying to kind of appeal to their emotion.
So for example, a lot of them want their sort of skills as hackers to be acknowledged. And so they
will sometimes feel like, you know, they earned this size of ransom because of how
effective their attack was. And so one of the things that a negotiator might do is to acknowledge
the attacker's skill in successfully hacking this company. And then, you know, they might kind of
cry poor a little bit and say, well, you know, we don't have, this company doesn't have the means
to make such a large payment. One of the things that Curtis told me was that,
you want to kind of avoid getting into positional bargaining for as long as you can.
So positional bargaining is kind of like, you know, I throw out a number and then you throw out a number
and then we kind of keep throwing out numbers until we sort of meet somewhere in the middle.
The moment that you get into that, if you do it too soon, you're going to end up paying more.
Interesting. Can you explain that more? Like, why is it that you'll be paying more if you get into that type of bargaining?
You know, it's a good question. I guess just because now you've put out a number and so now we're already talking about numbers.
And the idea is to try to get them to come down a couple of times, ideally, before you have even
counteroffered.
So the first thing you might do is challenge how they came up with this number.
Like, why do you think that this is the correct number?
Why do you think the company has the capacity to pay this much money?
Wow, there's so much psychology involved.
And it's fascinating to hear you talk about how speaking to their ego, right?
Like, wow, what a great hack you've done actually will work in these situations.
I'm curious, does a hacker know that they're
talking to a professional? You know, some of them do, and that can actually be problematic.
There are ransomware groups who have said, the moment that we find out that we're dealing
with a professional negotiator, we're walking away from the negotiation. So they don't want to
necessarily feel like they're getting played. Okay, very interesting. Who are these negotiators?
Like, what do we know about them? It seems like an unusual profession to fall into.
Yeah, so not very much because a lot of them will not talk on the record. Okay. And the reason for that is
largely, well, A, they want to protect the secret sauce. They don't necessarily want to give the hackers
all of their tricks because that would work against them in their effectiveness as negotiators,
but also for safety and security reasons, protecting their families, that sort of thing.
And I don't think there are that many who necessarily are negotiators as a full-time job.
So a lot of firms will offer negotiation as sort of a suite of packages that, you know,
includes other aspects of remediating a ransomware attack.
Okay. These negotiators are working on the dark web, right? And dealing with shady characters, can they be trusted? Like, how trustworthy are they?
That is a really good question. And there's actually a case I came across involving a negotiator working for a company called Digital Mint based in Chicago. And in that case, an employee of Digital Mint who was working as a negotiator was actually indicted in the U.S. for participating in ransomware attacks.
A double agent?
Allegedly.
Wow.
It's an interesting space because a lot of cybersecurity firms will actually look for talent in the dark web.
So there's something called black hat hackers and white hat hackers.
And so the black hat hackers are kind of the bad guys, the hackers who are going out there to steal your data.
And then you have white hat hackers who are just, you know, doing things like penetration testing,
helping companies figure out where the vulnerabilities in their systems might be.
And so if you think about it, it's the same skill set, right?
Because you're hacking.
Yeah.
And so there's cases where people who are black hat hackers do cross over into the sort of white hat
world.
And so it kind of makes sense.
If you're looking to hire a negotiator to negotiate with hackers, you might want someone
who understands the psychology of a hacker, perhaps because they themselves were once a hacker.
And so you do have these people that kind of cross over.
And I think companies have to be careful about this because then you have things like,
what happened at Digital Mint where, you know, you have someone playing both sides, allegedly.
I'm not saying that that individual was necessarily from the black hat hacker world, but, you know,
look, you have these skills, right? You know how ransomware works. You know how ransomware negotiation works.
You could pretty easily put those skills to use for the wrong reasons as well as the right ones.
Yeah, same skill set just matters which side you're on here.
Absolutely.
Absolutely. Once the negotiators have done their job, you've paid your ransom. What reason does a hacker have to actually give you your data back?
So what the ransomware groups will say is that they have a reputation to uphold. And if they didn't.
That's very professional. You know, when you read these negotiations, they read like business negotiations.
A lot of these hackers, it's like they're trying to sell you a legitimate service of we will decrypt your data for you, your data
that we stole, and promise never to attack you again. Of course, that doesn't mean you're not going
to get attacked by a different ransomware group. But yeah, the negotiations read very professional.
They will say they have a reputation to uphold because if they didn't uphold their end of the
bargain on a regular basis, then nobody would ever pay the ransom. So that's kind of what
they'll say. But if you talk to law enforcement, for example, they will say, you know, you're
dealing with a criminal and, you know, there is no guarantee really that they won't
sell your data on the dark web, that they won't re-attack you or that they won't re-extort you,
which is something that we're hearing about more lately, is these instances of ransomware attacks
where the attacker later comes back and demands a second ransom payment.
Oh, wow. Okay. I'm glad you brought up the fact that law enforcement says you shouldn't be
negotiating with ransomware attackers because they're criminals. But victims of ransomware
attacks have a lot to lose if they don't pay the ransom. Is there a middle ground somewhere?
Like how do experts say we should deal with ransomware attacks?
Yeah, that's a great question.
I mean, this is very much a live debate in many societies around the world, including in Canada,
where you do have advice from law enforcement that you should not be paying a ransom payment.
And the reason for that is not only can you kind of not trust that they're necessarily going to uphold their end of the bargain,
but you're also fueling an illicit marketplace.
So if we as a society keep on paying ransoms, we're creating a financial incentive for these criminal organizations
to continue attacking companies and encrypting their data and extorting them.
If you look at, for example, the LockBit group, they were actually so successful that they
were able to reinvest the proceeds of their attacks into making the ransomware software
better.
So they would have newer versions, LockBit 1, LockBit 2, LockBit 3, and, you know,
kept going.
So you're essentially fueling this criminal ecosystem.
But then like you say, yeah, companies have a lot to lose, especially organizations,
like hospitals where it could literally be a matter of life and death. So what some of the experts I
talked to suggested is that we need to kind of phase this out. You can't necessarily just ban
ransomware payments and go, yeah, you can't pay ransoms anymore because you would have
companies going out of business. You could have people dying in an absolute worst-case scenario.
But what we could start with is, for example, every time that an organization pays a ransom,
they have to report that they paid a ransom to whom and the amount of the ransom to some sort of government agency.
And that's going to maybe create a disincentive for certain companies who are kind of like maybe on the cusp.
You know, maybe they don't really need to pay the ransom.
Maybe they have really good backups, but they've decided to pay the ransom just as like an incentive to kind of get the hackers to go away.
Well, maybe they don't want there to now be a public record of the fact that they've made this ransom payment to this criminal group.
So that might disincentivize some people from paying the ransom while still allowing the people who really need the decryption key to obtain that decryption key.
Then, you know, after doing that for, you know, a set amount of time, we could move to potentially having an oversight board or committee or something that would kind of review the payment.
So you would say, I would like to pay this ransom and here are my reasons why.
And they would go in and they would look at it and they would say, okay, we'll allow you to do it.
And that way we could sort of phase it out and companies would kind of get the message over a period of years that we are moving away from paying ransom.
So I better get my backups in order.
I better get my preventative security in order.
And it would also signal to the criminals that we're closed for business.
So it sounds like there needs to be some sort of government involvement here if we wanted to sort of phase this out.
Yeah.
I mean, I don't think it would necessarily happen organically without some kind of rules.
Okay. Just lastly, what does it tell you that ransomware attacks and the industry that's cropped up to deal with them have become so professional?
Well, I mean, I think it speaks to the value of our digital economy and how reliant we have become on everything being online.
There's also, I mean, there's some interesting questions around things like personal identifying information.
There's so much of it that we've given to so many companies.
And so I don't know about you, but personally, I probably had my personal data leaked through many hacks.
At a certain point, it becomes a question of when and not if.
I mean, I think we're at that point.
It's a question of when are you going to get hacked and not if you're going to get hacked?
But yeah, I mean, like, look, it's a real problem.
And I think a lot of it is on companies, too, in order to, you know, take the preventative steps that they need to take.
Because there's, you know, there's a saying an ounce of prevention is worth a pound of cure.
And I think that, you know, in ransomware attacks, it's way more cost effective to prevent the attack from happening in the first place than it is to remediate these hacks.
Alex, that's been really fascinating.
Thanks so much for coming on.
Thank you for having me.
That was Alexandra Posadzki, the Globe's financial and cybercrime reporter.
That's it for today.
I'm Cheryl Sutherland.
Our associate producer and intern is Emily Conahan.
Our producers are Madeline White, Rachel Levy McLaughlin, and Mikhail Stein.
Our editor is David Crosby.
Adrian Chung is our senior producer, and Angela Pichenza is our executive editor.
Thanks so much for listening.
