ST. LOUIS – In a little more than a month, we’ve reported on three cyberattacks in St. Louis. Bi-State President and CEO Taulby Roach confirmed a ransom demand was part of the Metro transit attack. Hackers threatened to publish confidential data if officials didn’t pay up.

Tony Cook, the head of threat intelligence for GuidePoint Security, says ransomware attacks begin with hackers compromising their target’s computer network.

“And that can be a number of things. Vulnerabilities. Phishing attacks. Supply chain attacks,” Cook said.

Once inside the target’s network, Cook tells us the hackers unleash software that scours and collects data, often crippling IT systems and holding user information hostage. Hackers eventually reveal the information they’ve stolen and tell the victim what it’s going to cost to get it back or keep it from going public.

“Most of the time, you will find a ransomware note and inside that ransomware note will be a link to either be able to talk directly to these people via their portal on the dark web,” Cook said.

That’s when companies like GuidePoint Security step in. Surprisingly, Cook says ransomware negotiations can be just like the back and forth we experience haggling over everyday goods or services.

“A lot of the ransomware actors act like they’re doing you a favor, like this is actually a service we’re providing to you,” Cook said. “If it was somebody else, they wouldn’t give you this opportunity. They wouldn’t be able to talk back and forth with you.”

Cook says in some cases, the hackers will even provide a report, an inventory of sorts, detailing what they did.

“They’re more than happy to say, ‘Here’s the report of how we got in, exactly what we did, the user accounts that we touched, the various different machines we touched while we were inside the environment,’” Cook said.

Cook believes the frequency of ransomware attacks and news of their often high-profile targets are forcing companies and organizations to get serious about cybersecurity.

“While it’s not a great thing to have terrorists essentially get into your network and do all these bad things to you, it does keep you on your toes to make sure these things are being taken care of and that all the vulnerabilities and other things are being patched in your environment, rather than just letting those things go,” Cook said.