A few days after Thanksgiving last year, Kurtis Minder got a message from a man whose small construction-engineering firm in upstate New York had been hacked. Minder and his security company, GroupSense, got calls and e-mails like this all the time now, many of them tinged with panic. An employee at a brewery, or a print shop, or a Web-design company would show up for work one morning and find all the computer files locked and a ransom note demanding a cryptocurrency payment to release them.
Some of the notes were aggressive (“Don’t take us for fools, we know more about you than you know about yourself”), others insouciant (“Oops, your important files are encrypted”) or faux apologetic (“we are regret but all your files was encrypted”). Some messages couched their extortion as a legitimate business transaction, as if the hackers had performed a helpful security audit: “Gentlemen! Your business is at serious risk. There is a significant hole in the security system of your company.”
The notes typically included a link to a site on the dark Web, the part of the Internet that requires special software for access, where people go to do clandestine things. When victims went to the site, a clock popped up, marking the handful of days they had to fulfill the ransom demand. The clock began to tick down ominously, like a timer connected to a bomb in an action movie. A chat box enabled a conversation with the hackers.
In the past year, a surge of ransomware attacks has made a disruptive period even more difficult. In December, the acting head of the federal Cybersecurity and Infrastructure Security Agency said that ransomware was “quickly becoming a national emergency.” Hackers hit vaccine manufacturers and research labs. Hospitals lost access to chemotherapy protocols; school districts cancelled classes. Companies scrambling to accommodate a fully remote workforce found themselves newly vulnerable to hackers. In May, an attack by the ransomware group DarkSide forced the shutdown of Colonial Pipeline’s network, which supplies fuel to much of the East Coast. The shutdown, which pushed up gas prices and led to a spate of panic-buying, put a spotlight on ransomware’s potential to disable critical infrastructure. A week after the attack, once Colonial paid a ransom of $4.4 million to get its systems back online, eighty per cent of gas stations in Washington, D.C., still had no fuel.
The F.B.I. advises victims to avoid negotiating with hackers, arguing that paying ransoms incentivizes criminal behavior. This puts victims in a tricky position. “To just tell a hospital that they can’t pay—I’m just incredulous at the notion,” Philip Reiner, the C.E.O. of the nonprofit Institute for Security and Technology, told me. “What do you expect them to do, just shut down and let people die?” Organizations that don’t pay ransoms can spend months rebuilding their systems; if customer data are stolen and leaked as part of an attack, they may be fined by regulators. In 2018, the city of Atlanta declined to pay a ransom of approximately fifty thousand dollars. Instead, in an effort to recover from the attack, it spent more than two million dollars on crisis P.R., digital forensics, and consulting. For every ransomware case that makes the news, there are many more small and medium-sized companies that prefer to keep breaches under wraps, and more than half of them pay their hackers, according to data from the cybersecurity firm Kaspersky.
For the past year, Minder, who is forty-four years old, has been managing the fraught discussions between companies and hackers as a ransomware negotiator, a role that didn’t exist only a few years ago. The half-dozen ransomware-negotiation specialists, and the insurance companies they regularly partner with, help people navigate the world of cyber extortion. But they’ve also been accused of abetting crime by facilitating payments to hackers. Still, with ransomware on the rise, they have no lack of clients. Minder, who is mild and unpretentious, and whose conversation is punctuated by self-deprecating laughter, has become an accidental expert. “While I’ve been talking to you, I’ve already gotten two calls,” he told me when we video-chatted in March.
The man who reached out to him in November explained that the attack, the work of a hacking syndicate known as REvil, had rendered the company’s contracts and architectural plans inaccessible; every day the files remained locked was another day the staff couldn’t work. “They didn’t even have an I.T. person on staff,” Minder said. The company had no cyber-insurance policy. The man explained that he had been in touch with a company in Florida that had promised to decrypt the files, but it had stopped replying to his e-mails. He wanted Minder to negotiate with the hackers to get the decryption key. “The people who reach out to me are upset,” Minder told me. “They’re very, very upset.”
As a child, Minder visited his father at the mill where he worked, in central Illinois, and watched him hoist fifty-pound sacks of flour. His mother, who worked for the state, sat in an air-conditioned office with a cup of coffee. He didn’t quite understand what her job was, other than that it seemed to involve a lot of typing. “I was, like, whatever that typing job is, that’s what I want,” Minder told me.
After college, in the early nineties, he got a tech-support job at a local Internet-service provider. Within a year, he was promoted to assistant systems administrator, a job that entailed keeping tabs on the server logs. He began to notice a strange pattern, which he eventually realized was evidence of hackers. “They would use our routers as what we would now call a pivot point—bouncing off them to attack someone else, so the attack looked like it was coming from us,” he said. The attackers were typically hobbyists who were more interested in showing off their skills than in wreaking real havoc; Minder found the cat-and-mouse energy of outsmarting them deeply satisfying.
By that time, hackers had proved that they could inflict serious damage. In 1989, twenty thousand public-health researchers around the world received a floppy disk purporting to contain an informational program about AIDS. But the disk also included a malicious program that is now considered the first instance of ransomware. After users rebooted their computers ninety times, a text box appeared on the screen, informing them that their files were locked. Then their printers spat out a ransom note instructing them to mail a hundred and eighty-nine dollars to a post-office box in Panama. The malware, which came to be known as the AIDS Trojan, was created by Joseph Popp, a Harvard-trained evolutionary biologist. Popp, whose behavior grew increasingly erratic after his arrest, was declared unfit to stand trial; he later founded a butterfly sanctuary in upstate New York.
Popp’s strategy—encrypting files with a private key and demanding a fee to unlock them—is frequently used by ransomware groups today. But hackers initially preferred an approach known as scareware, in which they infected a computer with a virus that manifested as multiplying pop-ups with ominous messages: “SECURITY WARNING! Your Privacy and Security are in danger.” The pop-ups told users to buy a certain antivirus software to protect their systems. Hackers posing as software companies could then receive credit-card payments, which were unavailable to those deploying ransomware. In the early two-thousands, ransomware hackers typically demanded a few hundred dollars, in the form of gift cards or prepaid debit cards, and getting hold of the money required middlemen, who siphoned off much of the profits.
The calculus changed with the launch of Bitcoin, in 2009. Now that people could receive digital payments without revealing their identity, ransomware became more lucrative. When Minder founded GroupSense, in Arlington, Virginia, in 2014, the cybersecurity threat on everyone’s mind was data breaches—the theft of consumer data, like bank-account information or Social Security numbers. Minder hired analysts who spoke Russian and Ukrainian and Urdu. Posing as cybercriminals, they lurked on dark-Web marketplaces, seeing who was selling information stolen from corporate networks. But, as upgrades to security systems made data breaches more challenging, cybercriminals increasingly turned to ransomware. By 2015, the F.B.I. estimated that the U.S. was subjected to a thousand ransomware attacks per day; the next year, that number quadrupled. Mike Phillips, the head of claims for the cyber-insurance company Resilience, told me, “Now it’s ransomware first and only, and everything else is a distant second.”
Criminal syndicates are behind most ransomware attacks. In their online interactions, they display a mixture of adolescent posturing and professionalism: they have a fondness for video-game references and the word “evil,” but they also employ an increasingly sophisticated business structure. The larger groups establish call centers to help talk victims through the confusing process of obtaining cryptocurrency, and they promise discounts to those who pay up in a timely fashion. Some ransomware groups, including REvil, work on the affiliate model, providing hackers with the tools to deploy attacks in exchange for a share of the profits. (REvil also handles ransom negotiations on behalf of its affiliates.) “It’s way too easy to get into this,” Reiner, of the I.S.T., told me. “You or I could do it—you just hire it out. There’s been an incredible commoditization of the entire process.”
Hackers use various techniques to gain access to a company’s computers, from embedding malware in an e-mail attachment to using stolen passwords to log in to the remote desktops that workers use to connect to company networks. Many of the syndicates are based in Russia or former Soviet republics; sometimes their malware includes code that stops an attack on a computer if its language is set to Russian, Belarusian, or Ukrainian. Some of the syndicates employ current or former members of the military, but they seem to care more about money than about geopolitical machinations. “We are apolitical,” a man claiming to be an REvil representative said in an interview with a Russian YouTuber. “No politics at all. We don’t care who’s going to be President. We worked, we work, and we will work.”
Phillips told me, “Paying a ransom, you worry about it being venture capital for this dark-Web Silicon Valley on the other side of the world.” Ransomware groups, like their Silicon Valley counterparts, move fast and break things. In May, 2017, the WannaCry attack infected three hundred thousand computers through old and unpatched versions of Microsoft Windows. In the United Kingdom, ambulances had to be diverted from affected hospitals, and a Renault factory stopped production. Just three years after that attack, though, the REvil representative called this scattershot approach “a very stupid experiment.” The WannaCry hackers had demanded ransoms of only three hundred to six hundred dollars, netting around a hundred and forty thousand dollars.
After WannaCry, ransomware groups concentrated on sectors where a combination of lax security and a low tolerance for disruption makes getting paid more likely and more lucrative—industrial agriculture, mid-level manufacturing, oil-field services, municipal governments. Groups timed disruption for periods of acute vulnerability: schools in August, right before students returned; accounting firms during tax season. Certain syndicates specialize in “big-game hunting,” launching targeted attacks against deep-pocketed companies. The group deploying the Hades ransomware strain focusses on businesses with reported revenues of more than a billion dollars. Another designs custom malware for each job. In 2019, during a Webinar hosted by Europol, the European law-enforcement agency, a security expert mentioned that the cryptocurrency Monero was essentially untraceable; soon afterward, REvil began asking for ransom payments in Monero instead of Bitcoin.
When companies seem reluctant to negotiate, executives receive threatening phone calls and LinkedIn messages. Last year, the Campari Group issued a press release downplaying a recent ransomware attack. In response, hackers launched a Facebook ad campaign, using the profile of a Chicago d.j., whom they had also hacked, to shame the beverage conglomerate. “This is ridiculous and looks like a big fat lie,” they wrote. “We can confirm that confidential data was stolen and we talking about huge volume of data.” Last year, printers at a South American home-goods chain began spitting out ransom notes instead of receipts.
More recently, syndicates have added extortion to their playbook. They siphon off confidential files before encrypting systems; if their ransom demand isn’t met, they threaten to release sensitive data to the media or auction it off on the black market. Hackers have threatened to publish an executive’s porn stash and to share information about non-paying victims with short sellers. “I’ve seen social-work organizations where ransomware actors threatened to expose information about vulnerable children,” Phillips said.
Before ransomware took over Minder’s life, he had settled into a routine. He walked to work, where he was usually the first to arrive and the last to leave. On the way home, he stopped at a coffee shop for a glass of wine and a salad. Back at his apartment, where he lived alone, he would work at his desk until he fell asleep. His major social outlet was the local motorcycle club, the BMW Bikers of Metropolitan Washington.
Early last year, GroupSense found evidence that a hacker had broken into a large company. Minder reached out to warn it, but a server had already been compromised. The hacker sent a ransom note to the company, threatening to release its files. The company asked Minder if he would handle the ransom negotiations. Initially, he demurred—“It never occurred to me as a skill set I had,” he said—but eventually he was persuaded.
To buy time, Minder suggested that the company acknowledge receipt of the ransom note. He began studying up on negotiation tips, watching MasterClass tutorials and reading books by former hostage negotiators. He learned that he should avoid making counteroffers in round numbers, which can seem arbitrary, and that he shouldn’t make concessions without providing a justification. During the next few weeks, as the conversation with the hacker unspooled, Minder discovered that he had a knack for negotiation. He did his best to engage the hacker, who appeared to be unaffiliated with any of the major ransomware syndicates. When the hacker complained about how much time and effort he’d invested in breaking into the company, Minder complimented him on his skills: “I told him, ‘You’re a very talented hacker, and we’d like to pay you for that. But we can’t pay what you’re asking.’ ”
The negotiation became all-consuming. On a motorcycle camping trip with his girlfriend, Minder huddled by the campfire with his laptop, using a 3G hot spot to keep talking. Eventually, the hacker agreed to a price that the company’s insurer found acceptable. “ ‘I think I could get him even lower if you gave me a little bit more time,’ ” Minder recalls saying. “But the cyber-insurance company said, ‘This is good enough.’ ”
Minder soon found more work. Sometimes it was a prominent company facing a multimillion-dollar ransom demand, and the negotiation took weeks. Sometimes it was a small business or a nonprofit that he took on pro bono and tried to wrap up over the weekend. But GroupSense rarely made money from the negotiations. Some ransomware negotiators charge a percentage of the amount that the ransom gets discounted. “But those really profitable approaches are ripe for fraud, or for accusations of fraud,” Minder said. Instead, he charged an hourly rate and hoped that some of the organizations that he helped would sign up for GroupSense’s core product, security-monitoring software.
Last March, after GroupSense’s office shut down, Minder paced in circles in his four-hundred-and-seventy-five-square-foot apartment. “I was, like, I need to go hike,” he said. He towed two motorcycles to a rental house in Grand Junction, Colorado. As the world fell apart, the ransomware cases kept coming. Minder handled the negotiations himself; he didn’t want to distract his employees, and he found that the work required a certain emotional finesse. “Most of our employees are really technical, and this isn’t a technical skill—it’s a soft skill,” he told me. “It’s hard to train people for it.”
The initial exchange of messages was crucial. People advocating on their own behalf had a tendency to berate the hackers, but that just riled them up. Minder aimed to convey a kind of warm condescension—“Like, we’re friends, but you don’t really know what you’re doing,” he explained. His girlfriend, who speaks Romanian, Russian, Ukrainian, and some Lithuanian, helped him find colloquialisms that would set the right tone. He liked to call the hackers kuznechik, Russian for “grasshopper.”
Occasionally, Minder was called in to try to rescue negotiations that had gone off the rails. If hackers felt that a negotiation was moving too slowly, or they sensed that they were being lied to, they might cut off communication. Following the advice of Chris Voss, a former F.B.I. hostage negotiator who is now a negotiation consultant, Minder tried to establish “tactical empathy” by mirroring the hacker’s language patterns.