How to Negotiate with Ransomware Hackers

Minder soon found more work. Sometimes it was a prominent company facing a multimillion-dollar ransom demand, and the negotiation took weeks. Sometimes it was a small business or a nonprofit that he took on pro bono and tried to wrap up over the weekend. But GroupSense rarely made money from the negotiations. Some ransomware negotiators charge a percentage of the amount that the ransom gets discounted. “But those really profitable approaches are ripe for fraud, or for accusations of fraud,” Minder said. Instead, he charged an hourly rate and hoped that some of the organizations that he helped would sign up for GroupSense’s core product, security-monitoring software.

Last March, after GroupSense’s office shut down, Minder paced in circles in his four-hundred-and-seventy-five-square-foot apartment. “I was, like, I need to go hike,” he said. He towed two motorcycles to a rental house in Grand Junction, Colorado. As the world fell apart, the ransomware cases kept coming. Minder handled the negotiations himself; he didn’t want to distract his employees, and he found that the work required a certain emotional finesse. “Most of our employees are really technical, and this isn’t a technical skill—it’s a soft skill,” he told me. “It’s hard to train people for it.”

The initial exchange of messages was crucial. People advocating on their own behalf had a tendency to berate the hackers, but that just riled them up. Minder aimed to convey a kind of warm condescension—“Like, we’re friends, but you don’t really know what you’re doing,” he explained. His girlfriend, who speaks Romanian, Russian, Ukrainian, and some Lithuanian, helped him find colloquialisms that would set the right tone. He liked to call the hackers kuznechik, Russian for “grasshopper.”

Occasionally, Minder was called in to try to rescue negotiations that had gone off the rails. If hackers felt that a negotiation was moving too slowly, or they sensed that they were being lied to, they might cut off communication. Following the advice of Chris Voss, a former F.B.I. hostage negotiator who is now a negotiation consultant, Minder tried to establish “tactical empathy” by mirroring the hacker’s language patterns.

Most of the time, Minder found himself dealing with a representative from one of the syndicates. “The first person you talk to is, like, level-one support,” he told me. “They’ll say something like ‘I want to work with you, but I have to get my manager’s approval to give that kind of discount.’ ”

GroupSense partnered with CipherTrace, a blockchain-analysis firm, which allowed Minder to see that a particular cryptowallet had been created and to trace its transactions. Determining the average payments flowing into a wallet gave him a sense of the going rate, so he could avoid overpaying. He came to understand that syndicates were working from a script. “Oftentimes, we can go to the client and say how it’s going to go before it starts,” he told me.

The clients themselves could be more challenging. Minder ran all communications by them, through a secure portal. Some wanted to edit every message to the hackers. “It’s like a spy game to them,” Minder said. Others erupted in anger or frustration. “Sometimes you’re negotiating in two directions at once—with the hacker and with the victim,” he said. “You have to have a personality type where you can be empathetic but also give directions in a way that isn’t confrontational.”

Minder has already seen pressure tactics and ransom demands escalate. In 2018, the average payment was about seven thousand dollars, according to the ransomware-recovery specialist Coveware. In 2019, it grew to forty-one thousand dollars. That year, a large ransomware syndicate announced that it was dissolving, after raking in two billion dollars in ransom payments in less than two years. “We are a living proof that you can do evil and get off scot-free,” the syndicate wrote in a farewell message. By 2020, the average ransom payment was more than two hundred thousand dollars, and some cyber-insurance companies began to exit the market. “I don’t think the insurers really understood the risk they were taking on,” Reiner told me. “The numbers in 2020 were really bad, but, at the end of 2020, everyone looked around and said, 2021 is going to be even worse.”

In 1971, a British manager at an Argentine meatpacking plant was seized by a guerrilla group. Several weeks later, after his employer paid a two-hundred-and-fifty-thousand-dollar ransom, he was freed. The following year, an electronics company paid twice as much to retrieve a kidnapped executive. In 1973, businessmen in Central America kept getting abducted, and their ransoms rose at an alarming rate: Coca-Cola paid a million dollars; Kodak paid $1.5 million; British American Tobacco paid $1.7 million; Firestone paid three million. One C.E.O. fetched $2.3 million; by the time he was kidnapped again, two years later, the price had risen to ten million. Then Juan and Jorge Born, heirs to a multinational food-processing conglomerate, were captured in a scheme involving fake street signs and operatives dressed as telephone workers and police officers. They were eventually ransomed for sixty million dollars, plus a million dollars’ worth of clothing and food to be distributed to the poor. Taking on the risk of kidnapping was “part of what it means to be an executive,” Gustavo Curtis, an American manager working in Colombia, was told by his employer shortly before his abduction, in 1976.

For much of human history, kidnapping had been largely a local affair, governed by a certain amount of ritual and reciprocity. Globalization, political destabilization, and rising inequality upended those norms. In Italy, criminal gangs abducted wealthy foreigners and farmers’ children; one year, eighty people were held for ransom. John Paul Getty refused to pay more in ransom for his kidnapped grandson than he could deduct on his taxes—reportedly three million dollars.

Kidnap-and-ransom insurance, a field that arose after the Lindbergh baby’s abduction and murder, in 1932, surged. In 1970, the size of the market was around a hundred and fifty thousand dollars; by 1976, it was seventy million dollars. The majority of policies were underwritten by Lloyd’s of London, the world’s main market for specialist insurance. Soon, there were risk analysts, who advised policyholders on how to prevent kidnappings; private security firms that offered on-the-ground protection; and specialist negotiators, who took over if things went south.

Control Risks was founded in 1975, by former members of the British Special Forces, to help the insurance industry deal with its kidnapping problem. Its executives performed their work with a patrician discretion. When, in 1977, two of its founding members were arrested in Colombia—no one was quite sure whether the nascent negotiation industry was legal—they spent their ten-week detention writing a code of conduct for their company. (The members were later exonerated.)

Around three-quarters of Fortune 500 companies eventually invested in kidnap-and-ransom insurance, but there was some discomfort with an industry that turned a profit by funnelling money to the Mafia, terrorist groups, and criminal gangs. “There is a feeling you shouldn’t make too much money,” a Control Risks co-founder told the Times, in 1979. Italy, Colombia, and the United Kingdom have all banned kidnap-and-ransom insurance.

But Anja Shortland, a professor of political economy at King’s College London, told me that privatized kidnap intermediaries were key in instituting what she calls “ransom discipline.” Control Risks didn’t merely negotiate ransoms; it also provided security audits, advising companies on how to keep staff from being abducted in the first place. Insurers offered reduced premiums to companies that beefed up their security, reducing over-all rates of kidnapping. When abductions did happen, skilled negotiators kept ransom demands from spiralling out of control. These days, some ninety per cent of kidnappings are resolved, typically through the payment of a ransom; when specialists are involved, the success rate rises to ninety-seven per cent. Countries that banned kidnap insurance drove negotiations underground.

Shortland specializes in the economics of crime. “A lot of economics is: let’s assume away all the complexities so we can come up with a tractable problem,” she told me. “And I’m just embracing the complexities.” To better understand the kidnap-for-ransom industry, she closely studied the piracy-and-kidnapping market in Somalia, where she saw how private insurers, consultants, and negotiators fostered a certain predictability in a trade that’s typically portrayed as unruly. “There is a pace, a rhythm to these things,” as one negotiator told her.

The orderliness, which relies on a mutual assumption of good faith, benefits all sides, Shortland told me. Kidnappers receive an expected rate of return; the kidnapped can reasonably expect that they’ll be released intact; companies in dangerous areas can assume that their staff won’t be abducted, but, if they are, they almost certainly won’t be killed. And the insurance companies and consultants can collect their fees.

Ransomware has less “kinetic impact” than kidnapping, Bill Siegel, the co-founder of Coveware, told me—that is, no one is sending severed ears in the mail. But, to an economist, the differences are small. “They are creating very similar kinds of institutions to the ones that the kidnap-and-ransom community has created,” Shortland said. “But they’re about eighty years behind.”

When it became clear that ransomware cases weren’t slowing down, Minder trained two of his employees to handle negotiations; one of them was Mike Fowler, a former narcotics detective from North Carolina. Working undercover had taught Fowler how to slip into character, which, he told me, “is part and parcel of being an effective negotiator.”

Last November, Fowler was the designated negotiator for the construction-engineering firm. When he logged on to the dark-Web site, he noticed that the timer showed that three days had already elapsed in the negotiations. In the chat box, a conversation was in progress. “It was shocking for me,” Fowler said. “This is a whole negotiation—poorly done, but a whole negotiation—that I’m looking at.”