An interview with a professional ransomware negotiator • The Register


Interview: The first rule of being a ransomware negotiator is that you don’t admit you’re a ransomware negotiator — at least not to LockBit or another cybercrime gang.

Instead, these negotiators portray themselves as simply company representatives, said Drew Schmitt, a professional ransomware negotiator and principal threat analyst at cybersecurity firm GuidePoint Security.

“The biggest reason is because most ransomware groups specifically and explicitly say: ‘We don’t want to work with a negotiator. If you do bring a negotiator to the table, we’re just going to post your stuff anyway.’” Schmitt told The Register. Hence the need to masquerade as a regular employee.

Ransomware is, of course, malware that, once on a network, encrypts all the valuable files it can find and demands payment to decrypt and restore them. Lately, gangs also steal copies of the data before encrypting it so that they can leak or sell it if the demand isn’t paid. Sometimes they just siphon off the files and don’t bother to encrypt them at all. Sometimes the crooks use the stolen files to harass or exploit a victim’s customers or users. There is all manner of things extortionists can do and demand once they are on your computers and have your data.

Schmitt said he negotiates one or two ransoms a month, and victim organizations range from very small businesses to major enterprises, spanning all industries. Manufacturing, technology, construction, government, and healthcare were the hardest hit in the second quarter of this year, according to research done for his company’s latest extortionware report.

He said he once saw a ransom demand from a “less-sophisticated group” who wanted just $2,000. “But I’ve also seen initial demands of $25 million,” he added. “So they are all over the place.”

Schmitt said he has, on two occasions, negotiated ransoms down to…