Cyberattack 101: Go inside the ransomware negotiations with hackers | Action News Investigation


PHILADELPHIA (WPVI) — Cyberattacks are surging and health care networks are being increasingly targeted.

Just last week, cyber thieves hit Capital Health in New Jersey.

Criminal enterprises usually gain access to networks through human error: employees mistakenly click on what’s called a “phishing email” and accidentally download malware.

But that’s just the early innings in the game of ransomware. Then the negotiations begin.

“It’s billions of dollars every year that ransomware groups are making,” said Drew Schmitt with Guidepoint Security.

Schmitt’s job is to negotiate with cyber syndicates that he said go by names like Akira, BlackBasta, Lockbit and the Lazarus Group.

“We see that there are threat actors that exist all over the world,” he said.

He said with the click of a mouse the cyber gangs take over networks.

Hospitals in Delaware County, the City of Philadelphia and a Pennsylvania water authority are just a few of the local victims in 2023.

“These threat groups have evolved in such a way that they have more or less real-time chat applications,” said Schmitt.

Schmitt took us behind the scenes of what happens when entities hire Guidepoint Security. The cybersecurity firm is responsible for past negotiations of one-third of Fortune 500 companies and more than half of US government cabinet-level agencies.

He said after an attack, victims will first get a link. They’ll then be instructed to enter their company name and code, and then negotiations are underway.

“Hey I was told to get in contact with you based on this ransomware. How do we get our files back?” he said they usually ask.

In this ransomware attack, Schmitt shared with the Investigative Team that BlackBasta requested $1 million. If not paid, the group warned that the sensitive information would be posted to a news board or leaked onto a site on the dark web where other criminals can access it.

“That’s where they name and shame. That’s where they post the data.”

Schmitt said he’ll then request proof they have the files they say they do.

“So we actually call that proof of life,” he said. “You have what you say you have. But now we need to know that you can actually decrypt the files that you’ve encrypted…
