'You Can't Just Concede.' How One Expert Explains Negotiating With Cybercriminals

Bill Siegel works with companies that fall victim to the same type of ransomware attack that disrupted fuel supplies across large parts of the South and East Coast last week.

The operators of the Colonial Pipeline now say things are back to normal after a ransomware attack led them to shut down the pipeline. They reportedly paid upwards of $5 million to the hackers who had infiltrated their network. But not all cyber extortion attacks end this way. Bill Siegel runs Coveware. It's a company that responds to ransomware attacks and often negotiates with hackers. I asked him to explain the objective for these kinds of negotiations.

BILL SIEGEL: Well, at the end of the day, the goal is to find a way for the company to recover without having to pay at all. But that'd be...

MARTIN: Does that ever happen?

SIEGEL: Oh, yeah, absolutely. It's not a foregone conclusion that a company has to pay a ransom for sure. A lot of times when an attack happens, it's very difficult for a big company to determine immediately what the situation is because if you're a large company and you've got, you know, 10,000 servers globally and you've got backups at, you know, 15 different locations throughout the globe, it can take days sometimes to actually safely check the integrity of those backups. And so when we're managing a large, you know, enterprise incident, you don't want to start negotiating when you realize you need it; you want to be done. And so we'll kick off negotiation knowing that a very likely outcome is that we actually don't end up paying. But we want to...

MARTIN: So you can be negotiating just to buy time? So the company can figure out if they have a backup, and they can say, sorry, your threat's not good here because we're safe.

SIEGEL: Of course, yeah. That's the goal, right? You know, the cost for a large company being down is so substantial that hours can mean the difference in, you know, millions or tens of millions of dollars of lost profit. Or in the case of, you know, a hospital or something, it can mean the difference between life and death. So you don't want to waste any time. You want to basically get to the finish line and be ready, even if the conclusion is, well, we don't need to do anything. And that's the best conclusion.

MARTIN: So what happens when it becomes clear that a company really is at risk and they don't have adequate backup and the hackers really do have all the power? I mean, what do you and your clients have in terms of leverage in a situation like that?

SIEGEL: The answer is you have very little, but there - you still have to find ways to negotiate successfully on behalf of your client, right? You can't just concede. You can't look desperate. So you have to find ways, you know, to draw the negotiation to some semblance of a successful conclusion. What we do, in as much as there is a lot of skill and tactics and experience and data brought into actually the how of how we perform negotiation, there is as much experience and skill used in just the overall project management of the incident and helping the company think through these decisions and manage their own time and decision-making.

MARTIN: If a situation occurs, a cyberattack happens, the company is forced to pay ransom, what's to prevent those same hackers from, six months, a year later, just coming back and doing the same thing again?

SIEGEL: Yeah, there's absolutely nothing, is the answer. One of the biggest fallacies and misunderstood aspects of these attacks is that they are like lightning strikes, right? It's like, well, it happened once; it's not going to happen again. That's just - that's not the way it works. The groups that are carrying this out are part of a very well-organized and a very large industry. The power laws of economics dictate how they behave, right? If there's one thing I've observed over doing a few thousand of these over the last couple of years, it's that economics rule how behavior runs in this space. If it is cost effective - i.e., cheap to attack a company - and has a high likelihood of being profitable at low risk, they will do it, and they will do it over and over and over again, just like any other business would do the exact same thing if they found a very cheap way to sell very high-profit products. And so it's...

MARTIN: You've seen this?

SIEGEL: Yeah, of course. If a company does not take it seriously and they don't fix the vulnerabilities that allowed it to happen in the first place, there's a 100% chance it happens again.

MARTIN: Are you able to tell us the origin country of most of the cyberattacks that you see?

SIEGEL: You know, we don't do very detailed attribution. What I would say is that the contributory factors that have led us to where we are today are as much socioeconomic as they are other things. There are such low barriers to entry to cybercrime, and there are lots of well-educated, sometimes STEM-educated individuals in lots of parts of the world. They don't have the job prospects that will pay them the money that they aspire to make, and sometimes their local jurisdictions are kind of out of the reach of Western law enforcement. And it's - you know, while it may be sort of frowned upon, it's sort of condoned by wherever they live - right? - because the local economy actually benefits from the laundered proceeds of those attacks filtering back in. And these people are buying houses and buying Starbucks and buying cars, and that's a good thing for the local economy, so they sort of look the other way.

MARTIN: Have you thought about your company's role in all of this, I mean, especially when you consider those repeat offenders and how paying ransom, agreeing to pay a ransom to a group of hackers, doesn't prevent them from coming back? I mean, you as a facilitator of these payments, are you concerned that you are actually helping perpetuate this cycle?

SIEGEL: Of course. And I think if you're going to be in this industry, you have to have a pretty big altruistic chip on your shoulder. And we founded this company to try and solve the problem. That may seem weird, but the reality is, when we founded the company, there was no centralized data on how these attacks happened. And we felt that the first thing you have to do to solve the problem is to collect the data, and I think we've done that very well.

MARTIN: So what that means is any time you're in a negotiation, yes, you're helping your client, but you are learning things. You're learning things about the attackers. You're learning things about the process. And then you make those more publicly available or available to law enforcement, perhaps, or other entities within the U.S. government so that they can work on cracking down on the issue of cyberattacks.

SIEGEL: That's correct. We share information with law enforcement. We share information with the public. And we have absolutely no problem winding up our company and closing it down if ransomware ceases to exist as a problem.

MARTIN: And that would be the goal, presumably.

SIEGEL: A hundred percent.

MARTIN: Bill Siegel - he is the CEO of Coveware, which responds to ransomware attacks. Thank you so much for taking the time to explain all this. We do appreciate it.

SIEGEL: Thank you so much for having me.


Copyright © 2021 NPR. All rights reserved. Visit our website terms of use and permissions pages at www.npr.org for further information.

NPR transcripts are created on a rush deadline by an NPR contractor. This text may not be in its final form and may be updated or revised in the future. Accuracy and availability may vary. The authoritative record of NPR’s programming is the audio record.