All computers are encrypted. Then the blackmail begins. Ransomware is seen as a major threat to businesses. A chat history shows how companies negotiate with hackers.
“We have transferred” – after days of negotiations and threats of a data leak, it is this chat message that documents how hackers successfully blackmailed a German medium-sized company. The Osnabrück-based copper manufacturer KME transferred 1.27 million US dollars to regain access to its own data, which the hackers had encrypted.
IT security experts call the hackers’ business model “ransomware”: software that encrypts all the data on a computer so that it can no longer be used. In the past two years, a dozen such incidents have become known in Germany alone. The digital industry association Bitkom puts the total loss at 10.5 billion euros for 2018 and 2019.
BKA: Ransomware “greatest threat” to German economy
The Federal Criminal Police Office (BKA) even describes ransomware as the “greatest threat” to business enterprises. The hackers are targeting larger corporations in particular, explains Carsten Meywirth, head of the BKA’s cybercrime department: “The perpetrators see that they are landing big fish where they can realize very high ransom demands.”
The English-language chat, which BR Recherche and the ARD business magazine Plusminus have in full, shows for the first time exactly how a German company was blackmailed by criminal hackers. The group did not respond to a request for comment. The news agency Reuters and a French trade publication had previously reported on negotiations with digital blackmailers.
Hacker: “We only want to profit”
In KME’s case, production was partially restricted, as the company announced in August. The police and the public prosecutor’s office were called in, as was a negotiator who was to make contact with the hackers. The hackers had placed a text file named “Read me” on the encrypted computers. It contained detailed instructions and the comment: “This is just business for us. We have absolutely no interest in you, we just want to profit.”
Attached was a link to the darknet, the part of the Internet that cannot be reached with common web browsers. The hackers were waiting there. To start with, they wanted $7.5 million. “It is impossible for my client to pay you 7.5 million dollars,” the negotiator began the conversation, freely translated, and stated that the coronavirus pandemic had also hit KME hard. The hackers were unimpressed: “We have many company deals every day, Covid-19 is already priced in.” They attached a company balance sheet and the corporation’s insurance policy, saying, “In case you don’t have this on hand.”
It was evident that they had been able to look through the copper maker’s networks before deciding on the amount of the ransom. Such an approach is part of the usual strategy, as Kimberly Goody of the IT security company FireEye explains: “If the hackers manage to infect 20 companies at the same time, but they do not have the capacity to blackmail all of them at the same time, they have to set priorities. There it can help to know the annual turnover.” The higher the turnover, the higher the demand.
A deal was worked on for days. The negotiator tried to appeal to the hackers’ conscience: “You have chosen the wrong victim, our insurance company does not cover a ransom. Therefore, 750,000 is the absolute maximum, and that costs jobs, but you don’t care.” In return, the hackers threatened to leak stolen data. Only when they realized that they were actually going to see money did they reduce the price. In the end, an agreement was reached on $1.27 million, to be paid in the digital currency Monero. Before the money was sent, the negotiator raised concerns: “Please confirm that all the systems that you encrypted will work again.” The hackers didn’t want to wait any longer, but the question arose for the company: what if it pays, but the hackers break their promise? Cybercrime expert Meywirth from the BKA warns: “There is no guarantee that the perpetrators will send appropriate decryptors after a payment has been made.”
Decryptors are the tools with which the encrypted data can be restored. Meywirth can understand that companies have to weigh up “between the damage that has occurred and the ransom demand”. But his advice is clear: “We recommend not paying in any case. That would create even more incentives to repeat the offence, possibly also against the same company.”
Payment is “generally made when there is no data left at all,” says Christoph Fischer, managing director of the IT security company BFK edv-consulting. This year Fischer conducted almost 20 negotiations and had to transfer money on behalf of companies in six cases, a total of six million euros. He says of the hackers: “It is important to them that their business model does not break. It is so profitable that they do everything to ensure that their victims get their data back.”