Companies That Hide Even When Caught Hacking

"Can't Pay 500 Million! How About 300 Million..." Shadow Negotiation Teams Bargain with Hackers

Companies Hide After Being Hacked - <Part 2> Negotiations in the Shadows

Companies that fall into the ransomware trap but do not report it are faced with a crossroads. They must either negotiate with the hackers themselves or seek help from a professional negotiation team. Seo Hyunmin, Director of the Business Center at cybersecurity company S2W, said, "When hackers leave a ransom note (message) for victim companies, they provide very detailed instructions on how to contact them and how to exchange bitcoin," adding, "However, companies are always thrown into panic when hacked, so most of them turn to experts for help."


These 'experts' refer to those who negotiate with hackers on behalf of victim companies. They usually operate in teams of about five people. If you search for 'ransomware data recovery specialists' on portal sites, you will find a long list of such companies. This is a market created by corporate-targeted hacking.


Negotiate with hackers on behalf of affected companies
Reduced ransom below the initial amount through negotiation
Commission around 30% of the discounted amount


However, victim companies rarely call just any company at random. Because their wariness of hackers is extreme, they first reach out to security consultants known only to a select few. A security consultant, who requested anonymity, said, "My role is to connect hacked companies with trustworthy negotiation teams," and added, "If I get a call from an unfamiliar number, there is a 99% chance it's a company that has been hit by ransomware." This CEO of a reputable security company is also known as the "problem solver in the shadows," a name that is even more famous in the small and medium-sized business sector.




"At first, we tried to follow the hacker's instructions and had our employees access the site to start a conversation. It was our first time experiencing this, and we were so shocked that our minds went blank. I secretly sent an SOS to two trustworthy friends in business. One of them handed me a business card, saying he was a 'security consultant' and that I should contact him." The CEO of a bio-materials company that was hit by ransomware in September 2023 also got in touch with the problem solver in the shadows in this way and signed a contract with a negotiation team based in Busan.


Negotiation Team Deals with Hackers, Even Handles Bitcoin Transfers

Kim, the negotiator in charge of the case at the time, showed the messages exchanged with the hacker two years ago. The conversation between the two sides took place via chat and email on a website on the dark web created by the hacker. The ransom demanded by the hacker was about 15 bitcoins (5.6 billion KRW at the time).




"The amount you are demanding is too high. We cannot pay that much. Is negotiation possible?" (Kim)

"Negotiation is always possible. Can you pay today or tomorrow? If so, I can offer an additional discount. But do not lie about not having money. You are a large company with more than 100 employees and annual revenue of at least 50 million dollars." (Hacker)


After a full day of negotiations, Kim managed to lower the ransom to about 9 bitcoins (about 340 million KRW at the time), which is about 60% of the original amount. Kim said, "Hackers usually set the price 1.5 to 2 times higher, anticipating negotiations," and added, "Negotiation is usually possible, but since hackers have full access to all company information, it is difficult to bargain for a large discount."


The negotiation team's revenue comes from a commission that is about 30% of the discounted amount. As the number of data recovery specialists has increased in recent years, some companies now offer flat-rate contracts or pledge not to charge any fee if negotiations fail.


The negotiation team's responsibilities also include exchanging and transferring bitcoin to the hacker. This is because, under current law, Korean corporations cannot directly purchase virtual assets. The victim company gives cash to Kim, who then converts it to bitcoin and sends it to the hacker's wallet. This expense is recorded in the company's accounting books as a "recovery cost" or similar item.


The negotiation team is seen reducing the ransom through chat on a dark web homepage created by hackers. The hackers initially demanded a ransom of about 15 bitcoins (approximately 563.5 million KRW at the time), but as a result of negotiations, it was lowered to about 9 bitcoins (approximately 340 million KRW at the time), which is about 60% of the original ransom. (Photo by victim company)


There have been cases where, even after paying the hacker, the decryption was not properly provided, resulting in further losses. Last year, a hacker group took 100 servers of a robot parts manufacturer hostage and demanded 12 bitcoins (1.8 billion KRW). Negotiations brought the amount down to 4 bitcoins (600 million KRW). However, the password provided by the hacker only restored 2 out of 100 servers. When Kim requested the rest, the hacker replied, "I got scolded by my boss for giving too big a discount," and said, "I need to get about 4 more bitcoins." Kim said, "These days, hackers are becoming increasingly malicious, sometimes giving incorrect passwords even after receiving payment. In such cases, we have to contact them again and renegotiate," and added, "If the hacker gets offended during negotiations, they may upload confidential information to the dark web even after being paid, so caution is required."


Betrayed by Trusted Negotiation Teams... Double Losses for Companies

Even negotiation teams that deal directly with hackers can pose a risk to victim companies. There have been cases where they colluded with hackers, causing companies to suffer twice. The unfairness experienced by victim companies has sometimes led to lawsuits. In 2020, a logistics company in Seoul lost money to both the hacker and the negotiation team. They were told, "If you pay 6 bitcoins (1.8 billion KRW at the time), the server will be unlocked," but during negotiations, the ransom was lowered to 5.5 bitcoins.


However, the negotiation team concealed this fact from the client company and presented a forged email, claiming they could not reduce the ransom from 6 bitcoins. The 0.5 bitcoin difference was pocketed by the negotiation team to pay off their own debts. The victim company, without much suspicion, transferred the purchase amount of 1.8 billion KRW along with a 40 million KRW commission that was to be paid regardless of the negotiation outcome. As things went smoothly, the negotiation team became even greedier. They even sent an email to the hacker saying, "Let's try to demand 2 more bitcoins. I'll negotiate well and we can split the profit."


This scam group eventually went so far as to impersonate hackers themselves. They created a malicious program that encrypted files with the '.enc' extension. During computer repairs for client companies, they installed this program and falsely claimed the computers were infected with ransomware. Over a year, they extorted a total of 30 million KRW from six companies that had requested negotiations, under the guise of recovery costs. In 2022, the Supreme Court sentenced the ringleader of the negotiation team to two years and six months in prison. The court stated, "The crimes of deceiving victims to obtain money under the pretense of ransomware recovery or distributing malicious programs under the guise of computer repairs are of a particularly malicious nature."


Editor's Note: In the real world, when a hostage situation occurs, someone is bound to report it. Whether the victim does it themselves or someone nearby does it for them, notifying the police quickly is the top priority. However, cyber hostage situations caused by ransomware are the complete opposite. Victim companies, even after losing all their money and time to hackers, are busy hiding the incident thoroughly. Lee Hyungtaek, head of the Korea Ransomware Response Center, who has dealt with more than 20,000 ransomware attacks over the past 10 years, said, "It is extremely rare for companies to report hacking incidents, as SK Telecom did. Nine out of ten companies that suffer damage never disclose it externally," adding, "The cycle of hackers taking the money and leaving keeps repeating itself."