Ransomware negotiator investigated over criminal gang kickbacks

Malwarebytes

If someone is going to negotiate with criminals for you, that person should at least be on your side. That might not have been the case at DigitalMint, a ransomware negotiation company where one worker allegedly went rogue.

According to Bloomberg, DigitalMint is cooperating with the US Department of Justice (DoJ) to investigate allegations that a former employee had worked with ransomware criminals. The company operates a service where it acts as an intermediary between ransomware thieves and their victims, negotiating ransomware demands down to reasonable levels.

The employee allegedly cut deals with ransomware criminals to profit from extortion payments. DigitalMint President Marc Jason Grens told Bloomberg that a criminal investigation was underway, and that the employee involved had since been fired. There is no suggestion that DigitalMint knew about the employee’s actions or supported them in any way.

A ransomware negotiator’s role is to deal with ransomware criminals on a victim’s behalf. The customer pays them to negotiate adjustments to the crooks’ initial demands, which can often be exorbitant.

It’s important that the negotiator doesn’t take any cut from the ransomware thieves because it muddies the waters and changes their motivation. It creates an incentive to keep the ransomware payment high, which maximizes their profit. “The problem with that is it’s ripe for fraud between me and the bad guys,” said one negotiator, interviewed by TechTarget.

Ransomware recovery services have faced some bad press in the past. In 2019, investigative journalism organization ProPublica reported on two US companies that claimed to fix companies’ ransomware data by decrypting it, while secretly paying ransomware companies behind the scenes to recover the data that way.

Since then, companies have openly advertised negotiation services, based on a willingness of cyber insurance companies to reimburse victims as part of their policy coverage. Ransomware demands have also ballooned as this form of cybercrime continues to gain traction.

Some have vowed not to pay ransoms. In 2019, a collection of mayors from across the US flipped the collective bird at ransomware thieves by adopting a joint non-payment resolution. More recently, some state legislators have passed laws to prevent government agencies from paying. And members of the International Counter-Ransomware Initiative, a global effort led by the US, have reportedly adopted a non-payment agreement.

However, these resolutions can only apply to government organizations. Many private companies do pay ransoms, coinciding with evolving approaches by ransomware attackers.

In the early days of this criminal model, ransomware operators would focus purely on encrypting data and demanding payment. Now, more of them steal the data as well, downloading it to their own computers and then threatening to embarrass the victim by publishing it. That likely encourages the victim to pay up, because even if they can decrypt the affected data on their own or restore it from their own backups, they’re still vulnerable to having their secrets leaked online.

The problem is that ransomware operators aren’t trustworthy. The #StopRansomware guide, authored by CISA, the NSA, and the FBI, warns that “paying ransom will not ensure your data is decrypted, that your systems or data will no longer be compromised, or that your data will not be leaked.” It might also put a victim on the wrong side of government sanctions, the document adds.

If companies must pay these ransoms, they’ll at least need a reliable partner to help them manage it. Every incident that draws that industry into disrepute is likely to damage that partnership, and perhaps lead more companies to wonder whether they should pay at all. Perhaps that wouldn’t be a bad thing.
