www.newyorker.com /magazine/2021/06/07/how-to-negotiate-with-ransomware-hackers

How to Negotiate with Ransomware Hackers

Rachel Monroe 31-39 minutes 5/31/2021

A few days after Thanksgiving last year, Kurtis Minder got a message from a man whose small construction-engineering firm in upstate New York had been hacked. Minder and his security company, GroupSense, got calls and e-mails like this all the time now, many of them tinged with panic. An employee at a brewery, or a printshop, or a Web-design company would show up for work one morning and find all the computer files locked and a ransom note demanding a cryptocurrency payment to release them.

Some of the notes were aggressive (“Don’t take us for fools, we know more about you than you know about yourself”), others insouciant (“Oops, your important files are encrypted”) or faux apologetic (“WE ARE REGRET BUT ALL YOUR FILES WAS ENCRYPTED”). Some messages couched their extortion as a legitimate business transaction, as if the hackers had performed a helpful security audit: “Gentlemen! Your business is at serious risk. There is a significant hole in the security system of your company.”

The notes typically included a link to a site on the dark Web, the part of the Internet that requires special software for access, where people go to do clandestine things. When victims went to the site, a clock popped up, marking the handful of days they had to fulfill the ransom demand. The clock began to tick down ominously, like a timer connected to a bomb in an action movie. A chat box enabled a conversation with the hackers.

In the past year, a surge of ransomware attacks has made a disruptive period even more difficult. In December, the acting head of the federal Cybersecurity and Infrastructure Security Agency said that ransomware was “quickly becoming a national emergency.” Hackers hit vaccine manufacturers and research labs. Hospitals lost access to chemotherapy protocols; school districts cancelled classes. Companies scrambling to accommodate a fully remote workforce found themselves newly vulnerable to hackers. In May, an attack by the ransomware group DarkSide forced the shutdown of Colonial Pipeline’s network, which supplies fuel to much of the East Coast. The shutdown, which pushed up gas prices and led to a spate of panic-buying, put a spotlight on ransomware’s potential to disable critical infrastructure. A week after the attack, once Colonial paid a ransom of $4.4 million to get its systems back online, eighty per cent of gas stations in Washington, D.C., still had no fuel.

The F.B.I. advises victims to avoid negotiating with hackers, arguing that paying ransoms incentivizes criminal behavior. This puts victims in a tricky position. “To just tell a hospital that they can’t pay—I’m just incredulous at the notion,” Philip Reiner, the C.E.O. of the nonprofit Institute for Security and Technology, told me. “What do you expect them to do, just shut down and let people die?” Organizations that don’t pay ransoms can spend months rebuilding their systems; if customer data are stolen and leaked as part of an attack, they may be fined by regulators. In 2018, the city of Atlanta declined to pay a ransom of approximately fifty thousand dollars. Instead, in an effort to recover from the attack, it spent more than two million dollars on crisis P.R., digital forensics, and consulting. For every ransomware case that makes the news, there are many more small and medium-sized companies that prefer to keep breaches under wraps, and more than half of them pay their hackers, according to data from the cybersecurity firm Kaspersky.

For the past year, Minder, who is forty-four years old, has been managing the fraught discussions between companies and hackers as a ransomware negotiator, a role that didn’t exist only a few years ago. The half-dozen ransomware-negotiation specialists, and the insurance companies they regularly partner with, help people navigate the world of cyber extortion. But they’ve also been accused of abetting crime by facilitating payments to hackers. Still, with ransomware on the rise, they have no lack of clients. Minder, who is mild and unpretentious, and whose conversation is punctuated by self-deprecating laughter, has become an accidental expert. “While I’ve been talking to you, I’ve already gotten two calls,” he told me when we video-chatted in March.

The man who reached out to him in November explained that the attack, the work of a hacking syndicate known as REvil, had rendered the company’s contracts and architectural plans inaccessible; every day the files remained locked was another day the staff couldn’t work. “They didn’t even have an I.T. person on staff,” Minder said. The company had no cyber-insurance policy. The man explained that he had been in touch with a company in Florida that had promised to decrypt the files, but it had stopped replying to his e-mails. He wanted Minder to negotiate with the hackers to get the decryption key. “The people who reach out to me are upset,” Minder told me. “They’re very, very upset.”

As a child, Minder visited his father at the mill where he worked, in central Illinois, and watched him hoist fifty-pound sacks of flour. His mother, who worked for the state, sat in an air-conditioned office with a cup of coffee. He didn’t quite understand what her job was, other than that it seemed to involve a lot of typing. “I was, like, whatever that typing job is, that’s what I want,” Minder told me.

After college, in the early nineties, he got a tech-support job at a local Internet-service provider. Within a year, he was promoted to assistant systems administrator, a job that entailed keeping tabs on the server logs. He began to notice a strange pattern, which he eventually realized was evidence of hackers. “They would use our routers as what we would now call a pivot point—bouncing off them to attack someone else, so the attack looked like it was coming from us,” he said. The attackers were typically hobbyists who were more interested in showing off their skills than in wreaking real havoc; Minder found the cat-and-mouse energy of outsmarting them deeply satisfying.

By that time, hackers had proved that they could inflict serious damage. In 1989, twenty thousand public-health researchers around the world received a floppy disk purporting to contain an informational program about AIDS. But the disk also included a malicious program that is now considered the first instance of ransomware. After users rebooted their computers ninety times, a text box appeared on the screen, informing them that their files were locked. Then their printers spat out a ransom note instructing them to mail a hundred and eighty-nine dollars to a post-office box in Panama. The malware, which came to be known as the AIDS Trojan, was created by Joseph Popp, a Harvard-trained evolutionary biologist. Popp, whose behavior grew increasingly erratic after his arrest, was declared unfit to stand trial; he later founded a butterfly sanctuary in upstate New York.

Popp’s strategy—encrypting files with a private key and demanding a fee to unlock them—is frequently used by ransomware groups today. But hackers initially preferred an approach known as scareware, in which they infected a computer with a virus that manifested as multiplying pop-ups with ominous messages: “SECURITY WARNING! Your Privacy and Security are in DANGER.” The pop-ups told users to buy a certain antivirus software to protect their systems. Hackers posing as software companies could then receive credit-card payments, which were unavailable to those deploying ransomware. In the early two-thousands, ransomware hackers typically demanded a few hundred dollars, in the form of gift cards or prepaid debit cards, and getting hold of the money required middlemen, who siphoned off much of the profits.

The calculus changed with the launch of Bitcoin, in 2009. Now that people could receive digital payments without revealing their identity, ransomware became more lucrative. When Minder founded GroupSense, in Arlington, Virginia, in 2014, the cybersecurity threat on everyone’s mind was data breaches—the theft of consumer data, like bank-account information or Social Security numbers. Minder hired analysts who spoke Russian and Ukrainian and Urdu. Posing as cybercriminals, they lurked on dark-Web marketplaces, seeing who was selling information stolen from corporate networks. But, as upgrades to security systems made data breaches more challenging, cybercriminals increasingly turned to ransomware. By 2015, the F.B.I. estimated that the U.S. was subjected to a thousand ransomware attacks per day; the next year, that number quadrupled. Mike Phillips, the head of claims for the cyber-insurance company Resilience, told me, “Now it’s ransomware first and only, and everything else is a distant second.”

Criminal syndicates are behind most ransomware attacks. In their online interactions, they display a mixture of adolescent posturing and professionalism: they have a fondness for video-game references and the word “evil,” but they also employ an increasingly sophisticated business structure. The larger groups establish call centers to help talk victims through the confusing process of obtaining cryptocurrency, and they promise discounts to those who pay up in a timely fashion. Some ransomware groups, including REvil, work on the affiliate model, providing hackers with the tools to deploy attacks in exchange for a share of the profits. (REvil also handles ransom negotiations on behalf of its affiliates.) “It’s way too easy to get into this,” Reiner, of the I.S.T., told me. “You or I could do it—you just hire it out. There’s been an incredible commoditization of the entire process.”

Hackers use various techniques to gain access to a company’s computers, from embedding malware in an e-mail attachment to using stolen passwords to log in to the remote desktops that workers use to connect to company networks. Many of the syndicates are based in Russia or former Soviet republics; sometimes their malware includes code that stops an attack on a computer if its language is set to Russian, Belarusian, or Ukrainian. Some of the syndicates employ current or former members of the military, but they seem to care more about money than about geopolitical machinations. “We are apolitical,” a man claiming to be an REvil representative said in an interview with a Russian YouTuber. “No politics at all. We don’t care who’s going to be President. We worked, we work, and we will work.”

Phillips told me, “Paying a ransom, you worry about it being venture capital for this dark-Web Silicon Valley on the other side of the world.” Ransomware groups, like their Silicon Valley counterparts, move fast and break things. In May, 2017, the WannaCry attack infected three hundred thousand computers through old and unpatched versions of Microsoft Windows. In the United Kingdom, ambulances had to be diverted from affected hospitals, and a Renault factory stopped production. Just three years after that attack, though, the REvil representative called this scattershot approach “a very stupid experiment.” The WannaCry hackers had demanded ransoms of only three hundred to six hundred dollars, netting around a hundred and forty thousand dollars.

After WannaCry, ransomware groups concentrated on sectors where a combination of lax security and a low tolerance for disruption makes getting paid more likely and more lucrative—industrial agriculture, mid-level manufacturing, oil-field services, municipal governments. Groups timed disruption for periods of acute vulnerability: schools in August, right before students returned; accounting firms during tax season. Certain syndicates specialize in “big-game hunting,” launching targeted attacks against deep-pocketed companies. The group deploying the Hades ransomware strain focusses on businesses with reported revenues of more than a billion dollars. Another designs custom malware for each job. In 2019, during a Webinar hosted by Europol, the European law-enforcement agency, a security expert mentioned that the cryptocurrency Monero was essentially untraceable; soon afterward, REvil began asking for ransom payments in Monero instead of Bitcoin.

When companies seem reluctant to negotiate, executives receive threatening phone calls and LinkedIn messages. Last year, the Campari Group issued a press release downplaying a recent ransomware attack. In response, hackers launched a Facebook ad campaign, using the profile of a Chicago d.j., whom they had also hacked, to shame the beverage conglomerate. “This is ridiculous and looks like a big fat lie,” they wrote. “We can confirm that confidential data was stolen and we talking about huge volume of data.” Last year, printers at a South American home-goods chain began spitting out ransom notes instead of receipts.

More recently, syndicates have added extortion to their playbook. They siphon off confidential files before encrypting systems; if their ransom demand isn’t met, they threaten to release sensitive data to the media or auction it off on the black market. Hackers have threatened to publish an executive’s porn stash and to share information about non-paying victims with short sellers. “I’ve seen social-work organizations where ransomware actors threatened to expose information about vulnerable children,” Phillips said.

Before ransomware took over Minder’s life, he had settled into a routine. He walked to work, where he was usually the first to arrive and the last to leave. On the way home, he stopped at a coffee shop for a glass of wine and a salad. Back at his apartment, where he lived alone, he would work at his desk until he fell asleep. His major social outlet was the local motorcycle club, the BMW Bikers of Metropolitan Washington.

Early last year, GroupSense found evidence that a hacker had broken into a large company. Minder reached out to warn it, but a server had already been compromised. The hacker sent a ransom note to the company, threatening to release its files. The company asked Minder if he would handle the ransom negotiations. Initially, he demurred—“It never occurred to me as a skill set I had,” he said—but eventually he was persuaded.

To buy time, Minder suggested that the company acknowledge receipt of the ransom note. He began studying up on negotiation tips, watching MasterClass tutorials and reading books by former hostage negotiators. He learned that he should avoid making counteroffers in round numbers, which can seem arbitrary, and that he shouldn’t make concessions without providing a justification. During the next few weeks, as the conversation with the hacker unspooled, Minder discovered that he had a knack for negotiation. He did his best to engage the hacker, who appeared to be unaffiliated with any of the major ransomware syndicates. When the hacker complained about how much time and effort he’d invested in breaking into the company, Minder complimented him on his skills: “I told him, ‘You’re a very talented hacker, and we’d like to pay you for that. But we can’t pay what you’re asking.’ ”

The negotiation became all-consuming. On a motorcycle camping trip with his girlfriend, Minder huddled by the campfire with his laptop, using a 3G hot spot to keep talking. Eventually, the hacker agreed to a price that the company’s insurer found acceptable. “ ‘I think I could get him even lower if you gave me a little bit more time,’ ” Minder recalls saying. “But the cyber-insurance company said, ‘This is good enough.’ ”

Minder soon found more work. Sometimes it was a prominent company facing a multimillion-dollar ransom demand, and the negotiation took weeks. Sometimes it was a small business or a nonprofit that he took on pro bono and tried to wrap up over the weekend. But GroupSense rarely made money from the negotiations. Some ransomware negotiators charge a percentage of the amount that the ransom gets discounted. “But those really profitable approaches are ripe for fraud, or for accusations of fraud,” Minder said. Instead, he charged an hourly rate and hoped that some of the organizations that he helped would sign up for GroupSense’s core product, security-monitoring software.

Last March, after GroupSense’s office shut down, Minder paced in circles in his four-hundred-and-seventy-five-square-foot apartment. “I was, like, I need to go hike,” he said. He towed two motorcycles to a rental house in Grand Junction, Colorado. As the world fell apart, the ransomware cases kept coming. Minder handled the negotiations himself; he didn’t want to distract his employees, and he found that the work required a certain emotional finesse. “Most of our employees are really technical, and this isn’t a technical skill—it’s a soft skill,” he told me. “It’s hard to train people for it.”

The initial exchange of messages was crucial. People advocating on their own behalf had a tendency to berate the hackers, but that just riled them up. Minder aimed to convey a kind of warm condescension—“Like, we’re friends, but you don’t really know what you’re doing,” he explained. His girlfriend, who speaks Romanian, Russian, Ukrainian, and some Lithuanian, helped him find colloquialisms that would set the right tone. He liked to call the hackers kuznechik, Russian for “grasshopper.”

Occasionally, Minder was called in to try to rescue negotiations that had gone off the rails. If hackers felt that a negotiation was moving too slowly, or they sensed that they were being lied to, they might cut off communication. Following the advice of Chris Voss, a former F.B.I. hostage negotiator who is now a negotiation consultant, Minder tried to establish “tactical empathy” by mirroring the hacker’s language patterns.

“You literally could not pay me enough to relive my twenties.”
Cartoon by Suerynn Lee
You literally could not pay me enough to relive my twenties.

Most of the time, Minder found himself dealing with a representative from one of the syndicates. “The first person you talk to is, like, level-one support,” he told me. “They’ll say something like ‘I want to work with you, but I have to get my manager’s approval to give that kind of discount.’ ”

GroupSense partnered with CipherTrace, a blockchain-analysis firm, which allowed Minder to see that a particular cryptowallet had been created and to trace its transactions. Determining the average payments flowing into a wallet gave him a sense of the going rate, so he could avoid overpaying. He came to understand that syndicates were working from a script. “Oftentimes, we can go to the client and say how it’s going to go before it starts,” he told me.

The clients themselves could be more challenging. Minder ran all communications by them, through a secure portal. Some wanted to edit every message to the hackers. “It’s like a spy game to them,” Minder said. Others erupted in anger or frustration. “Sometimes you’re negotiating in two directions at once—with the hacker and with the victim,” he said. “You have to have a personality type where you can be empathetic but also give directions in a way that isn’t confrontational.”

Minder has already seen pressure tactics and ransom demands escalate. In 2018, the average payment was about seven thousand dollars, according to the ransomware-recovery specialist Coveware. In 2019, it grew to forty-one thousand dollars. That year, a large ransomware syndicate announced that it was dissolving, after raking in two billion dollars in ransom payments in less than two years. “We are a living proof that you can do evil and get off scot-free,” the syndicate wrote in a farewell message. By 2020, the average ransom payment was more than two hundred thousand dollars, and some cyber-insurance companies began to exit the market. “I don’t think the insurers really understood the risk they were taking on,” Reiner told me. “The numbers in 2020 were really bad, but, at the end of 2020, everyone looked around and said, 2021 is going to be even worse.”

In 1971, a British manager at an Argentine meatpacking plant was seized by a guerrilla group. Several weeks later, after his employer paid a two-hundred-and-fifty-thousand-dollar ransom, he was freed. The following year, an electronics company paid twice as much to retrieve a kidnapped executive. In 1973, businessmen in Central America kept getting abducted, and their ransoms rose at an alarming rate: Coca-Cola paid a million dollars; Kodak paid $1.5 million; British American Tobacco paid $1.7 million; Firestone paid three million. One C.E.O. fetched $2.3 million; by the time he was kidnapped again, two years later, the price had risen to ten million. Then Juan and Jorge Born, heirs to a multinational food-processing conglomerate, were captured in a scheme involving fake street signs and operatives dressed as telephone workers and police officers. They were eventually ransomed for sixty million dollars, plus a million dollars’ worth of clothing and food to be distributed to the poor. Taking on the risk of kidnapping was “part of what it means to be an executive,” Gustavo Curtis, an American manager working in Colombia, was told by his employer shortly before his abduction, in 1976.

For much of human history, kidnapping had been largely a local affair, governed by a certain amount of ritual and reciprocity. Globalization, political destabilization, and rising inequality upended those norms. In Italy, criminal gangs abducted wealthy foreigners and farmers’ children; one year, eighty people were held for ransom. John Paul Getty refused to pay more in ransom for his kidnapped grandson than he could deduct on his taxes—reportedly three million dollars.

Kidnap-and-ransom insurance, a field that arose after the Lindbergh baby’s abduction and murder, in 1932, surged. In 1970, the size of the market was around a hundred and fifty thousand dollars; by 1976, it was seventy million dollars. The majority of policies were underwritten by Lloyd’s of London, the world’s main market for specialist insurance. Soon, there were risk analysts, who advised policyholders on how to prevent kidnappings; private security firms that offered on-the-ground protection; and specialist negotiators, who took over if things went south.

Control Risks was founded in 1975, by former members of the British Special Forces, to help the insurance industry deal with its kidnapping problem. Its executives performed their work with a patrician discretion. When, in 1977, two of its founding members were arrested in Colombia—no one was quite sure whether the nascent negotiation industry was legal—they spent their ten-week detention writing a code of conduct for their company. (The members were later exonerated.)

Around three-quarters of Fortune 500 companies eventually invested in kidnap-and-ransom insurance, but there was some discomfort with an industry that turned a profit by funnelling money to the Mafia, terrorist groups, and criminal gangs. “There is a feeling you shouldn’t make too much money,” a Control Risks co-founder told the Times, in 1979. Italy, Colombia, and the United Kingdom have all banned kidnap-and-ransom insurance.

But Anja Shortland, a professor of political economy at King’s College London, told me that privatized kidnap intermediaries were key in instituting what she calls “ransom discipline.” Control Risks didn’t merely negotiate ransoms; it also provided security audits, advising companies on how to keep staff from being abducted in the first place. Insurers offered reduced premiums to companies that beefed up their security, reducing over-all rates of kidnapping. When abductions did happen, skilled negotiators kept ransom demands from spiralling out of control. These days, some ninety per cent of kidnappings are resolved, typically through the payment of a ransom; when specialists are involved, the success rate rises to ninety-seven per cent. Countries that banned kidnap insurance drove negotiations underground.

Shortland specializes in the economics of crime. “A lot of economics is: let’s assume away all the complexities so we can come up with a tractable problem,” she told me. “And I’m just embracing the complexities.” To better understand the kidnap-for-ransom industry, she closely studied the piracy-and-kidnapping market in Somalia, where she saw how private insurers, consultants, and negotiators fostered a certain predictability in a trade that’s typically portrayed as unruly. “There is a pace, a rhythm to these things,” as one negotiator told her.

The orderliness, which relies on a mutual assumption of good faith, benefits all sides, Shortland told me. Kidnappers receive an expected rate of return; the kidnapped can reasonably expect that they’ll be released intact; companies in dangerous areas can assume that their staff won’t be abducted, but, if they are, they almost certainly won’t be killed. And the insurance companies and consultants can collect their fees.

Ransomware has less “kinetic impact” than kidnapping, Bill Siegel, the co-founder of Coveware, told me—that is, no one is sending severed ears in the mail. But, to an economist, the differences are small. “They are creating very similar kinds of institutions to the ones that the kidnap-and-ransom community has created,” Shortland said. “But they’re about eighty years behind.”

When it became clear that ransomware cases weren’t slowing down, Minder trained two of his employees to handle negotiations; one of them was Mike Fowler, a former narcotics detective from North Carolina. Working undercover had taught Fowler how to slip into character, which, he told me, “is part and parcel of being an effective negotiator.”

Last November, Fowler was the designated negotiator for the construction-engineering firm. When he logged on to the dark-Web site, he noticed that the timer showed that three days had already elapsed in the negotiations. In the chat box, a conversation was in progress. “It was shocking for me,” Fowler said. “This is a whole negotiation—poorly done, but a whole negotiation—that I’m looking at.”

Whoever had been chatting on behalf of the engineering firm was confrontational and aggressive. When the hackers demanded two hundred thousand dollars to unlock the company’s files, the negotiator initially counteroffered ten thousand dollars, and then quickly went up to fourteen thousand, then twenty-five thousand. “What that communicates to the threat actor is: there’s more money here,” Fowler said. The hackers grew frustrated. “You have reported an annual income of $4 million,” they wrote. “We are not expect small money from you.” The final message in the chat had arrived from the hackers two days earlier: “Are you ready to close with a cost of 65k?”

Fowler and Minder tried to piece together what had happened. The clients insisted that they had never gone to the dark-Web site, much less interacted with the hacker. Then Fowler reminded Minder about a recent post on REvil’s blog, warning about fraudulent middlemen who said that they could decrypt files; instead, the middlemen would secretly negotiate with the hackers before offering the decrypted files at a markup. At the time, it had amused Minder that a cybercrime syndicate was issuing a warning about scammers. But now the clients acknowledged that they had reached out to MonsterCloud, a Florida company that advertises itself as “the world’s leading experts in Cyber Terrorism & Ransomware Recovery.” MonsterCloud’s Web site encouraged victims to use its ransomware-removal services instead of paying a ransom. That pitch likely appealed to the heads of the engineering firm, who were “very, very patriotic,” Minder told me. “It didn’t surprise me at all that they’d rather pay a software company in Florida” than send a ransom to a foreign criminal syndicate.

Minder soon learned that, shortly after the REvil hacker demanded sixty-five thousand dollars, a MonsterCloud representative told the engineering firm that it could recover the files for a hundred and forty-five thousand dollars. (MonsterCloud declined to comment.)

According to an investigation by ProPublica, MonsterCloud has a long track record of secretly negotiating with hackers. ProPublica spoke with a number of former clients who believed that their files had been decrypted without their paying a ransom, even though the ransomware strains in question made this outcome highly unlikely; most are impossible to decrypt unless there is an error in the code. MonsterCloud is one of a handful of U.S.-based data-recovery companies that appear to follow a similar business model. By purporting to decrypt files using high-tech tools, these firms allow their clients to believe that ransomware can be addressed without sending funds to criminal syndicates—a strategy that’s particularly appealing to MonsterCloud’s publicly funded clients, such as municipalities or law-enforcement departments. Ransomware groups recognize that data-recovery firms can be lucrative partners; one offers a promo code especially for such firms. MonsterCloud declined to discuss its methods with ProPublica. “We work in the shadows,” Zohar Pinhasi, the company’s C.E.O., told the publication. “How we do it, it’s our problem. You will get your data back. Sit back, relax and enjoy the ride.”

When Minder explained the situation to his client, the man let loose a string of expletives. Because the negotiation had already been bungled, there was little chance that Minder could get the hackers to agree to a lower price. The client asked Minder to tell the hackers to go fuck themselves, but Minder says he “respectfully declined.” Instead, the company attempted to rebuild files from backups and old e-mails. Minder encouraged the client to investigate how the breach happened, but the company seemed uninterested. “They said their I.T. guy has theories,” he told me.

Minder reported MonsterCloud to the Federal Trade Commission, but the incident continued to gnaw at him. “If you Google ‘save me from ransomware’ or ‘ransomware response,’ you’re getting these companies that are basically profiteering or fraudulently misrepresenting themselves,” he said. “I’m just nauseous about it.”

Last October, the Treasury Department’s Office of Foreign Assets Control issued an advisory aimed at negotiators, cyber-insurance firms, and incident-response teams, warning that they may be fined for facilitating payments to criminals.

“They did this poorly,” Mike Convertino, the former chief information-security officer for Twitter, told me. “Maybe they got frustrated, but I view it as somewhat irresponsible. Let’s face it—if you’re a two-billion-dollar company and you’re encrypted and you don’t have good backups, they just took away your only option. So you just destroyed a two-billion-dollar company.” (The advisory seemed to have an effect: the number of ransomware victims who paid ransoms declined in the last quarter of 2020.)

In response, Convertino’s current employer, the cyber-insurance firm Resilience, participated in a Ransomware Task Force, which included representatives from major cybersecurity venders and incident-response firms, as well as from the F.B.I. and the Department of Homeland Security, under the umbrella of the Institute for Security and Technology. “Make no mistake, our recommendations aren’t about eliminating ransomware as a threat,” John Davis, a vice-president at the cybersecurity firm Palo Alto Networks, said at an online event; rather, the goal is to bring it to a level “that can be more effectively managed.” Those recommendations included requiring ransom payments to be reported to authorities and creating a fund to support victims who refrain from paying ransoms. In April, the Justice Department announced that it was forming its own ransomware task force to coördinate among the private sector, other federal agencies, and international partners.

Meanwhile, the ransomware syndicates have been working to shore up their images. DarkSide, the group responsible for hacking Colonial Pipeline’s system, had vowed that it would not attack schools, hospitals, funeral homes, or nonprofit organizations; it would target only large corporations. In October, DarkSide issued a press release announcing that it had just donated ten thousand dollars in cryptocurrency to two charities. “No matter how bad you think our work is, we are pleased to know that we helped change someone’s life,” the syndicate wrote. But disabling critical infrastructure brought another level of attention, as well as the threat of a significant law-enforcement response. DarkSide apologized for causing disruption and, sounding like a chastened tech company, promised to invest more in moderation, “to avoid social consequences in the future.” A few days later, the syndicate announced that its servers had been shut down and its Bitcoin wallet emptied, potentially an indication of law-enforcement actions. Seemingly spooked by the negative publicity, REvil announced that it would no longer attack targets in the government, health-care, and education sectors.

Shortland saw this kind of brand-burnishing as a good thing. “If this was a complete fly-by-night scenario, then I might despair,” she told me. “But people who do this want to do it again.” The hackers cared about their reputations, which was a sign that the market was governable. That didn’t mean ransomware would go away—at least, if the example of criminal kidnapping was any indication. “There is a certain amount of kidnap that works for everyone,” she said. ♦