‘It’s just choosing between plague and cholera’

Four to six hacked companies a week: that’s how many knock on Geert Baudewijns’ door these days. As CEO of the specialized IT company Secutec, he is now almost a full-time negotiator with hackers. He also had to deal with Play, the collective that is currently holding the city of Antwerp hostage.

Stefan Vanderstraeten

“Do you know what is striking?” says Geert Baudewijns during our conversation. “There were significantly fewer hacker attacks between last May and August, because the price of bitcoin was so low and hackers always want to be paid that way. The better the crypto rate, the more profitable it is for them. That is why there have been more cyber attacks since September.”

Just ask the city of Antwerp, which has until December 19 to pay a ransom to the hacker collective Play if it wants to recover 557 gigabytes of data. As CEO of Secutec – one of the largest Belgian IT companies specialized in cyber security – Baudewijns now negotiates with hackers on an almost daily basis. He is not involved in the Antwerp case, but he has already had to deal with Play – last month at the request of a hacked organization in Austria.

And do you already know who is behind Play?

“In my opinion, this is a splinter group from Conti, one of the most powerful hacker collectives in the world at the beginning of this year. That is, until that collective openly came out ‘pro-Putin’ at the start of the war in Ukraine – the leaders were clearly Russian – after which it completely disintegrated in just four days. Perhaps some members did not agree with that statement of support and founded their own collective with Play.

“Although you shouldn’t see that as too structured. I like to compare it to a pyramid in which, certainly at the lowest levels, the hackers don’t even know each other, not even by name. They also always communicate with each other on a secure platform using nicknames.”

How the hell does such a hacker collective end up with the city of Antwerp?

“Such a cyber attack almost always starts with one hacker. A freelancer, if you will. He has found a ‘leak’, and therefore an access key, at a large company or important organization and looks for the highest-bidding hacker collective in the shadowy corners of the internet. In the meantime, the collective does its homework and studies the size and turnover of the company ‘on offer’. If it pays off, they buy the access key and some members of the collective launch the actual cyber attack.”

And if that cyber attack succeeds, and the IT system of a company or organization is held hostage, then the latter will knock on your door. What is your job then?

“In advance I have already received the mandate from the company or organization being held hostage to pay a ransom. This is not prohibited in Belgium: just as family members of a kidnapped person can pay a ransom, so can companies. As long as the hackers do not demonstrably belong to a terrorist organization, because then it is illegal. My job is then to get the final sum of the ransom as low as possible.”

“As a starting sum, the hackers always aim for 10 to 12% of the company’s turnover. They always deliberately set it high in order to ultimately be satisfied with about 4 to 5%. How did they calculate their ransom for a city like Antwerp? That is the exceptional thing about this case. No one can rely on turnover figures here. I myself estimate the starting amount for Antwerp at 500,000 to no more than 750,000 dollars (474,000 to 711,000 euros, ed.), landing after negotiations at 150,000 to 200,000 dollars (142,000 to 190,000 euros, ed.).”

How exactly do such negotiations proceed?

“Usually very businesslike, via untraceable chat channels. Especially with those large collectives, it takes the form of a business conversation, which can drag on for a long time. Much depends on the size of the company and therefore on the corresponding starting bid. If they ask, say, 50,000 to 60,000 dollars (47,000 to 57,000 euros, ed.) to start with for an SME being held hostage, then I usually reach an agreement of around 15,000 to 20,000 dollars (14,200 to 19,000 euros, ed.) in three to four days.

“But if it concerns a multinational, for which the hackers demand 20 million dollars (19 million euros, ed.) as starting money and the customer is only willing to pay 1 million dollars (950,000 euros, ed.), then I’ll easily be busy for four or five weeks. Not continuously, mind you. Sometimes those hackers do not respond for two or three days, after which a counterproposal is made in two sentences.”

Are those hacker collectives actually men of their word?

“Always, especially the large collectives. Once a deal is made, they stick to it. It is a big myth that those hackers collect the ransom and in the meantime also resell the stolen data. My experience shows that if the hackers eventually get paid, they will not do anything with the stolen company data. But conversely, they are also men of their word. In this case: if the city of Antwerp does not pay, the data will be available on December 19. Guaranteed!”

Do you see the number of cyber hostages in Belgium increasing in the near future?

“At the moment I get 4 to 6 negotiating mandates a week, which says a lot. I estimate that only 20 percent of Belgian companies and organizations – and I include banks in that – are sufficiently protected today against this kind of hostage-taking. On the other hand, most companies do not yet realize that their own security requires more than classic antivirus software. To really protect your company against cyber attacks such as the one in Antwerp, today you really need ‘next-generation endpoint protection & response’, or EDR. Simply put: where antivirus software only protects on the basis of a list of known viruses, EDR actively searches for suspicious behavior in your network and takes immediate action.”
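The contrast Baudewijns draws between a signature list and behavioral detection can be made concrete with a small simulation. The following is an added illustration, not code from the interview, from Secutec or from any EDR product: it pairs a hash-list check with a sliding-window rule that flags a process which renames many files to a new extension within a few seconds, which is what a behavioral engine would act on. The hash values, file paths, process id and thresholds are all constructed for the demo.

```python
"""Added example: signature matching versus a behavioural rule of the kind
an EDR agent applies. All data is constructed; no real malware is involved."""
import hashlib
from collections import defaultdict, deque

# Constructed "known bad" signature list (hash of a placeholder payload).
KNOWN_BAD_HASHES = {
    hashlib.sha256(b"sample-known-malware-v1").hexdigest(),
}


def signature_verdict(binary_bytes: bytes) -> bool:
    """Classic antivirus logic: flag only if the file hash is on the list.
    A freshly recompiled or packed variant simply has a different hash."""
    return hashlib.sha256(binary_bytes).hexdigest() in KNOWN_BAD_HASHES


class BehaviourMonitor:
    """Sliding-window rule: a process that renames many files to a different
    extension within a short interval is treated as suspected mass encryption,
    regardless of which binary is doing it."""

    def __init__(self, max_renames: int = 20, window_seconds: float = 10.0):
        self.max_renames = max_renames
        self.window = window_seconds
        self._events = defaultdict(deque)  # pid -> recent rename timestamps
        self.blocked = set()

    @staticmethod
    def _ext(path: str) -> str:
        return path.rsplit(".", 1)[-1] if "." in path else ""

    def observe(self, event: dict):
        """Feed one file-system event; return a response action or None."""
        if event["op"] != "rename":
            return None
        # Only extension changes count (e.g. report.docx -> report.docx.locked).
        if self._ext(event["src"]) == self._ext(event["dst"]):
            return None
        q = self._events[event["pid"]]
        q.append(event["ts"])
        while q and event["ts"] - q[0] > self.window:
            q.popleft()  # drop timestamps that fell out of the window
        if len(q) >= self.max_renames and event["pid"] not in self.blocked:
            self.blocked.add(event["pid"])
            # "Immediate action": kill the process and cut the host off.
            return {"action": "terminate_and_isolate", "pid": event["pid"]}
        return None


def run_demo():
    """Constructed scenario: an unseen binary (not on any hash list) renames
    25 documents in five seconds. Returns (signature result, EDR actions)."""
    unseen_binary = b"sample-unseen-variant"
    monitor = BehaviourMonitor(max_renames=20, window_seconds=10.0)
    events = [
        {"ts": 100.0 + i * 0.2, "pid": 4242, "op": "rename",
         "src": f"/srv/share/report_{i}.docx",
         "dst": f"/srv/share/report_{i}.docx.locked"}
        for i in range(25)
    ]
    actions = [a for a in (monitor.observe(e) for e in events) if a]
    return signature_verdict(unseen_binary), actions


if __name__ == "__main__":
    sig, acts = run_demo()
    print("signature check flagged it:", sig)   # False: hash not on the list
    print("behaviour monitor actions:", acts)   # one terminate_and_isolate
```

The point of the two results side by side: the hash check stays silent for a variant it has never seen, while the behavioral rule fires on the twentieth rename and only once, so a real agent would not flood the console with duplicate alerts for the same process. Thresholds like 20 renames in 10 seconds are deliberately conservative here; a backup or archiving job that keeps the same extension never trips the rule.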

So you won’t be out of work right away?

“Every euro that goes to a criminal organization is a wrong euro, because with it you ‘sponsor’ them. Sometimes my competitors rub that in, and in a way they are right. But it’s just choosing between the plague and cholera. Because on the other side is a customer who can no longer run his business. How often have company managers come to me afterwards, visibly grateful, with tears in their eyes: ‘Thank you, because without you my company would no longer exist today.’ Make no mistake: hacker collectives do have that power.”
