Go inside the ransomware negotiations with hackers | Action News Investigation

Hospitals in Delco, the City of Philadelphia and a Pennsylvania water authority are just a few of the local victims in 2023.

By Chad Pradelli and Cheryl Mettendorf, WPVI
Friday, December 15, 2023

PHILADELPHIA (WPVI) -- Cyberattacks are surging and healthcare networks are being increasingly targeted.

Just last week, cyber thieves hit Capital Health in New Jersey.

Criminal enterprises usually get access to networks through human error: an employee mistakenly clicks on what's called a "phishing email" and unknowingly downloads malware.

But that's just the early innings in the game of ransomware - then negotiations begin.

"It's billions of dollars every year that ransomware groups are making," said Drew Schmitt with Guidepoint Security.

Schmitt's job is to negotiate with cyber syndicates who he said go by names like Akira, BlackBasta, Lockbit and the Lazarus Group.

"We see that there are threat actors that exist all over the world," he said.

He said with the click of a mouse the cyber gangs take over networks.

Hospitals in Delaware County, the City of Philadelphia and a Pennsylvania water authority are just a few of the local victims in 2023.

"These threat groups have evolved in such a way that they have more or less real-time chat applications," said Schmitt.

Schmitt took us behind the scenes of what happens when entities hire Guidepoint Security. The cybersecurity firm is responsible for past negotiations of one-third of Fortune 500 companies and more than half of US government cabinet-level agencies.

He said after an attack, victims will first get a link. They'll then be instructed to enter their company name and code, and then negotiations are underway.

"'Hey, I was told to get in contact with you based on this ransomware. How do we get our files back?'" he said they usually ask.

In this ransomware attack, Schmitt shared with the Investigative Team that BlackBasta requested $1 million. If not paid, the group warned the sensitive information would be posted to a news board or leaked onto a site on the dark web where other criminals can access the information.

"That's where they name and shame. That's where they post the data."

Schmitt said he'll then request proof they have the files they say they do.

"So we actually call that proof of life," he said. "You have what you say you have. But now we need to know that you can actually decrypt the files that you've encrypted in our environment."

Schmitt said responses can take seconds, minutes, even hours. But the entire cat-and-mouse game often takes days.

"So they might find your policy information. So they know how much insurance coverage you have for certain types of scenarios," says Schmitt.

In the chat with BlackBasta, the bad actors seemed to even know bank account information -- valuable nuggets in a ransomware negotiation.

Schmitt said his company's statistics found 65% of clients pay the ransom, with the average payment in the low hundreds of thousands of dollars.

"They're going to be paid using cryptocurrency, and in most cases it's going to be Bitcoin."

Cybersecurity experts also tell us many small and medium-sized businesses can't pay and may be forced to lay off employees or shut down completely.

Schmitt said bringing down these networks is very difficult because they often operate in countries that do not cooperate with U.S. investigations.
