Anatomy of a Ransomware Negotiation

Posted on 02 Dec 2022 by Ray Heffer

I recently stumbled upon a Reddit post where the OP posted 19 screenshots showing the email correspondence between a ransomware group and a representative of an Australian health insurance provider, Medibank. You can read details of the breach here.

What I find fascinating about this is how Medibank used a negotiation tactic that can be very useful in these situations: they played dumb. This allowed them to delay the negotiation over several days while, at the same time, gleaning as much information from the adversary as possible. It’s very likely that from the very start, Medibank had no intention of paying the ransom.

The psychology behind playing dumb is centered on manipulation. By feigning ignorance, you can quickly lower the adversary’s guard, and they feel less intimidated.

As one commenter in the Reddit post mentioned, these emails weren’t written by some “incompetent rep”; by using a fake name (Alice) and playing the innocent victim, they were able to gain as much information about the attack as possible.

Tox is harder for us

From what we are seeing, it seems like you are very talented at what you do. We can see your connections through the VPN, but want to know that other access you used?

What’s also very interesting is that the data was exfiltrated, but not deleted or encrypted. The ransom in this case was backed by the threat of exposing the PII (personally identifiable information) on a Tor site.

The entire timeline of this breach spanned 29 days, starting on October 12, 2022 and coming to an end on November 10, 2022. These are the emails exchanged between October 19th and November 10th.

Here are the emails that were posted on Reddit:
