My war against cyberhackers terrorising UK… from trick to force ransom payments to tiny detail that exposed ‘inside job’

RICHARD Foster doesn’t look like your typical computer geek, but the ex-copper is on the front line in the war against cyber hackers. 

The 6ft 6in former Regional Crime Squad detective is the man companies like the Co-op – which had data from all its 6.5 million members stolen and lost £206 million in sales – call in when they are hit by ransomware attacks.

[Photo] Richard Foster is a negotiator employed by companies that have been hacked and held to ransom. Credit: Arthur Edwards / The Sun

Richard is one of the UK’s few cyber-hack negotiators.

Just like in a kidnapping, his job is to deal with the ruthless villains who infect companies’ IT systems and demand ransoms often running into millions.

While in the police, Richard ran his own network of underworld informers and knows how to talk to the cyber villains who try to extort payments in hard-to-track cryptocurrency.

In an exclusive interview with The Sun, he reveals: “You’re dealing with criminals who will double-cross you, they’ll constantly try and manipulate you and they haven’t got a moral code.

“Companies are being hacked every day. The ones the public get to hear about are just the tip of the iceberg.

“I don’t think anybody knows the true numbers. It’s on a global scale. It’s happening to every country around the world. The numbers are massive.

“Hackers who attack big companies will have done their research into who they are going after and as a result will ask for anywhere from half a million to a million, five million or ten million, usually dollars.”  

Often criminals will invade a company’s IT system and spend weeks, sometimes months, researching their target.

They will even try to find out how much insurance the business has taken out to cover hack attacks – so they know how much ransom to demand.

It is estimated that in the UK, eight out of ten businesses hit by a cyber-attack will pay a ransom. 

[Photo] Tyler Buchanan is understood to be one of the ringleaders of the Scattered Spider gang.

Marks & Spencer was hit by a gang of young hackers working from bedrooms in Britain and the US calling themselves Scattered Spider.

It is at this point expert negotiators like Richard, boss of Brainstorm Security, would be called in.

Richard – who was not involved in the M&S or the Co-op case – says: “It’s not illegal for a private company to pay a ransom. 

“My advice is if we can avoid paying, we will because we shouldn’t be paying.


“But in some cases if we don’t do this you might not even have a company. Everybody who you employ may end up out of a job as a result of it. 

“So, I give the facts and my professional advice to help the victim make the best-informed decision making possible.”

A cyber attack on bureau de change firm Travelex in 2020, where hackers demanded a $3million ransom, led to the loss of 1,300 jobs.  

Sly tactics

[Photo] The M&S hack saw click and collect services across UK stores go down, as well as customer information stolen. Credit: Getty

[Photo] Co-op customers had their private data stolen in the cyber attacks against the company’s computer system. Credit: Alamy

[Photo] A cyber attack on Travelex saw hackers demand $3million in ransom, which led to the loss of 1,300 jobs. Credit: PA

Hackers communicate with their victims in different ways.  

They might find that their computers are all encrypted apart from a text file note left on the system that says: ‘Go to this address on the dark web, put a code in and then you can communicate with us’.

Or, like in the M&S case, they email individuals with a ransom demand.

Richard says: “On other occasions they will phone the victim company and maximise their nastiness as criminals by speaking to a receptionist in a really horrible way, applying great pressure.

“It’s stopping the person who’s in charge of the company thinking straight because they’re under so much pressure. 

“Our job when we come in to negotiate with the bad guys is to slow and calm everything down. 

“We can communicate with these people but we’re not going to do anything rash.”

‘Inside job’

In one case he was brought in to negotiate with a gang demanding the payment of nearly half a million pounds in Bitcoin.

He reveals: “I was asked to come in and try and speak with the bad guys because they’ve been communicating via email.

“We got to the negotiating bit and the sums were in the hundreds of thousands of pounds.

“Communication was going on and we noticed there was one digit out on the email address the bad guys were using. We thought, that’s odd.


“There was an insider threat. The company had been attacked by a real ransomware group. 

“But there was a member of IT within that company who’d identified that this was taking place and was monitoring the emails.

“And they registered a very similar website address to the villains and were intercepting the emails that were supposedly going from the company to the bad guys.

“They swapped out the Bitcoin address that we were going to pay money into so the individual inside the company would get all the money.

“We continued the negotiation while we forensically investigated the email systems and identified who the insider threat was. They had got up to all sorts of other things and were arrested then dealt with. 

“The ransomware attackers never got paid. The company had back-up that they could restore from.” 
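The two tells in that case were a counterparty e-mail address that was one character off the one the gang had used from the start, and a payment address that changed part-way through the thread. The script below is an added example, not code from the article or from Brainstorm Security: it walks a negotiation thread, flags any later sender address that is within one edit of the original one but not identical (a look-alike), and flags any change in the Bitcoin-style address quoted in the messages. The thread, the domains and the wallet strings are all constructed placeholders.

```python
"""Spot a look-alike counterparty address and a mid-thread payment-address
swap in a ransom negotiation e-mail thread.

Added example: the thread below is constructed and every address, domain and
wallet string in it is a placeholder, not a real indicator.
"""
import re
from dataclasses import dataclass


@dataclass
class Message:
    sender: str   # e-mail address the message arrived from
    body: str     # plain-text body of the message


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: the minimum number of single-character
    insertions, deletions or substitutions that turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


# Loose pattern for a Bitcoin-style address (legacy base58 or bech32).
# Assumed for the example; a real thread may quote other coins or URLs.
BTC_RE = re.compile(r"\b(?:bc1[0-9a-z]{25,39}|[13][1-9A-HJ-NP-Za-km-z]{25,34})\b")


def review_thread(messages, max_distance: int = 1):
    """Return a list of (message index, reason) findings.

    The first inbound message establishes the counterparty sender address and
    the first payment address seen. Later messages are flagged when:
      * the sender is *almost* the established address (within max_distance
        edits but not identical), i.e. a look-alike; or
      * the payment address quoted in the body differs from the first one.
    """
    findings = []
    baseline_sender = messages[0].sender.lower()
    baseline_pay = None
    for idx, msg in enumerate(messages):
        sender = msg.sender.lower()
        if sender != baseline_sender and edit_distance(sender, baseline_sender) <= max_distance:
            findings.append((idx, f"look-alike sender {msg.sender!r} vs baseline {baseline_sender!r}"))
        for addr in BTC_RE.findall(msg.body):
            if baseline_pay is None:
                baseline_pay = addr
            elif addr != baseline_pay:
                findings.append((idx, f"payment address changed from {baseline_pay} to {addr}"))
    return findings


# Constructed thread: the third message arrives from a domain one digit out
# (7431 -> 7481) and quotes a different wallet than the first two messages.
THREAD = [
    Message("decryptor@restore-data-7431.example",
            "Your files are encrypted. Pay 0.5 BTC to "
            "1ABCDEFGHJKMNPQRSTUVWXYZabcdefghjk to receive the key."),
    Message("decryptor@restore-data-7431.example",
            "Price is final. Same wallet: 1ABCDEFGHJKMNPQRSTUVWXYZabcdefghjk"),
    Message("decryptor@restore-data-7481.example",
            "OK we lower to 0.4 BTC. Use this wallet now: "
            "3zyxwvutsrqponmkjhgfedcbaZYXWVUTSR"),
]

if __name__ == "__main__":
    for idx, reason in review_thread(THREAD):
        print(f"message {idx}: {reason}")
```

Run against the constructed thread it reports two findings, both on the third message. In a real engagement the baseline would be pinned from the first verified contact (the note left on the encrypted hosts, or the dark-web portal) rather than from whatever e-mail arrived first, and the same comparison is worth running on the domain's MX and registration details, since a look-alike domain registered days into the negotiation is exactly the pattern described above.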

[Photo] Scattered Spider is believed to have attacked brands including Marks & Spencer. Credit: X/CrowdStrike

[Photo] Spanish cops arrested Tyler Buchanan last year in Majorca as he tried to board a flight to Naples, Italy.

Negotiations can take weeks as Richard keeps the criminals on the hook while constantly trying to cut the amount of money to be paid. 

Like in human kidnappings, where negotiators insist on proof that the victim is still alive, he will demand proof that the cyber criminals are able to post the information they claim to have stolen on the web. 

Richard says: “This is a very specialised skill to do it correctly without making anything worse. 

“It’s about building rapport so we can have some negotiation while trying to capture evidence.

“You don’t lie to these criminals because the last thing you want is for them to say ‘the ransom has doubled – now we want a million dollars because you have messed us about’.”

‘Urgency, authority, fear’

It can take weeks to build up that rapport and trust between negotiator and the criminal.

Richard was at the heart of a case where a company received a ransom note informing bosses that their firm’s emails had been hacked and the criminals had been inside their computer network for a long time and were able to access most of their clients. 

He says: “This email is trying to generate fear in the minds of the victims. They will often use five or six different social engineering techniques, like urgency, authority, fear.”

On day two, Richard and his team were able to rule out an inside job and it was not until the third day that he began negotiating with the criminals.

Richard explains: “People think if you’re negotiating, you’re going to pay them. That’s wrong – you are generating time.


“Because as soon as you hit the dark web there will often be a clock that will start ticking down. 

“Once we start to negotiate, we can often extend that time. That’s an easy one for the bad guys to concede.

“By day four we knew what they wanted – $450,000 in Bitcoin. Can we trust them? No. Because the bottom line is, they’re already extorting us. But we have to build a level of trust with these people.

“This one went on for a long time and by day 19 the ransom was down to $300,000. But we wanted assurances they were not going to attack us in the future. 

“Day 24, we were now down to $200,000. A day later, we managed to get it down to $100,000 but in this case we did not pay.

“The intelligence we had gathered about these people was enough to decide that they weren’t credible. 

“They claimed they would release certain elements of data. But when we asked for proof they weren’t able to convince me. So, I advised the company ‘I don’t think we should pay’.

“When we refused to pay, the hackers made out they had displayed company data on the web but when you clicked into it and tried to download some of the material they’d released, it was fake. 

“It wasn’t the data that was stolen, and our hunch was completely correct.”

Ransomware scene in Russia

COMPANIES paying ransoms to hackers have to beware of breaking sanctions because many ransomware groups are Russian.

Richard says: “Certain states will turn a blind eye to the activities of ransomware groups because it benefits them to carry on hacking Western countries and organisations.

“A lot of the ransomware scene, in the dark web in general, is operated within Russian-speaking countries.

“Some malware will have code written into it which says, ‘If you identify this as a Russian server or a Russian computer which is using Russian language, don’t encrypt’. 

“Once it hits a computer that it believes to be a Russian national, but it’s all Russian speaking, it won’t encrypt it.

“It just moves on and attacks another computer.”
