Negotiating in the Dark



THE ANTWERP CASE

‘The City of Antwerp is hacked.’

Although my business card says something else, when people ask what I do, I usually say: ‘Negotiating with cybercriminals.’ That’s the most clear-cut aspect of my work in cybersecurity: communicating with hackers who use ransomware to cripple a company’s network. Those hackers are always devising new ways to infiltrate networks, install malicious software, encrypt all the data, and copy it. Then they demand a ransom to reverse the encryption and not publish your data. Blackmail, pure and simple.

The targeted companies have their backs to the wall. Nothing works anymore and they have no choice but to send their staff home, suspend production and services, and have their IT personnel clock up overtime. In most cases, they soon conclude that paying the ransom is the quickest, most cost-effective – or even the only – solution. That’s when they come to me for help. As a negotiator, my job isn’t to track down cybercriminals, but to talk with them for days or even weeks. My goal is to drive down their price and figure out how they got in. Of course, giving in to the demands of unscrupulous hackers feels galling, but I do all I can to minimise the ransom demand so that most companies survive an attack unscathed.

The most notorious hacking in Flanders is probably the cyberattack on the City of Antwerp in late 2022. Whenever I strike up a conversation with someone and mention my work, I’m always asked: ‘What happened in Antwerp?’ The cyberattack on the city, and on 5 December, St Nicholas’ Eve of all nights, has lost none of its fascination, and is etched in the collective memory. The story has all the ingredients to pique the imagination: an iconic date, a major city, and a mysterious denouement about which rumours persist.

For me, this is a loaded question because frankly, ‘the Antwerp case’ still gets under my skin. At the time of the hacking, as suppliers we were closely involved with Digipolis, the city’s IT partner, responsible for an extensive range of services, from maintaining the city network to the digital development of city services. Their remit also includes cybersecurity, something Antwerp had taken particularly seriously since the Liège hacking.

Liège was hit by a ransomware attack carried out by the Ryuk group in June 2021. A Belgian metropolis was brought to a standstill for the first time. Media reports claim the city paid thirty million in ransom, which set off alarm bells in Antwerp. Cybersecurity was suddenly high up on the agenda and the city council made extra resources available to avoid a scenario like the one in Liège. With this in mind, they tasked Digipolis, their technology partner, with developing a comprehensive cybersecurity plan. The goal was clear: to reinforce the city’s digital defences and make its systems cyberattack-proof. Digipolis put out several invitations to tender, a few of which our company won. Specifically, our job was to track down and identify potential weak spots in the network. We were not involved in the operational side of things; our role was to pinpoint places where attackers could gain access. Our analysis uncovered numerous vulnerabilities, which isn’t uncommon, and something we see in many companies. Keep in mind that, like the networks of many other large cities, Antwerp’s infrastructure dates back 20 or 30 years.


Many of our clients face the same issue. They start with a small network that needs to grow rapidly without disrupting the operation of existing applications or services. Over the last 15 years, the digital transformation of city services caused the

HOW IT BEGAN

‘Geert, promise you’ll never go into electronics. If you do, you’ll give our school a bad name.’

It is curious how some moments later turn out to be tipping points, harbingers of what’s to come. As a child, I could never have imagined that one day, I’d own my own cybersecurity company, let alone spend days negotiating with cybercriminals. But there were certainly circumstances and people in my childhood that shaped me, that taught me things, that got me where I am today.

Top of the list: school. Not for the reason you might think; I still can’t write five sentences without mistakes and when it comes to maths, I don’t get numbers at all. This was partly because when I was at primary school, I spent a lot of time in hospital due to severe asthma attacks. When I was about thirteen, the attacks stopped, but I couldn’t catch up. I struggled to concentrate. Those were the days before things like ADHD were talked about, and I struggled through secondary school. Sometimes I passed, sometimes I had to repeat a year; that phase of school lasted agonisingly long. I hated every day I had to spend at school not only because I could barely cope with the subject matter, but mostly because of the constant stress of being bullied. And bullied I was, throughout my miserable school years, about something as trivial as my weight. Don’t get me wrong: there is really nothing positive to say about bullying, but it did teach me a skill that I can still put to good use: I learned to disappear. I can blend into the crowd quite easily, behave in such a way that people don’t see me. Those who don’t stand out can watch, observe people, assess what another person is thinking or will do. I trained myself to figure out people’s motives, to know what their next move would be, to wriggle out of a tricky position and not be intimidated by some bully. I don’t need to explain that this gift comes in handy when a cybercriminal hurls the vilest insults at me.

Fortunately, I grew up in a loving family, in the borough of Tervuren, in Moorsel, a small village where time stood still 45 years ago. We lived close to both my grandparents, who lived barely five houses apart. So, you can’t say my father had to venture far to find the love of his life. My sister and I spent a lot of time with them, though I mostly remember that they were hardworking people, just like my parents by the way. My father’s father had the most wonderful job: he grew and tended geraniums in all the railway stations in Brussels. When he came home, he always tapped on the window to warn us that he was coming. Then, my sister and I would hide under a cupboard or under the sofa, and he’d come and find us, making all kinds of funny noises. Those moments were wonderful, but short. Once he’d found us, we weren’t allowed to disturb him. It was drummed into us from an early age that working people were entitled to some downtime. Well, my grandfather didn’t get much time to rest, as he often went to help out on his parents’ farm after work.

My other grandfather also worked extremely hard. He worked at the post office in Tervuren until about four o’clock, after which he did odd jobs as a gardener for people in the neighbourhood. He had five children to feed, including my mother, who was not his biological daughter but whom he raised as his own.

We didn’t discover my mother’s story until recently, and it’s too good not to tell. After World War II, the Belgian army controlled part of Germany. One of the barracks was in Siegen, where my grandfather was stationed as a soldier in 1950. Once his shift was over, he’d sneak out of the barracks and go dancing at one of the town’s many bars. Landlords always welcomed him; he was the heart and soul of the party, and, in due course, a civilian suit awaited him at every bar, and he was paid to dance and encourage other customers to get onto the dancefloor. Why the civilian clothes? Because soldiers were forbidden from leaving the barracks and he didn’t want to be seen in his army uniform.

THE FIRST COMPUTERS (AND FIRST CRIMINALS)

Computers and I turned out to be a perfect match.

My first memory of a computer is one of disillusionment. I was sitting next to my grandmother when my grandfather came home with the exciting news that my father had brought a computer into the house. I cycled home as fast as I could, left my bike in the driveway, and raced into the living room. My father was bent over a device, yes, but it turned out to be a microfiche reader, a kind of overhead projector like you used to find in every classroom. My father had all kinds of microfiches full of technical drawings. When he put them on that device, it projected that drawing on the wall in full size. Pretty impressive, granted, but not nearly as impressive as a real computer. I had to wait another year for that. However, that was still quite early; most of my friends didn’t have a computer at home until much later. We had my mother to thank for that early acquisition. In the early 1990s, her employer had introduced computers into the department that usually gets the latest gadgets: accounting. My mother was chosen to test out those new programmes. She took training courses, learned the basics, and bought a computer for home use. An IBM, I remember it well. It didn’t have internet, which didn’t come until about a year later, with a modem that went through the telephone line, and it was impossible to make or answer phone calls when the computer was online. I was fascinated by that computer from the start. I wanted to know what you could do with it – not very much in the beginning – and did the back-ups of my mother’s work, taught myself the DOS operating system and, as soon as I could, installed a forerunner of a banking app so that, from then on, my mother could check the bank accounts online.

My father, despite his technical ability, avoided using the computer. Even after he saw how much quicker it was to draw up invoices with the computer, he asked my mother to prepare them for him.

Computers and I turned out to be a perfect match. So, when I started looking for a job during my final year of boarding school, I automatically looked in that direction. I got a position as a representative, ‘sales’ as it’s known today, at Trade & Training, a small firm in Wemmel. When I arrived for the job interview, the secretary, Viviane, opened the door. I was struck by her warmth and professionalism and, years later, when I started my own business, mustered up the courage to invite her to come work for me. Today, she continues to work enthusiastically and cheerfully at Secutec, but I’m getting a little ahead of myself.

During those first years, I had to sell computers and Cubic, an accounting programme that was well-known at the time. Selling those computers was easy, I knew a lot about them, but I knew absolutely nothing about accounting. This didn’t matter very much at first, because I sold computers like hot cakes. That was not due to my sales talent, but to what was known as the millennium bug. Somewhere the idea spread that computers would be unable to make the transition from 1999 to 2000; a marketing myth, of course, but one with major consequences. The last six months of 1999 saw a staggering number of computers sold.

The new century dawned, everything just kept running, and me, I wasn’t selling anything anymore. There was no point in staying in that job, so I bounced from one computer company to another, but didn’t find anything that excited me. For a while, I was even unemployed. I felt horrible about it and looked in puzzlement at the stamp card I was given. Until I landed a job at Data Alert, a distributor of McAfee, one of the largest internet security companies in the world, founded by the controversial John McAfee.

From the start, computers were plagued by viruses spread, for example, through pirated copies of programmes on floppy disks or diskettes, and later also via email. Melissa was a virus that

THE DARK WEB

Those who venture onto the dark web rarely do so with the best of intentions.

At about the same time as the internet, the dark side of this new technology emerged: the dark web, where you can now find all kinds of illicit or illegal goods and services. For a long time, the dark web was relatively unknown, and wasn’t very user-friendly, either, but by around 2005, people were becoming more aware of it. As a security company, we felt we couldn’t ignore this underworld any longer. If we wanted to understand how hackers worked, we had to venture into their world. Admittedly, my first forays onto the dark web were exciting, although at the same time I was afraid the police would turn up on my doorstep. It felt illegal, even though it isn’t. However, those who venture onto the dark web rarely do so with the best of intentions. I felt as though I was plotting some kind of illicit activity, as if I were about to embark on a life of crime, something the police would track down. It was thrilling, I freely admit, and by now it’s become something of an addiction. Every day I spend hours in that shadow world, trying to get inside the minds of the people I so often negotiate with. The better I understand the world of hackers, the stronger I am as a negotiator.

Many people are incredibly curious about that dark web, but it might not be of much use to the average person. It’s not exactly a pleasant place to hang out – you’ll encounter the ugliest side of humanity. The dark web doesn’t always follow the normal laws of doing business. Its main goal is to make a profit. Think of it as a gigantic global black market where you can buy products and services you had no idea existed, almost all of which are always illegal.

The most sold commodity is illicit drugs, which are offered by an enormous number of sellers. Pharmaceuticals are also readily available. If you dig a little deeper, you’ll also find fake passports, and everything from weapons to hitmen. In this sense, the dark web lives up to its name, offering things that reveal humanity’s darkest side. People are capable of the nastiest things. You can buy just about anything, as long as you pay. With bitcoins, that is, which is the only way to remain completely anonymous.

Meanwhile, I am used to dealing with that kind of thing. It is simply a reality.

Which doesn’t mean I’m not sometimes appalled by the scale of certain phenomena. It makes me sick thinking about human trafficking, especially when it involves children. Not just things, but even people can be bought on the dark web. For example, traffickers took advantage of the 2001 tsunami, going to the affected areas to seek out young children who had lost their families. Before you knew it, those kids were up for sale on the dark web, and no one seemed to care. It is also extremely difficult for the police to trace and break up these networks. Firstly, the dark web is built in such a way that it is practically impossible to find out who is behind certain trading platforms and secondly, these networks are often international, which means that in order to gather evidence, as an investigator you have to make agreements with all the individual countries. The unfortunate fact is that this takes ages, and the longer your investigation lasts, the smaller your chance of success. Investigators and the judiciary use entirely different weapons than cyber criminals, which the latter know all too well. There are few ethical codes on the dark web, anything goes. While investigators have to follow the rules when compiling their case files. That is what makes the fight against cybercrime so difficult.

It is almost ironic how user-friendly the various platforms have become, you can compare them to a digital marketplace like Amazon, complete with the checkout session and pay button. In this regard, the dark web has changed almost beyond recognition, and ‘customer friendliness’ is a thing there too. In 2005, the

THE RISE OF RANSOMWARE

Initially, a decade ago, hackers targeted individuals, people like you and me.

About five years after I first ventured onto the dark web, a new form of cybercrime emerged around 2010, one that changed my life forever: ransomware. A type of malware designed for just one thing: to modify and encrypt a normal file, such as a Word document. That is, it changes the file content so that it becomes unreadable. The content hasn’t been deleted and, with the right decryption key, you can reopen the file. But you only get that key after you’ve paid hackers a ransom. Compare it to kidnapping: someone is kidnapped, and the family isn’t given the victim’s whereabouts until a ransom is paid.

Your data will be lost if you don’t obtain the decryption key. In theory, it’s achievable to produce a decryption key, but on average, it would take thirty years. No one can wait that long or view that as a feasible solution.

Encryption isn’t a new concept. Long before the rise of ransomware, we were using the same technique without realising it. If you surf to your bank today, for instance, that data is encrypted. It’s exactly the same principle. You can tell if something’s encrypted by the ‘s’ behind the http. ‘S’ stands for ‘secure’, which indicates that the connection between your PC and the website to which you’re surfing is safe. The data transferred and received over a secure connection are encrypted, which makes them much harder for malicious parties to access. Suppose you were to send sensitive information such as passwords or financial data, someone intercepting this data would, in principle, be unable to do anything with it. When new technologies emerge, you can be sure that, sooner or later, they’ll pop up in the crime world. That was no different here. The business model behind that encryption was tempting: a modest investment could generate big profits, without the risk of getting caught. Not that cybercriminals always get off scot-free, but the chances of getting caught are, unfortunately, slim.

Initially, a decade ago, hackers targeted individuals, people like you and me. It wasn’t until later that they started holding companies and governments to ransom. In those early days, people unknowingly downloaded a piece of ransomware, their screen turned black instantly, and they couldn’t open their files. Then, a small file, which we’ll call the ransom note, flashed up on-screen. When you double-click it, a WordPad file opens explaining who hacked you and why. According to the notes, the hackers are well-intentioned and did it to do you a favour, to show you that your computer isn’t properly secured. But there’s a hitch – they charge money for their ‘service’.

For most people, that was quite shocking, although compared to now, the ransom demands were low. You could buy off the hackers for 200 or 300 euro. But it was a new phenomenon, even for us, and the realisation that someone could remotely lock your entire computer was frightening. What’s more, a PC often contains things people are emotionally attached to – photos of their children, music playlists, vital personal documents. And in the blink of an eye, it was all gone, as if a thief had broken into your home in the night and made off with all your personal possessions.

For many of the victims, the fact that you could only pay in cryptocurrencies was an additional stress factor. You can’t buy bitcoins from a high street bank, so this was something completely new for most people. The hackers were aware of this so, in their notes, they gave step-by-step instructions explaining where, and through which platforms, you could buy bitcoins. A sort of free tutorial kindly provided by the hackers.

What also didn’t help was that, as an ordinary person you didn’t know if you were dealing with a reliable hacker. Back then, hackers were often lone wolves who targeted hundreds of PCs at once. You then had to send the hacker a message or a file so

www.lannoo.com


TEXT
Geert Baudewijns and Liesbet Depauw

TRANSLATION
Lisa Holden

AUTHOR PHOTO
Belga Photo, Dirk Waem

© Uitgeverij Lannoo nv, Tielt, 2024 and Geert Baudewijns

ISBN 978 90 209 1956 1

D/2024/45/568

NUR 740

All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, and/or transmitted in any form or by any means, electronic, mechanical, or otherwise, without the prior written permission of the publisher.
