“Give me six hours:” negotiator pleads for more time as LockBit pressures CEO at the heart of a supply chain attack


An attack by a notorious cyber gang brought a French data center to a halt. With thousands relying on its servers, the pressure was on to negotiate. An incident responder begged them to hold off. It was the right move, but it had consequences.

In the early hours of Friday, December 8th, 2023, Joseph Veigas, the CEO of Coaxis, found himself in an unenviable position: his CTO had just called, and the firm had lost access to its systems.

The data center, located in Lot-et-Garonne, in the south of France, was responsible for managing and storing data for more than 350,000 customers, ranging from medical, accounting, and agricultural firms to laboratories and law practices.


Information stored on thousands of crucial servers that Coaxis maintained included calendars, accounts, payroll systems, and legal documents.

Veigas and the CTO jumped in their cars and met on site. That’s when they found a ransom note stored as a file on their systems.

“Don't go to the police,” the note started.

And it’s this phrase that has become the title of a new documentary, financed by Orange Cyberdefense, that dissects this ransomware attack step-by-step, through the lens of its victims, police, and incident responders.

The 56-minute documentary – now available on YouTube – premiered in London on Wednesday, and Rodrigue Le Bayon, Orange’s computer emergency response team director, was on hand to provide more insight.

Incident response leader Rodrigue Le Bayon (second left) talking at the Don't Call the Police premiere in London.

The ransom note, Le Bayon adds, was in English and demanded $5 million in exchange for the decryption key that would let Coaxis unlock its clients’ files. Notorious ransomware group LockBit claimed the attack.

The message came with a link to be opened in the Tor browser, leading to a site where negotiations with the attackers could begin.

Coaxis enlisted the support of Orange Cyberdefense, which drafted in 20 employees over the weekend to manage the incident and investigate the source of the attack. The entry point turned out to be a phishing link sent to a client, who was fooled into revealing their username and password.

Buying time

The next step was to start negotiations with the attackers and pay the ransom.

“Should we get in touch with the criminals, pay the ransom, and obtain the encryption key? And if we pay, will it all stop there?” Veigas asks.

Le Bayon, who led the incident response team, was keen for Coaxis not to click on the ransom note’s link.

“Should you start a conversation with the attacker, or should you ignore him for now? It’s an important choice.”

Rodrigue Le Bayon, computer emergency response team director, Orange Cyberdefense

“I said, ‘Listen, I just need six hours, and then we can start telling you the story about what has happened,’” he adds.

Le Bayon wanted to buy time.


Security experts note that once a victim clicks an attacker’s “negotiation link,” it can trigger a countdown clock, which then puts victims under more pressure.

Example of a ransomware timer, taken from the Under Armour attack, launched by the Everest ransomware gang

According to Le Bayon, as soon as you start negotiating, the cybercriminals have the upper hand.

He explains why.

“Negotiations come down to a matter of balancing: how long will it take? How much will it cost? And that's what the cybercriminals will be weighing up, too.

“They have well-trained negotiators, and through having an initial conversation, they will get to a point where they will try to figure out how much Coaxis will pay, and we want to avoid this,” Le Bayon says.

He adds that allowing victims to open negotiations also takes the focus off alternatives.

Transparency and building up trust

To persuade Coaxis that negotiations were not the only solution, Le Bayon had to build trust with this relatively new client. His approach, he says, was to be as honest as possible and to take the CEO step by step through the processes he would follow.

“My job was to present Joseph with the facts and to help the company make decisions based on the information I was sharing with them,” he said.


During this time, Coaxis and Orange discovered they had one big advantage: the company possessed backups that were disconnected from the production systems.

“This was key,” Le Bayon says.

“The attacker never had access to them.”

This meant Coaxis had the means to restart its operations. Le Bayon explains that part of his role in the process was to advise on what was realistic.

Initially Veigas said he wanted everything back online by Monday.

“I couldn’t promise that,” Le Bayon recalls.

The security specialist established that over 2,000 clients were affected, each having specific domains and servers.

Data systems that were 25 years old would need to be rebuilt in a month.


“Joseph was shocked,” Le Bayon recalls. “It was a technical issue, but he knew the human impact.


“He told me he only had two months of cash flow and there was a prospect of 50 employees losing their jobs.”

Rodrigue Le Bayon, computer emergency response team director, Orange Cyberdefense

Despite this pressure, by Friday evening, Veigas was resolute that the company “would not get in touch with the attackers via their infrastructure and not pay the ransom.”

It was a tough decision to make, and it did not come without consequences.

Unable to write paychecks to employees a few days before Christmas, Coaxis’s clients started to panic.

“It took a lot of time before we were able to reconstruct everything. It took weeks,” says Veigas.

“Our goal was to update everyone by 31st December. It was more difficult than we thought, but we managed to construct it by January 8th.”

But LockBit wasn’t finished yet.

Violence-as-a-service

The documentary highlights how, like many legitimate companies, criminal gangs like LockBit hire different affiliates within their ecosystem for specialized “as-a-service” tasks.

Initial access brokers will usually be different people from the criminals who scope out servers or drop ransomware payloads.


Negotiation also involves a different set of people with different skills. This also extends to physical intimidation.

In Coaxis' case, LockBit decided to send a message in the form of thugs hired, Orange now suspects, via a violence-as-a-service operator.

“Violence-as-a-service” groups like The Com are often hired for drug trafficking, cyberattacks, online fraud, violent extortion, and even murder.

Three men who appeared to be employees of one of Coaxis’s clients lured the CEO into an underground car park and showed him two Kalashnikov rifles in the boot of their car.

This is what would happen, they added, if Coaxis did not pay the ransom.

Double extortion and a crisis of confidence

On top of the physical intimidation, LockBit launched a second attack the day after Christmas, threatening to leak Coaxis’ clients’ sensitive information on the dark web.

This time, the criminals sent Coaxis a note with a timer, threatening to leak the data if the $5 million was not paid within the time limit.

Le Bayon was on a family ski trip at the time and recalls trying to manage the crisis remotely.

His main challenge, he says, wasn’t the pressure of the countdown – it was his client who was starting to have doubts about Orange’s ability to manage the incident.

Veigas was not responding to Orange's calls, and emails were being ignored.

“I think he was starting to have doubts about the quality of the investigation. It took me a few days to convince him to trust me. And I was also frightened, because, in turn, I had to trust my team. That was super important,” he recalls.

Again, Coaxis was fortunate. Because it had drafted in Orange’s help at an early stage of the investigation, and Le Bayon had negotiated that extra time early on, they were able to launch surveillance on Coaxis’ networks within 48 hours of the attack.

“We knew they hadn’t been able to extract any data. LockBit was bluffing,” said Le Bayon.
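The call that LockBit was bluffing rests on egress monitoring: if no internal host pushed an unusual volume of data to external destinations, there was nothing to leak. The Python below is an added illustration of that kind of check, not code from Orange Cyberdefense, Coaxis or the documentary. It assumes per-flow byte counts are available (netflow or firewall logs), treats the RFC 1918 ranges as "internal", and uses constructed flow records and arbitrarily chosen thresholds; each host's daily egress is compared against its own earlier days rather than a fixed number, so a quiet host that suddenly ships gigabytes stands out while a busy one does not.

```python
"""Per-host egress baselining over constructed flow records.

Added illustration, not the responders' tooling. A flow is an internal
source sending bytes to a destination; only internal-to-external traffic
counts as egress. A host is flagged on a day when its egress is both above
an absolute floor and a multiple of its own mean on previous days.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from ipaddress import ip_address, ip_network
from statistics import mean

# Assumed internal address space (RFC 1918); adjust to the real estate.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


@dataclass(frozen=True)
class Flow:
    day: date
    src: str
    dst: str
    bytes_out: int


# Constructed sample: three quiet days, then host 10.0.0.5 pushes 2 GB to a
# new external address while also copying 5 GB to an internal server
# (the internal copy must be ignored by the egress check).
D1, D2, D3, D4 = (date(2023, 12, d) for d in (8, 9, 10, 11))
SAMPLE_FLOWS = [
    Flow(D1, "10.0.0.5", "203.0.113.10", 10_000_000),
    Flow(D1, "10.0.0.6", "203.0.113.10", 20_000_000),
    Flow(D2, "10.0.0.5", "203.0.113.10", 10_000_000),
    Flow(D2, "10.0.0.6", "203.0.113.10", 20_000_000),
    Flow(D3, "10.0.0.5", "203.0.113.10", 10_000_000),
    Flow(D3, "10.0.0.6", "203.0.113.10", 20_000_000),
    Flow(D4, "10.0.0.5", "198.51.100.7", 2_000_000_000),
    Flow(D4, "10.0.0.6", "203.0.113.10", 20_000_000),
    Flow(D4, "10.0.0.5", "10.0.0.9", 5_000_000_000),  # internal, not egress
]


def daily_egress(flows):
    """Sum bytes sent from internal sources to external destinations,
    keyed by (day, source host)."""
    totals = defaultdict(int)
    for f in flows:
        if is_internal(f.src) and not is_internal(f.dst):
            totals[(f.day, f.src)] += f.bytes_out
    return dict(totals)


def find_exfil_candidates(flows, ratio=5.0, min_bytes=500_000_000):
    """Flag (host, day) pairs whose egress is at least `ratio` times the
    host's mean egress on earlier days AND at least `min_bytes`.
    The absolute floor stops a host that normally sends almost nothing
    from alerting on a trivial increase."""
    by_host = defaultdict(dict)
    for (day, src), total in daily_egress(flows).items():
        by_host[src][day] = total
    alerts = []
    for src, days in by_host.items():
        ordered = sorted(days)
        for i, day in enumerate(ordered):
            history = [days[d] for d in ordered[:i]]
            if not history:
                continue  # no baseline yet for this host
            baseline = mean(history)
            today = days[day]
            if today >= min_bytes and today >= ratio * baseline:
                alerts.append({"host": src, "day": day,
                               "bytes": today, "baseline": baseline})
    return alerts


def no_exfiltration_observed(flows) -> bool:
    """True when nothing in the window exceeds its baseline: the basis for
    treating a leak threat as a bluff (subject to the coverage caveat)."""
    return not find_exfil_candidates(flows)


if __name__ == "__main__":
    for a in find_exfil_candidates(SAMPLE_FLOWS):
        print(f"{a['day']} {a['host']}: {a['bytes']:,} bytes "
              f"(baseline {a['baseline']:,.0f})")
    print("clean window:", no_exfiltration_observed(SAMPLE_FLOWS[:6]))
```

The result is only as good as the coverage of the flow source: a host whose traffic leaves through a path that is not logged, or that exfiltrated before monitoring started, will not appear in `daily_egress`, which is why getting surveillance in place early mattered so much in this case.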

Sure enough, on the day of the deadline, January 9th, the clock stopped ticking, and nothing happened.

“It was just hot air!” said Le Bayon.

“It’s important to communicate what happened”

According to Veigas, Coaxis was able to restart its operations “not without difficulty and at the cost of considerable effort” by January 8th, almost a month after the attack.

While many enterprises choose to minimize publicity around cyberattacks, Veigas believes that it’s important to communicate. There’s still so much that remains unsaid about what actually happens when a company gets hit.

“Sometimes I get asked to guarantee that clients will never have issues [with ransomware], and I tell them clearly: ‘Can you guarantee me that you won’t click on suspicious links? That you will use strong enough passwords and change them regularly? No? You can’t! So I’m compelling you to do this.’”

Joseph Veigas, CEO of French data center, Coaxis.

*As told to Cybernews at an Orange Cyberdefense event on Wednesday at BAFTA in London.
