Exchange offers lessons -- and reads like something out of a movie

The FBI/Symantec attempt to sting a hacker who had source code raises some interesting questions: Why would a company pay ransom to get back electronic information? It’s so easy to copy the data that there’s no way the bad guys haven’t done it. So paying a ransom pretty much just guarantees you’ll get shaken down again. So how dumb would you have to be to do this? And how dumb would you have to be to think your victim would do this?

The email exchanges between the FBI agent posing as Symantec employee Sam Thomas and the hacker who goes by the name of YamaTough offer some interesting insight into all this. (As well as letting us see a real negotiation between the cops and the bad guys.)

First the FBI asks YamaTough to send some sample files but “Because our email system strips large attachments, send sample files to this address …” The Gmail address won’t take those files either – which I’m figuring the FBI knew – so they ask for the weekend to figure out a way to get the files.

“Give us through the weekend to figure out how to get these from you. We don’t want these docs posted on a public site.”

The agency then says it is trying to set up a secure FTP site, which YamaTough has trouble believing: “If you are trying to trace with the ftp trick it’s just worthless.” The two sides go around on this issue for a while. The FBI is clearly playing for time but being on hold is as irritating for a hacker as it is for anyone else, so YamaTough eventually writes:

“If we dont hear from you in 30m we make an official announcement and put your code on sale at auction terms. We have many people who are willing to get your code”

Eventually YamaTough asks for $50,000 and the FBI gives them a classic bit of corporate runaround:

“We are really trying to work with you but we can’t meet all the deadlines that you keep throwing at us. We need approvals by a lot of people who all have different opinions.”
“This is the first time we’ve heard of Liberty Reserve and we are hesitant to just wire money straight to an offshore account. Finance is asking us what offshore account it is and also how we could make a payment through liberty reserve. Send us that info to give to them. If they shoot these options down, do you have any other ways to accept your payment?”

They then propose using PayPal (maybe this was a test to see how stupid the hackers really are):

“We’ve been looking into Liberty Reserve. Looks like we have to use an exchanger to get money into our Liberty Reserve account. This is more complicated than we expected. Our plan was to get you $1,000 by the end of the week as a test and a sign of good faith but we don’t know if we can make this work that quickly through Liberty Reserve. We’ve used paypal numerous times and we know how it works. We can definitely send you $1,000 by the end of the week through paypal”

The FBI – like everyone else in the corporate world – goes to great lengths to blame the delays on Finance. The hackers clearly have some experience with corporate life because they believe the excuses:

“No offence, nobody’s trying to give you a hard time. We have a clear understanding on how things work inside corp environment. Do not send us any money (we do not use paypal period) do not send us any 1k etc. We can wait till we agree on final amount. Please confirm that you received this message so we are not anxious.”

It’s a strangely solicitous message to get from a blackmailer but even they have their limits. Finally they sent out this:

“SO – you told us a week ago that you’ve being requesting a response from Fin dprtmnt. We got no answer for the below question so far: ?How much do you consider ENOUGH to pay us in order to work all the issues out? Name the price, Clock’s tikin”

By this point the hackers clearly think the FBI is involved (“Say hi to FBI agents”) but not that the FBI is running the entire operation.
The agents deny this, naturally, and then try to extend the discussion further by offering another plan:

“We can’t pay you $50,000 at once for the reasons we discussed previously. We can pay you $2,500 per month for the first three months. In exchange, you will make a public statement on behalf of your group that you lied about the hack (as you previously stated). Once that’s done, we will pay the rest of the $50,000 to your account and you can take it all out at once. That should solve your problem.”

My favorite moment in the whole exchange is when the hackers try to explain that they are people of honor.

“We have a rule – and we always follow it: If you are the owner – you have the right to be the first one asked. That is why we kept silent at the time of negotiating with you. We stick to the word given and nothing is going to happen to the code if we complete the deal. Were we not that way we would have already sold your code to that willing many.”

Did they get this from the movies?

There are at least two lessons to be learned from this:

Hackers aren’t always as smart as you or they think they are.

You’re even stupider than they are if you think you can buy them off.