How an Israeli Hostage Negotiator Outsmarts Ransomware Hackers
May 2, 2025 – Published on Bloomberg
In 2015 cybercriminals targeted several currency trading companies and stole sensitive data, leaving behind a ransom note. They received a frantic response from a woman named Helena, who identified herself as a European executive from one of the companies tasked with handling the negotiations. In increasingly flustered exchanges over WhatsApp, Helena implored them to lower their price.
Unbeknownst to the hackers, the author of the texts wasn’t an executive, wasn’t a woman and wasn’t truly panicking. Behind the screen was actually Moty Cristal, a veteran Israeli hostage negotiator more accustomed to speaking to radicals from Hamas and Hezbollah than criminal gangs. Adopting the Helena persona was Cristal’s first time trying a technique that would become one of his calling cards in a decade-long stint representing global companies in hundreds of high-stakes ransomware negotiations.
Today’s leading ransomware gangs are sophisticated operations, run mostly out of Eastern Europe and Latin America, with physical offices, human resources departments and tech support. Some partner with affiliates who offer access to the malicious software on a temporary basis, a model known as ransomware-as-a-service. In recent years many hackers have shifted to a model known as “double extortion,” where they not only steal data but threaten to publish it if the company doesn’t pay, experts say.
About half of the companies that seek help dealing with ransomware gangs will ultimately pay some fee, according to negotiators. “It could be because they need access to decryption tools. It could be for data suppression,” says Mark Lance of GuidePoint Security. He acknowledges there’s a risk that extortionists won’t restore the data even after they’re paid. But, he adds, “that being said, these cybercriminal groups have a brand and reputation to uphold.”