DOJ investigates ex-ransomware negotiator over extortion kickbacks

An ex-ransomware negotiator is under criminal investigation by the Department of Justice for allegedly working with ransomware gangs to profit from extortion payment deals.

The suspect is a former employee of DigitalMint, a Chicago-based incident response and digital asset services company that specializes in ransomware negotiation and facilitating cryptocurrency payments to receive a decryptor or prevent stolen data from being publicly released. The company claims to have conducted over 2,000 ransomware negotiations since 2017.

Bloomberg first reported that the DOJ is investigating whether the suspect worked with ransomware gangs to negotiate payments, then allegedly received a cut of the ransom that was charged to the customer.

DigitalMint confirmed that one of its former employees is under criminal investigation and informed BleepingComputer that it terminated the employee after learning of the alleged conduct. The company says that it is not the target of the investigation.

“We acted swiftly to protect our clients and have been cooperating with law enforcement,” said Jonathan Solomon, CEO of DigitalMint, in a statement shared with BleepingComputer.

“Trust is earned every day. As soon as we were able, we began communicating the facts to affected stakeholders,” added Marc Grens, DigitalMint’s president.

DigitalMint would not respond to further questions from BleepingComputer, such as whether the suspect had been arrested, citing that the investigation was still ongoing.

Some law and insurance firms have reportedly warned clients this week against using DigitalMint while the investigation is ongoing.

The DOJ declined to comment when Bloomberg contacted it earlier this week. BleepingComputer contacted the FBI to confirm the story, but the bureau likewise declined to comment.

Profiting from crime

A 2019 report by ProPublica revealed that some U.S. data recovery firms were found to secretly pay ransomware gangs while charging clients for data restoration services, without disclosing that payments were made to the attackers.

These ransomware payments, though, were significantly lower, ranging from thousands to hundreds of thousands, compared to the multi-million-dollar ransom payments that companies make today.

Some ransomware operations, such as GandCrab and REvil, created special discount codes and chat interfaces specifically designed for these types of firms to receive a discount on the ransom demand.

Bill Siegel, CEO of ransomware negotiation firm Coveware, told BleepingComputer that business models that do not utilize a fixed-fee structure lend themselves to this type of potential abuse.

“Business models that are financially incentivized towards larger transaction volume and higher transaction size do NOT fit within the incident response industry,” Siegel told BleepingComputer.

“This moral hazard has been present for years and has manifested itself several times, but it’s always the same underlying issue. If an intermediary earns a large fixed percentage of a ransom, objective advice is not going to follow.”

Siegel further states that paying a ransom demand is often the wrong decision for any company, which can be challenging to communicate to a company dealing with a ransomware attack.
