• Marc Bleicher, managing director at a cybersecurity consulting firm Arete Incident Response, helps companies deal with ransomware.
• He has given CNBC a rare and exclusive look inside a shadowy world where American companies find themselves paying millions of dollars to known criminals.
• According to a report by Chainalysis, the total amount paid by ransomware victims increased by 311% in 2020 to reach nearly $350 million worth of cryptocurrency.

Marc Bleicher is a hostage negotiator — but he's not trying to rescue human hostages, he's trying to rescue data.

Bleicher, managing director at cybersecurity consulting firm Arete Incident Response, is a specialist who helps companies deal with ransomware — the type of cyberattack in which hackers lock up a company's computers and then demand payment to undo the encryption.

He has given CNBC a rare and exclusive look inside a shadowy world where American companies find themselves paying millions of dollars to known criminals.

It's a corner of the criminal underworld that has seen explosive growth. According to a report by Chainalysis, the total amount paid by ransomware victims increased by 336% in 2020 to reach nearly $370 million worth of cryptocurrency.

And some big players are scoring huge gains: The report found the digital hostage-takers are dominated by large players who are raking in millions of dollars a year. Just 199 cryptocurrency deposit addresses receive 80 percent of all funds sent by ransomware addresses in 2020, Chainalysis found.

All those payments have created an underground marketplace where criminals and their victims in corporate America must come together to reach terms and exchange funds.

Ransomware has bedeviled small and large companies alike and is causing increasingly costly shutdowns at county governments, schools and even hospitals. In June, for example, Magellan Health announced it had been hit by an attack that ultimately impacted more than 300,000 people. The Clark County, Nevada, school district revealed an attack in August that may have exposed student data. And in July, the city of Lafayette, Colorado, paid a $45,000 ransom to regain control of its systems. 

Call it the extortion economy

Bleicher is a middleman in that economy, frequently finding himself with his fingers on a keyboard negotiating directly with the bad guys. He's also the person to send the payments when companies decide they have to pay the ransom.

"Some clients are extremely angry," he told CNBC. "A lot of these victims are also in shock." But they all share one goal, he added: "to make the bleeding stop and make this go away as quickly as possible."

 Bleicher said he has overseen the payment of hundreds of millions of corporate dollars to criminal hackers, and that he is seeing ransom demands growing larger and larger. One hacker recently demanded $70 million from one of his clients, although he said the client found a way not to pay. But he explained that even ransom demands that high are almost always negotiable. 

The heist

 The ransom note, like everything else in this business, is digital. "Your network has been infected!" blares the warning from a recent ransom note Bleicher shared with CNBC. "Follow the directions below but remember you don't have much time."

The note featured a countdown clock, laid out a price, and warned: "If you do not pay on time, the price will be doubled." In this case, the hackers demanded payments in monero, a particularly hard to trace cryptocurrency favored by the hackers.

 In another real ransom note shared by Arete, the hackers said: "To unlock files you need to pay 3.8 bitcoin" — that's the equivalent of more than $200,000. "To confirm our honest intentions, we will unlock two files for free."

 It's alarming but persuasive warnings like these that are forcing companies to make the agonizing decision to ignore the FBI's warnings not to pay off the hackers. "Paying the ransom is always, always the last resort," Bleicher said.

But for many companies, this is an existential threat. "I think at the end of the day that even, you know, the FBI would agree that some of these organizations really don't have any other options if they don't want to lose their business." 

The negotiation

The haggling takes place in a chat room on the dark web. Belicher said he doesn't know who's on the other side of his screen, but they already know a lot about his clients. For publicly traded companies, the hackers know annual revenues and calculate a ransom demand from there.

And the hackers have total visibility into the organization: "They may have access to that company's financials from being inside their network," Bleicher said.

But it's not just size that sets price — it's the sensitivity of the data: "That 10-person law firm may have, you know, politicians as clients, and therefore that ransom may be extremely high versus, you may have a Fortune 50 company where the ransom is lower, and because they only got to a certain portion of their data."

Bleicher didn't want to go into detail about how he negotiates. But an official at another cybersecurity firm, who spoke on condition of anonymity in order not to draw undue attention from hackers, offered some insight. "We create fake profiles, so they don't know they are dealing with professional negotiators," the official told CNBC. "The profiles are usually midlevel employees, allowing us to delay and go back to a manager for approvals."

And even as the negotiation is going on, the official said, the cybersecurity firm's goal may be to delay long enough to conduct an investigation or to extract information from the hackers about what they have and how much they know. "In some cases, we've been able to get full directory listings during the negotiations without paying," the official said. "Which helps us understand what systems the attacker has access to."

 Jason Kotler, founder and CEO of a cyber-negotiation company called Cypfer, said the criminals know what to expect. "They expect a negotiation," he said. "For billion dollar companies, they expect multimillion dollar payments." There's even something of an industry standard: "It's roughly a percentage of their published net revenues — a half a percent for billion dollar companies."

 "I wish I wasn't in the business I'm in," Kotler said. "It's really war. This is warfare." 

The bad guys

 Sometimes warfare is not just a metaphor. Bleicher said companies can get comfortable with paying off crooks — but they don't want to pay terrorists or run afoul of US or Western sanctions. So the most important thing his company does is check with the U.S. Treasury's Office of Foreign Assets Control to see if the entities they are paying have any connection to known sanctioned organizations.

The goal is to make sure the victim companies don't accidentally break U.S. or European laws. The challenge is that on the dark web you can't always know for sure who you're dealing with. The North Korean military, Iranian intelligence and Russian oligarch connected cybercriminals are all vigorously involved in ransomware attacks.

 In February, for example, the Department of Justice unsealed charges against three North Korean programmers alleging that they participated in a wide-ranging criminal conspiracy to conduct a series of destructive cyberattacks and to steal and extort more than $1.3 billion of money and cryptocurrency from financial institutions and companies.

 The U.S. said the three men, Jon Chang Hyok, 31, Kim Il, 27 and Park Jin Hyok, 36, were members of an elite hacking unit of the North Korean military intelligence organization known as the Reconnaissance General Bureau. The U.S. charged the men with creating the destructive WannaCry 2.0 ransomware software in 2017 and "the extortion and attempted extortion of victim companies from 2017 through 2020 involving the theft of sensitive data."

 In late 2019, the U.S. government indicted the Lamborghini-driving Russian leader of a hacking group calling itself "Evil Corp," and the FBI announced a reward of up  to $5 million for information leading to the arrest or conviction of Maksim Yakubets, 32, of Moscow. It was the largest such offer for a cybercriminal so far. The government said versions of the malware designed by Evil Corp helped criminals install ransomware.

 At the same time British authorities released a trove of videos and social media postings by Yakubets and other alleged members of Evil Corp doing doughnuts in expensive sports cars on Moscow streets, posing with large amounts of cash and even cuddling up with a pet lion cub.

 Inevitably, it would seem, at least some American corporate funds are being transferred directly into the cryptocurrency wallets of America's enemies. 

The payoff

 But here's the good news, at least for American corporate leaders: Bleicher said there is honor among thieves. When companies pay the ransoms, the criminals almost always live up to their end of the deal. In fact, their business model depends on developing a reputation for reliability.

If they don't release the data for one victim, the next target may decide not to pay at all. And once they send the cryptocurrency to the bad guys, the hackers move quickly: "Nine times out of 10 you can expect delivery of the decryption key within 24 hours or less."

 Bleicher's firm Arete has been able to develop striking detail on the ransomware problem across corporate America. For example, they've determined that the RYUK malware extracts the highest fees: an average payment of more than $1.2 million, while the MAZE malware extracts payments averaging over $923,000. Other malware variants lead to payments that are fractions of the most damaging strains.

 And they see that payment sizes vary dramatically among industries. Health care paid an average ransom of $140,000, while financial firms paid an average of $210,000. But the biggest punch was to the technology, engineering and telecommunications sector, where average payments are over $1 million.

 With payouts like those it's clear the extortion economy, unfortunately, is booming.

Correction: An earlier version misidentified Bleicher's firm's name. It is Arete Incident Response.