THEOS Cybernova
THEOS CyberNova is a cutting-edge podcast that explores the dynamic world of cybersecurity, hosted by THEOS Cyber CEO Paul Jackson.
Each episode delves into the latest trends, challenges, and innovations shaping the cybersecurity landscape, featuring insights from industry experts, thought leaders, and technologists. Paul brings his expertise and passion for cyber security to engaging discussions on topics ranging from emerging threats and data privacy to the future of AI in cyber defense.
Whether you're a professional in the field or simply curious about staying safe in the digital age, THEOS CyberNova offers an invaluable insight into the world of cybersecurity.
THEOS Cybernova
Geert Baudewijns: Inside Ransomware Negotiations and the Ethics of Paying
What really happens when a company negotiates with ransomware groups?
In this episode of THEOS Cybernova, Paul Jackson speaks with Geert Baudewijns, founder of Secutec and a veteran ransomware negotiator with over 500 real-world cases. Geert explains how ransomware negotiations actually work, from verifying stolen data and confirming the real threat actor to understanding payment dynamics and insurance involvement.
He challenges common myths, including whether attackers remain inside networks after encryption and why some victims end up paying the wrong criminal group. A practical, experience-led look at ransomware negotiation grounded in real incidents, essential for security leaders and incident response teams.
Production Credits:
Presented by: Paul Jackson
Studio Engineer & Editor: Roy D'Monte
Executive Producers: Paul Jackson and Ian Carless
Co-produced by: Theos Cyber and W4 Podcast Studio
This week on the Theo Cybernova podcast.
SPEAKER_00:There is one big rule: no emotions in this kind of deals, because otherwise there is no deal. In my full career, I did more than 550 negotiations, and as I said, the most beautiful job there is. That's fascinating myself to know at which moment they decided to say, and now I'm going from the right way on the other way, and I'm becoming a criminal. A cyber criminal will never take the risk to be to still be on that network. From the moment you are encrypted, they are gone. You would be surprised to see how many victims pay 50 or 100,000 USD, and then they don't hear anything anymore.
SPEAKER_01:The Theos Cybernova Podcast, hosted by Paul Jackson.
SPEAKER_02:Welcome to another episode of Theos Cybernova Podcast. Today I'm in Kuala Lumpa at the RISE Underground Economy event run by Team Cymru, and one of the speakers at the conference was the amazing Heat, and I'm not even going to try and pronounce your surname here, but uh Heat, as you're about to hear, has a very interesting angle on the whole cybercrime ecosystem. And so thank you very much for joining me today here in Kuala Lumpa Heat. It's my pleasure. Yes, it's uh uh you're far away from your home country of Belgium, right?
SPEAKER_00:Indeed, I'm from Belgium, Antwerp, uh the most beautiful city, better than the UK.
SPEAKER_02:Well, I'm I've lived out in Asia for 37 years, so I'm not going to argue about that. Well, I'll I'll I'll try and convince you one of these days. But here, do you during your amazing presentation yesterday, you described your job as the most brilliant job in the world. Why did you say that?
SPEAKER_00:Well, for me, it's the most satisfying job there is. In my case, I deal around three to six negotiations each uh each week. And it means that being the bridge between a victim and a cyber criminal makes myself being in a unique position for uh for the victim. And it's very addicting. And addicting is sometimes a wrong word, but here in my case, uh it's the real it's a real world uh word. It's very addicting to see how companies with sometimes 10, 15, 20,000 people, uh, where the CEO has a lot of people who are listening to him, that you see that he's following you every step that you mention that he has to do, that he's doing that. And at the end, uh, after a successful negotiation, to see that those people are so grateful about everything that you did and your expertise that changed their life, or in in many cases, that's what they say: that they say due to the fact that you were there and that you were able to help us with your advice, we are still there as a company and we survived. And even in some cases, we see men or women from 50-55 years old after an incident and where everything ends positive, that they are crying. Wow. Yeah, it's it's incredible to see, and that makes it the most beautiful job there is.
SPEAKER_02:That's incredible because you're also dealing with the dark side, because you nigga uh, you know, just to be clear to the audience, um, Heat is a negotiator between the criminal or threat actor groups in the cybercrime world who are usually ransomware type incidents, uh, and the victims, of course. You know, helping them to understand what has happened, and we'll talk more about this obviously as we go through, to understand what has happened during an incident and to also try to get out of their predicament in the best possible position. You know, in other words, they may have to pay, they may not, but your role is to uh understand exactly what has happened, and and we'll we'll unravel that as we go through this podcast. I'm really looking forward to this, by the way. Your presentation yesterday was fabulous. But before we kick off in into the nitty-gritty of dealing with the murky underground world of the criminals, um how on earth did you get into this here?
SPEAKER_00:I mean, well, what's your story? Well, my first um so I started my career working for, let's say, the most crazy man in cybersecurity. So uh I worked for John McAfee. Uh oh, yes, that's the uh he'll take some beating. Indeed. So it's a very long time ago. It was in the 90s. There I started my career, and in 2016 I had my first case with my uncle, who was uh ransomed, and um he had some ransomware on his PC. At that time, it was just for normal people. They were not uh hacking uh companies with ransomware, they were just there to ransom your computer and all the pictures of you and your kids. So the the guy told me, Yeah, we have to pay. I said, It's the most stupid thing you can do. They will never give us anything, even if we pay. He said, No, no, I don't have any other opportunity or option. So we need to pay. I said, Look, we are not going to do that. That's stupid. So he said, if you're not helping me, then somebody else has to do it, but I'm going to pay. So that was my first Bitcoin wallet I created at that moment. I hope you bought quite a few bitcoins at that time. Well, let's say that today I do around four to eight million euros of bitcoins each year. And then you have to know those are just the official amounts we do for amounts under 2 million US dollars. Everything above, we are not able, we we are doing that through another another party. That was the the first case, and we paid. And suddenly, two hours later, we received the keys, and I was surprised, I was very surprised. And then a week later I had a second case, and the second case was pretty much the same. So I said, We are not going to pay. I mean, so she the second victim asked me, and did you do that already? I said, Yeah, once last week. And then she said, Yeah, but don't we do it again? I said, No, I mean we had a lot of luck the first time. They will never do that. And then we did it, and again, uh, one hour later we received the keys and and we were able to unlock the systems. That was 2016. Today we are uh 2025. Today we do or I do around three to six negotiations each week. In my full career, I did more than 550 negotiations, and as I said, the most beautiful job there is. Tell us a little bit about your company, because uh it is have I pronounced it right, Secure Tech?
SPEAKER_02:Yeah, SecureTech. SecureTech. S-E-C-U-T-E-C for anybody who wants to. Well, hopefully the audience aren't in that kind of predicament, but if you ever are, then obviously Secure Tech is the company to look for. Is this all you provide? Uh ransomware? No, no. So it may be very strange. It's my hobby that I do. It's a hobby. Negotiating with criminals is a hobby.
SPEAKER_00:Yeah, you cannot ask it to do the to your staff members to do this because there is a lot of money involved, and yeah, criminals they try to manipulate you so that you are working for them. Due to the fact there is so much money involved, I will never take the risk. So this is something I do alone, or it's just me, myself, and I. But Secutech is 20 years old, uh, 110 people all over the world. And what we do is we are a very atypical cybersecurity company. So most cybersecurity companies, and they're doing that very well, they are implementing cybersecurity solutions, they are installing that, they are giving a bit of maintenance on that and support. Those are the things we don't do anymore. We did that in the past, but today we are really in the world of threat intel. We are every day on the red line or at the other side of the red line, where we try to communicate with cybercriminals, not only for ransomware, but also to receive information from things they were able to steal, like password, cookies, like credit cards, for example. So that's what we do. We are on the dark net, we are looking for all the marketplaces what we are able to find and which could be interesting for our customers. And then we contact the customers saying we have found this and this, um, and then we go on that market to try to negotiate and to buy those things or to steal some things.
SPEAKER_02:It's that's really interesting. And uh I'll dig into that a little bit later because obviously, you know, Theos, the company that I work for, we get involved in investigations, right? We're a crisis management company, we deal with incident response, very, you know, sophisticated investigations, but we don't do what you do, right? And I think that's very important. I think, you know, where it comes to negotiations with the threat actors, we distance ourselves a little bit from that component. We focus on finding out the root cause, understanding what's happened, what is, you know, what is at risk, what data has been exfiltrated, etc. Now I've seen some of other companies who do incident response, they also now have realized they can monetize the negotiation piece, and therefore they also include that component as part of their response services. What are your views on that?
SPEAKER_00:I don't believe in that. You really need to be independent. First of all, as I said, this is something you cannot trust to an employee. Each week during my negotiations, there is a certain point that's how I do it. At a certain point, I will say to the criminals that I work as a negotiator. Every time you see that they try to manipulate yourself on and going from the official channel they have created to communicate to a talks channel. For those who don't know TOX, TOX is the WhatsApp for criminals. And then you go in that talks channel and then you have a completely different voice that you receive from them. They are polite, they are they try to be your best friend to manipulate yourself. And one of the things they always try is to say, okay, what is the maximum budget of your customer? So if you have, for example, the customer who says you have 300,000 US dollars is the max I can pay. That's also what I said in the previous channels against the hackers, and then they say, but if you're able to make 400, then we are willing to give you 20% on the delta. So it means on the 100,000 extra you will receive 20%. So that's a lot of money. If you would imagine the fact that an employee who has a normal job in your company would be offered this proposition, I can imagine, and we have seen that in the past with other cybersecurity companies that they came in serious trouble because they did that. And we had in in France we had uh examples of negotiators who were doing the same and who had this issue, and yeah, they were they are in jail for the moment. So, this is something, even if it's the most beautiful job in the world, you need to do it on a serious base and keep it like it is as one job. And don't combine or don't try to combine two or three jobs together. But even you will know that if you do the incident response, it's a very stressy job because you need to work at least 12 to 14 hours in one in at least. Yes, and this will never change. So we if you have on top the function of being the negotiator where you need to be very calm, well, those two things they don't go together. But again, that's my opinion, and who am I to say?
SPEAKER_02:No, I I entirely agree, because as you know here, I'm a former police officer, and of course, in the police we had the negotiation card, we would call it, and they were separate, of course, from the investigation team, and it makes perfect sense that you have people who are experts at dealing with criminals, obviously a different kind of negotiation, kidnap, etc. But the similarities are there, right?
SPEAKER_00:And and even if you're involved in the in the negotiation and in the investigation part, I mean as an incident response, you really need to be keen or clean and and to be able to say this is not my job, because they are really two separate, separate jobs. One has nothing to see with the other.
SPEAKER_02:And and you know, I love the ethics that you're you're talking about here, because I can easily see how corruptible it could be when you're talking about such large sums of money, and I I could absolutely believe that the criminals will try and buy off the negotiator to gain gain an advantage.
SPEAKER_00:In many cases, I received a question that they uh that people are saying, why didn't you go to the other side? It's very easy. I mean, I have a very beautiful life in Belgium, I have six kids, um, we have a company of 110 people. Why would I risk to do this and lose everything? I mean, makes no sense.
SPEAKER_02:And I can kind of understand why you're a good negotiator now if you have six kids. But uh, let's talk a little bit about the criminals, um, because obviously we're seeing the rise, uh, certainly from our point of view, of the threat actors who buy, you know, the ransomware as a service. So the the major players, the big organized crime groups, the ones sophisticated ones, they will sell the tools that they have been using to other criminals on the underground, right? So, how do you differentiate between those really sophisticated organized crime groups and those chances, if you like, that pick up these ransomware tools, they buy them, and they they try their luck?
SPEAKER_00:Well, first of all, you have two kinds of criminals: you have the amateurs and you have professionals. It's a total different world. If you talk with an amateur, they are those talks are going much further and is longer. It's professionals, it's always business talk. It's like a business. But with an amateur, you can talk about the kids. You have to know that once you are going into a negotiation, a good negotiation, you have to feel when you need to go faster and when you need to go slow. And this is what we try to do, and to make a band. You really you need to make a good band between the cyber criminal and yourself as a negotiator. Even if this is a little bit weird of saying that you need a good understanding with the criminal, it is really important. You need to have both mutual respect because you're not able to make a good deal if there is not a mutual respect between both parties.
SPEAKER_02:And that's fascinating. A respect between an ethical person and a criminal group.
SPEAKER_00:Yeah. And yeah, it exists, right? It exists, and if you, as a negotiator, uh are doing your job on a proper way by doing and doing your checks, double checks, sometimes triple check, well, you know that there will be no surprises, especially when at a certain point you say that you are a negotiator, they will never take any risk with the negotiator. Because they know that in several cases that uh after two or three days I said uh that they are saying to me, if you don't pay, we will do this, this, and this. And if you pay, we will do what we promised. That I say, I know. Two weeks ago I was also negotiating with you, and that they are asking at that moment, and who was the victim? Now you need to be sure that you did two weeks ago that negotiation, otherwise you're losing everything. That you say that was the victim, and then you receive a total different call. Then that moment they they say, Okay, let's go to a talks channel, and then you have a total different talk with those criminals, and then you are their best friend, and that's when you they are trying to manipulate, they are offering you money, and even afterwards, if if you made a deal, they are asking you to come back to that talks channel to make uh that they say okay, we have five or six other victims, but they are not responding. Uh, you, as an official negotiator, are you able to contact them and say that we are doing what we promised to do and that you have the proof that it's it's working. We are never doing that. I mean, I'm not going to contact a victim saying that I had contact with the criminal and that uh he's willing to do a good deal. I mean, that's not my job. The only thing we do is we give that kind of information to law enforcement and they have to contact the victim, but we will never do that.
SPEAKER_02:I'm gonna play devil's advocate here because uh, you know, you keep mentioning about uh, you know, the need for ethics and uh you know the criminals will try and manipulate you. How would we know? Because honestly, you know, all the client sees is the end result, right? The amount they have to pay. How do we know that you here are not taking, you know, your 20% of or how would we know that any other cybersecurity company, at the end of the day, it's all invisible, isn't it? So how do we trust?
SPEAKER_00:How do we know? Well, first of all, it's not invisible. A lot of people think that due to the fact that you are paying with bitcoins, that everything is anonymously. But that's really not the case. You are perfectly able, or we are perfectly able to follow the money until the exchange where they are changing the bitcoins against US dollars or euros, whatever. So we are perfectly able to follow them. The only problem is the exchange where they are exchanging their money again. Well, if those are in countries where they are not exchanging anything, then you know that you're screwed and you will never receive the name on which account that money was gone. But knowing what is happening, or if another cybersecurity company would do that, you will never know it, that's for sure. So you just cannot take the risk. Yeah, agreed. Yeah, because you'll never know if they're taking a backhander. No, no. So yeah, that's that's difficult for clients. The most important thing is when you go into a negotiation, as a negotiator, you don't have anything to lose. There is no emotion. If they are hard against you, well, I'm just even as hard as they are against them. And that's the only way. I mean, that's typical. Professional will never threaten me or say uh bad things about me. Amateurs, they are doing that. That's very, you know, an amateur is the the person who has the initial access of your network, but he's also the same person who's going to hack your network, who is in some cases going to exfiltrate your data, and he's also going to do the negotiation. He's the same guy who's doing everything. That's an amateur. The problem is, in most cases, he's more technical than a good negotiator. So in my case, it makes my job difficult. But again, if they are threatening me, well, I just do the same. And again, there is only one way to have a good deal, it's to have the mutual respect. And if that's not the case, there will be no deal. And if for me, I mean, emotions, there is one big rule: no emotions in this kind of deals, because otherwise there is no deal. And this is what we see in many cases. They they try to manipulate you with emotional things. I don't care.
SPEAKER_02:I mean, okay, let's talk about the negotiation side because you are the author of the amazing book, although I haven't read it yet, but I believe it's going to be amazing. Thank you for this gift, by the way. Negotiating in the dark. How millions are lost every day to cyber criminals and their networks. I mean, this should be a bestseller. This should be top of Amazon. I mean, no. No, I'm really looking forward to reading it, and thank you so much. And obviously, uh, I'm sure our listeners are enjoying this, and we'll put a link to the book in the release. So let's talk about the negotiation because, right, I'm a victim client, I've just been hit by ransomware. Why should I negotiate with the threat actors, with the criminals?
SPEAKER_00:Well, that's already some sensible thing, because in many cases, first of all, you need to know it's not the victim that's going to call me. In 90% of the cases, it's the insurance company who's going to call me. An insurance company will never take any risk, and they are always involving a negotiator in that deal. Just to know, to be able to make an economical risk analyze to see what the total damage would cost them. And that's for us as a negotiator, I mean, much. More easy, first of all, it's our daily job. And secondly, yeah, due to the fact that we have access with the criminals, that first we will ask them what they have. And that's our first job to go and to do some scouting, to see what they want. And then we can go into a negotiation. But a lot of customers are afraid about the word negotiating because it means that you are going to pay. And in many cases, they say the first 24 hours, they say, we will not pay. We're not going to pay criminals. And then my response is with all respect, I that's a good that's a good way. I mean, every dollar that you put in a criminal system is a bad dollar. It just makes them more it will make them better and more sophisticated. And it will incentivize them to do more. Yeah, indeed. So but in in most of the cases, I mean, there is no other way. And believe it or not, if there would be another way, we will always choose the other way and not to pay. But it's there is nothing more bad to explain to a customer who has lost everything and he really has nothing anymore from data to go to there and to say, Yeah, but the ethics is that we are not able to pay. You may not pay. If you're saying those things against a victim, that's not the things that he wants to hear at that moment. He needs somebody with experience who's going to help him to solve that situation. And if it's by paying, then it will be by paying. If it's doing another action, it will be by doing other actions. But the most important thing is to be there to support your customer and not to sell drama. Because this is also something that we see in a lot of cases. If you are hit by a ransomware, you will see that your general IT staff, they are very surprised. They will be in shock. And then you will see that other people in your company who has nothing to do with cybercrime or with IT will profilate themselves as the experts to the CEO and to the board of directors. And you will see that there will be a lot of information which they are going to send because that's the moment they are going to promote themselves. That's really a big problem. I mean, keep it in a simple way, keep it in a in a small group of persons and deal the crisis in a small group. That will help you, and that will limit the drama. And because you really don't need drama at that moment. You really need good advice, clear steps, and then you will be help, and there will be no problem to solve this issue.
SPEAKER_02:Okay, so you know, as an investigator, right, we often view the negotiation as an opportunity to delay things, you know, to give you more time to assess the impact. And I know you've brought up a lot of different angles in your presentation yesterday that I hadn't really considered, but I do think that the you know the beginning negotiations or the conversation does help you to buy time.
SPEAKER_00:Indeed. And in many cases, that's the first thing where a customer says is because they are all afraid that the hackers are still on your network. It's incredible to see. Those are always the first questions, yeah, but they may be still on your network. Those are the fake experts who are saying that. Those are the experts who have a theoretical background, but they don't have the expertise. Believe it or not, and believe me, they will never take the risk. A cyber criminal will never take the risk to be to still be on that network. From the moment you are encrypted, they are gone. They will never come back to try to see how far you are into your rebuilding part of your network. They don't take any risk. So that's also something of the myth. Where people are believing that they are still monitoring every step that you are doing, they don't do that. They are gone.
SPEAKER_02:But to play devil's advocate again, though, um, because obviously we do come in and investigate, but you know, I don't think companies can take the risk that there won't be somebody in their network. Because don't forget, if if they if there was a gap or a vulnerability that had been exploited, then other groups may also be trying. So I think it's incumbent upon us as investigators to ensure that the root cause is identified, fixed, and that they they have correct security moving forward. And I I agree with you, uh, you know, uh all of the ransomware groups they just want to get their money, right? So they encrypted and stolen data, so the double whammy of first of all trying to extort you to uh unlock the data, and secondly to not expose the stolen data, right? Yeah, correct. Yeah. So how do you, you know, when you're negotiating, because here's the other thing, right, that you mentioned yesterday is that when uh a company has been hit by ransomware, they are put on the naughty list, right? They are put on the shame The Wall of Shame, yeah. The wall of shame, which lists companies that they've hit, you know, to try and incentivize them or push them to pay, because nobody wants to be on that wall of shame. But then other you you mentioned yesterday other criminal groups see that and then they start to contact the victims, pretending that they were the ones, the threat actor group that actually hacked them. And sometimes the the victims will pay the wrong criminals?
SPEAKER_00:Indeed, correct. So that's one of the first jobs we have. It's to see if we are talking to the right criminals. We need proof of that because once you are on the wall of shame, you have other criminals who are contacting you directly, and they are not afraid of taking a phone call. A real cyber criminal will never call you. That's first of all. They call you and they say, hey, if you want now for six or seven days, let's make a quick deal, a good deal for 50 or 100,000 US dollars. Would you pay it immediately by bitcoins? And today, later on today, you're free, we will give you the keys. And you would be surprised to see how many victims are taking that risk and they pay 50 or 100,000 US dollars. And then yeah, they don't hear anything anymore. Well, it's logic because you're not paying the right criminals. So those are the stories where you hear that people say, Yeah, but you're not sure that if you pay something, you will receive your information. Well, theoretically, you're correct. In practice, if you are using a good negotiator, you will never have this case. Never. So you're telling me that in every single negotiation you've always got the keys. Yes. Until now, so I did more than 550 negotiations, we always received everything.
SPEAKER_02:That's interesting, because that's the question I always get asked. If we pay, what are the chances of getting the keys?
SPEAKER_00:Well, first of all, every negotiator has his techniques. That's logic. For me, the fact of explaining at a certain point that I work as a negotiator, there is, and that's my how I see it and how I feel it until now, there is no cyber criminal who will take the risk from the professionals to screw you up at that moment as a negotiator because they really know that in a week, two or three weeks you will be negotiating against with them. They will never take a risk. That's my experience. That's how I do it. But you need to know at the moment that you are hit by a ransomware and a negotiator will take the call, the first thing he will do is to go into a negotiation and he will ask the file tree. The file tree is the list of all the stolen data. For insurance companies, in most cases, that's the most important thing because that's where the claims will come, and that's the big money they will have to pay. So the file tree I receive, most cases, two to four hours after the first contact I go, they this is something the cybercriminals are sharing with a lot of pleasure because this is the most important thing they think they have. At that moment, I give it to the company, to the victim, and then I say, Can you give me five files on that list that I will ask? And then, first of all, when we see the full list, we have a good idea if it's the right list, yes or no. Because cybercriminals they will never exfiltrate your emails, for example. They will never exfiltrate an Oracle or an SQL database. No, they only do Word documents, PDFs, Excel, and PowerPoints. That's the only thing they will exfiltrate. So that's also a myth where a lot of people are thinking, yeah, but they are taking my complete CRM with everything in so no databases. No databases. It's too big. They will always exfiltrate between 50 and 4, 500 or 600 gigabytes of data. Let's say a normal laptop, nothing more, nothing less. Even for companies for 20,000 people, we are talking about 500 gigabytes of data they will steal. That's the reality. We are asking five files, we receive those five files from the threat actor. That proves that he has the data. It's as simple as it is. But in some cases, we're asking five files and they are sharing six files. This is one of the most important tips I can give to your audience. The sixth file is always the a copy of the cybersecurity insurance policy they have with their insurance company. So they're very important. If you have a cybersecurity policy or an insurance, never store that document on your servers because that's the most important file cyber criminals will look for. And once they have found it, yeah, for me as a negotiator, I mean, I can ask and do whatever I want. If they know that you are covered for four or five million US dollars, yeah, I can try to say uh whatever I want. They are showing me the policy where they say, Yeah, but you are assured for this kind of money. So Yeah, so the insurance company will bear the cost. Indeed, indeed. So that that's one of the most important uh tips I can give. Never store this on your server.
SPEAKER_02:I I never thought of that, but you know, we often tell clients uh don't store your incident response plans on a server because a hacker will know exactly what you're gonna do in the event of a breach. You know, all these kind of obvious things that should be obvious, but yeah, don't store your insurance policies on the server. Yeah, I I could see that clearly. Let's talk a little bit about the threat actor group. Where are they from? Where where are they typically coming from?
SPEAKER_00:I would say here all from uh from Asia, but that's really not the case. That would be stupid for me to say. That's my point of view. If you have 100 people, I think you have five or six criminals, and you will have on those five or six criminals, you will have one or two cybercriminals. Whatever country you are, you will always take or you will always have the same percentage of people who will be cyber criminal. Wherever country you are. So a lot of people think they are all from Russia or from China. Um no, I don't believe that. When you are talking or dealing with amateurs, this is one of the questions I always ask. From where are you? Professionals, they will never answer that. They will say, please keep it professional. That's the answer. Amateurs, in some cases, they will say, I'm from India, or I'm from Venezuela, or I'm from the United States, and then even you can ask from which from where in that country. Yeah, well, which province or which state, and then they will share that, but they will never go uh further than that. Of course, that's that's really interesting. So it's not really country specific, it could be anywhere. No, no, no, no, no, no. It makes also for me to try to make a band with the criminal, that's what I'm I'm trying to do. In in many cases, I'm at a certain point I say, I'm sorry, but I I have to go to uh to a dinner, I need to go to eat. So I will be back in two hours. That's the way of winning some time. Then if two or three hours later I'm coming back, most cases, the first question they are asking, how was your dinner? What have you been eating? And then you answer and you try to again to make a band. That's that's my job. Wow, making bonds with criminals. That's does that not stick in your throat a little bit? It's sometimes difficult because you need to know what your goal is. And even there, I mean, it's just a way of making a deal. They are not my friends. I mean, I don't need to go to the football with them or to go So you've never met them in person? No, I I really would like to do that. Right. Just to have an idea who they are, what's the typical age of a cyber criminal, for example? What was the moment that he decided in his life to go to the other side? That's a point I really would like to know. That's fascinating myself to know at which moment they decided to say, and now I'm going from the right way on the other way, and I'm becoming a criminal.
SPEAKER_02:You mentioned let's uh before we close off, because we're coming up against time. Um you mentioned also, of course, you provide threat intelligence services. What what value does that bring to the client? What kind of things are they looking for?
SPEAKER_00:As a negotiator, they they just need the experience, the way of feeling trust that what you're saying that it will be how it is. And this is something that in in many cases we see that companies are victims after the negotiations. They said, Yeah, at a certain point we even thought that you were the criminal. That's not so positive, but they say that it was incredible to see that you were able to say what all the next steps would be to predict all those next steps and that they were true. Now, that's experience. Give me two or three sentences of a criminal, and I'm able to explain you the next five to ten days what is going to happen based on three sentences. That's experience. That's also a kind of uh intelligence that you can share.
SPEAKER_02:And value that you bring. I mean, you know, same with you know, I see a lot of companies that just start in doing DFIR investigations and they don't have you know, when you've got that experience, it's crucial. The experience is everything, and I can fully understand in your field.
SPEAKER_00:You may not be afraid, and that's the most important thing. If a negotiation would not be successful, it certainly will not change my life. And that's the only way to go into into those negotiations. No emotion.
SPEAKER_02:We could talk for hours about this because it's a conversation. But uh typically we we keep these podcasts to about half an hour or so, uh 30 to 40 minutes. So I'm afraid we butter butted up against time. But I strongly urge you know our listeners to uh A reach out to you if they want to learn more of your company, etc. And I would suggest also because retainers are are critical, right? So in our world, in the investigation world, we often urge companies to be prepared, so to do tabletop exercises, to rehearse, to have muscle memory around dealing with a crisis. And they should involve people like yourselves in these kind of exercises because you're a critical component of any incident, uh especially a ransomware type incident. I think too many companies they don't, you know, involve other players, you know, that are important in the real incidents. And certainly I would urge anybody listening in the corporate world, if you are planning an exercise to do involve someone like here, to understand what the process of negotiations will be, how you will approach it, how would you pay? You know, how would you get the bitcoins, right? And so many things we haven't really touched on in this short conversation, but there is a lot more to this. And of course, you can buy his book, which is Negotiating in the Dark. I'm really looking forward to reading this. It's gonna be a fantastic reading. But I do have one thing though there too, you know. Uh you you've stolen our Cybernova name.
SPEAKER_00:What's going on? Yeah, that's true. Well, um, in Belgium, we are organizing on the 24th of March uh Cybernova. And um we looked for the name. It was in in Europe, it was free, it was able to. But the most important, it's we are organizing Supernova, which is an exposition or it's an event that we organize from MA partners, investors. On top of that, I know the organizator and I said, why don't we why aren't we organizing an extra day just for cyber? And what we try to do is to bring it to make a bridge against law enforcement and companies. So you will see Europol, Interpol, you will see a lot of governmental institutions who will explain how they are working on a daily basis against those cyber criminals. Because it's I know that world, it's it's our world, but a lot of companies they don't have a clue how it is. So that was the start of Cybernova and first edition this year, 24th of March in most beautiful city, Antwerp. The most beautiful city.
SPEAKER_02:Well, I think given what you've told me, you're welcome to share this name because it's a great, great. It's an honor, thank you. Yeah, no, it's seriously an honor for us to be sharing with you. Uh, just uh tell the audience when and where. 24 March in Antwerp, in Belgium. Right. I will try my best to be there.
SPEAKER_00:No, no, you will be there.
SPEAKER_02:You promised me yesterday, did you? All right. Um look, if you've enjoyed this uh episode, everybody, uh please hit that like or subscribe button. It helps us to reach more folks uh with these important informations that we share on this podcast. I have one final question for you though, here, and I always close because you talked about, you know, the stress and the emotions, taking the emotions out. Well, in my job, we have to also take the emotions out, but sometimes when you get home, you want to let the emotions back in. And I do that through music. I really am a music lover, so I'm an old-fashioned, so I've got vinyl records, etc. But I'm always curious, my guests, what they're listening to. So I always have this impression of Belgians listening to accordion music. Put me, put me straight. What do what do you listen to here?
SPEAKER_00:My wife is getting angry when she's in my car because it's always the same. And I uh I cannot I know I don't know why, but I I love old movies. Right. Now, old movies, we have the new movie, but I always listen to the the full list of music of Top Gun. The music of Top Gun. Yes, it's so fascinating, and and this is something I I really love to hear because it's I don't need to think about, I can think about my job why I'm driving and and listening to that. But I'm an old-fashioned guy. But you must drive your kids crazy though, if they have to listen to that. Always. Always, and it's the first thing they do, they change that music, and yeah, I don't have anything to say at home.
SPEAKER_02:So uh what a great way to close this episode. And here, you you are a legend, and thank you so much for joining me here. It's a pleasure Sunny Kuala Lumpur at the Rise event, which again is a fantastic event for those who are more interested in investigations and the and the dark side, if you like, of Sun Event. It's a very unique event. Thank you so much for joining me today here at uh Safe Travels Back to Belgium. Thank you very much. Theos Cybernova was presented by myself, Paul Jackson. The studio engineer and editor was Roy DeMonte, the executive producer was myself and Ian Carlos. And this podcast is a co-production between Theos Cyber and W4 Podcast Studio in Dubai.