The maritime transport giant, under pressure by the 60 million euros lost per day of breakdown, ends up releasing part of the ransom to restart its container ships.
For the gendarmes, it is only a postponement. The negotiations conducted by the GIGN made it possible to obtain useful clues for the investigation.
A year later, on September 28, 2021, a vast operation led by the gendarmerie, with the support of the FBI and Europol, led to the arrests of two men suspected of being behind a series of attacks, including that against the CMA-CGM.
“For about two years”, the GIGN has intervened in “10 to 20” digital negotiations related to ransomware (or “ransomware”), explains to AFP the general of division Marc Boget, commander of the gendarmerie in cyberspace ( ComCyberGend).
“We are on an exponential trajectory”, underlines the high-ranking, like this crime.
Ransomware attacks targeting companies and institutions increased by 32% between 2019 and 2020, according to a study published in November by the Ministry of the Interior.
The elite unit never acts alone, always within a “triptych”, he says, with high-level technical experts and cybergendarmes from the Center for the Fight against Digital Crimes (C3N), seized after a complaint from the victim company.
In the event of an attack, these three players deploy within an ad hoc command post, set up on company premises.
Known to the general public for intervening in hostage-taking or terrorist attacks, the 24 negotiators of the GIGN national unit, including four permanent staff, have been specially trained. Eventually, 350 regional negotiators will also be.
“We are not here to type lines of code”, specifies Timothy, negotiation officer. “We rely on people who are uninhibited with IT to implement a strategy and save time”.
The talks take place almost exclusively in writing, most often on the Tor encrypted network, with a countdown to increase the pressure. They can last from “a few hours to a fortnight” and “when it starts, it never stops,” says Xavier, head of the negotiation unit.
The negotiation always starts with a phase of technical analysis of the architecture of the network.
“A multinational is hundreds of computers and servers around the world. The attacker was able to penetrate through a server in Brazil to attack those located in Russia”, decrypts Clément, the “geek” head of the GIGN, to the head of the cyber cell.
Understanding how the hacker entered will make it possible to gauge “his level and his credibility”, adds this expert. Identifying it remains “possible but complex”: “who knows if, behind the screen, you are dealing with a State or a 16-year-old newbie hacking the entire Earth?”
With a hostage taker, “we introduce ourselves, we talk to him, we can establish a link, create empathy”, says Timothy. The hacker, he must never know that he is negotiating with the gendarmerie.
“We will coach the victim, she will write with us, with her corporate vocabulary, all these things that we must not betray”, summarizes the negotiator.
It is also she who validates the strategy and can give reduction objectives to be obtained on the starting ransom.
“We help the company to pay as little money as possible and to keep its data”, comments Xavier soberly.
“We try not to pay, but the company that has a fire in progress, it must be able to extinguish it”, concedes Timothy. “Some business leaders are cautious. Others are angry, refuse to pay and give us carte blanche”.
Like this CEO of a private security company, with 2,000 employees, whose data was fully encrypted last March.
The hackers demanded 2 million dollars to deliver the decryption key. Categorical refusal of the boss.
By a “bluff”, according to General Marc Boget, the GIGN negotiator managed to bring down the sum… to 11,000 euros.