How did you get into cyber negotiation?
I started my career in 1999 working for John McAfee. A few years later, I created my own company, which today employs 120 people across several offices worldwide. Cyber negotiation came later, in 2016, almost by accident. My uncle had been the victim of a cyberattack and the situation had to be handled. At the time, I knew absolutely nothing about this field, but I had to help him.
Ten years later, I have conducted more than 600 negotiations. It’s a very rare profession. There are few of us with real hands-on experience, and even fewer who speak publicly about it. Many operate without communicating on the subject, which I can understand, as it remains a world apart.
Who actually calls on your services?
Today, my direct clients are mainly insurance companies. I work with four of them. When a company falls victim to a cyberattack, it usually contacts its insurer within a very short timeframe, typically within 24 hours. The insurer systematically decides to bring in a negotiator to take the temperature of the case, assess the amounts involved, and understand how far the crisis could go.
Negotiation is therefore used very early to frame the situation. It is not just about discussing a price. It also helps provide the insurer and the victim with a clearer understanding of the risk, the timeline, and the options that actually exist.
So negotiating does not necessarily mean paying?
No, absolutely not. That is actually a key point. Many people assume that opening a communication channel with hackers already means preparing to pay. That’s not true. Today, around 50% of the communications I initiate end in payment. That means that in one out of two cases, negotiation serves other purposes.
How do you actually get in touch with the attacker? Do they initiate contact?
In practice, the channel almost always already exists when the victim discovers the attack. The attackers have generally left a point of contact on the ransom page, often accessible via Tor, with a dedicated interface used as the basis for negotiation. This is the case for the most structured groups. For more amateur profiles, exchanges can also happen via standard email addresses, sometimes through secure services.
In the vast majority of cases, discussions remain written. We are not on the phone. We exchange either on their platform or via messaging. A typical negotiation today represents between 150 and 250 lines of dialogue. Most often, the attacker has already set the initial framework by leaving instructions and a contact channel. We then enter that space to open the discussion, clarify what they are demanding, verify what they actually hold, and gradually regain control of the negotiation.
What does a negotiation concretely make it possible to obtain?
The first thing is often the list of stolen data. In practice, it is much easier for me to request this information from cybercriminals than to ask the victim to reconstruct it from their systems. So far, I have never seen a victim capable of providing a complete view of what has been exfiltrated on their own.
Next, we look for the root cause, meaning the initial cause of the intrusion. This is important for understanding the attack and what comes next. We also request proof. For example, when attackers send us a list of files, I ask the victim to select a few. Then I request those files from the cybercriminals. When they send them back, it allows us to verify that we are dealing with the right interlocutors and that they actually possess the data they claim to have.
Has the ransomware ecosystem evolved significantly in recent years?
Specialization has increased considerably. Today, the most professional groups resemble real organizations. Some have ten people, others 200 or even 250. And above all, these organizations do not necessarily create the initial access to their target’s information system themselves.
That access is often purchased from other specialized actors. Some exploit a specific vulnerability. Others distribute infostealers, small programs capable of retrieving passwords or other useful information. The initial access is then resold. And this is where a major change has occurred. Before, it might be sold once, with the hope of receiving a share of the ransom. Today, since fewer companies are paying and amounts are decreasing, many hackers prefer to sell the same access three or four times, very quickly, to several different groups.
What impact does that have on negotiation?
It speeds everything up. Groups know they are competing with others, so they want to move much faster. Where a negotiation might have lasted ten or fifteen days a few years ago, it now has to conclude within three or four days. The pace has changed.
We also see that their level of professionalization has clearly increased. Eight or nine years ago, their infrastructures were often more fragile. Today, that is no longer the case. Their organization is much more solid and their way of working much more rigorous.
Why are victim companies paying less than before?
Because they are better prepared. Networks are better protected and backups have improved significantly. A few years ago, encryption was often the main blocking point. Today, in many cases, victims know how to restore from a backup that has not been affected.
The center of gravity has therefore shifted. The real leverage for attackers is no longer just encryption. It is data exfiltration and the threat of publication. Today, in a large majority of cases, the victim’s main concern is not technical recovery, but the dissemination of sensitive data on the darknet.
How is the decision to pay or not made?
It is a purely economic decision. On average, a company is down for 24 days in the event of a ransomware attack. It therefore has to ask itself: wouldn’t it cost less to pay the ransom quickly rather than see its operations paralyzed?
You have to lay out both scenarios very concretely. If you pay, we move toward a certain amount, a certain timeline, and expected deliverables. If you don’t pay, it will take a certain amount of time, resources, and effort to rebuild. My role is to lay these elements out and, if a negotiation takes place, try to reduce the amount paid to reach something the victim can consider acceptable.
What matters is thinking in terms of crisis resolution. Negotiation must also be synchronized with the technical work carried out in parallel. Most of the time, as soon as attackers make contact with the victim company, a team begins rebuilding a new network. The negotiation must conclude at the right moment. It would make no sense to obtain a decryption key if, at the same time, the environment is not ready or if reconstruction follows a different timeline.
You describe a highly exposed profession. How far does that exposure go?
It goes very far. Cybercriminals know exactly who I am and what I do. And there is one point that is rarely discussed: corruption attempts. Very often, when discussions progress, attackers suggest moving away from the official channel to another one, for example Tox. There, they can say very clearly: “If your client wants to pay $500,000, push it to $700,000 and you’ll take a share of the difference.”
That is precisely why I remain the only negotiator in my organization. If you expose a regular employee to that kind of proposition for several months, you open Pandora’s box. I don’t want to take that risk.
What do these negotiations teach you about the real causes of attacks?
They show first that public explanations are often very incomplete. More than 90% of victim companies share almost nothing afterward. And when they say something, they often cite phishing. Yet, in a minimally structured company, a standard user does not have sufficient rights to install software on a server. The reality is therefore often more complex.
My advantage is being in the cockpit of negotiations and seeing the real root causes. It is on that basis that we have developed new security products. The problem is that victims are ashamed. They do not explain what really happened. As a result, other companies do not learn, and criminals retain an informational advantage.
What do you think is most misunderstood about your profession?
The idea that everything should be approached purely in moral terms. It is very easy, from the outside, to say that you should never pay. But when a victim is in the middle of a crisis, with operations halted, potentially exfiltrated data, and strong pressure, you first need to help them understand their options.
A good negotiator must remain rational. They must never become emotional, because that is precisely what attackers are trying to provoke. Of course, there is stress, especially when amounts exceed $500,000 or $1 million. My role is also to absorb part of the client’s stress, to tell them: “This is my job, I do this every day, we are going to look at what is possible.” I never promise certainty. In this profession, there is none. But we can at least give the victim a clear reading of the situation and try to guide them toward the most favorable outcome possible.