Experts Analyze Conti and Hive Ransomware Gangs’ Chats With Their Victims

An analysis of four months of chat logs spanning more than 40 conversations between the operators of Conti and Hive ransomware and their victims has offered an insight into the groups’ inner workings and their negotiation techniques.

In one exchange, the Conti Team is said to have significantly reduced the ransom demand from a staggering $50 million to $1 million, a 98% drop, suggesting a willingness to settle for a far lower amount.

“Both Conti and Hive are quick to lower ransom demands, routinely offering substantial reductions multiple times throughout negotiations,” Cisco Talos said in a report shared with The Hacker News. “This signals that despite popular belief, victims of a ransomware attack actually have significant negotiating power.”

Conti and Hive are among the most prevalent ransomware strains in the threat landscape, cumulatively accounting for 29.1% of attacks detected during the three-month period between October and December 2021.

A key takeaway from the review of the chat logs is the contrast in communication styles between the two groups. While Conti’s conversations with victims are professional and marked by the use of different persuasion tactics to convince victims to pay the ransom, Hive employs a “much shorter, more direct” informal approach.

Besides offering holidays and special discounts, Conti is also known to offer “IT support” to prevent future attacks, sending its victims a so-called security report that lists a series of steps the affected entities can take to secure their networks.

Additionally, the financially motivated group has made use of scare tactics, warning victims of the reputational damage and legal issues stemming from a data leak and threatening to share the stolen information with competitors and other stakeholders.

“After encrypting victim networks, ransomware threat actors increasingly used ‘triple extortion’ by threatening to (1) publicly release stolen sensitive information, (2) disrupt the victim’s internet access, and/or (3) inform the victim’s partners, shareholders, or suppliers about the incident,” CISA noted in an advisory earlier this year.

Another point of distinction is Conti’s flexibility when it comes to payment deadlines. “These behaviors suggest Conti operators are highly opportunistic cybercriminals who ultimately would prefer some payment as opposed to none,” Talos researcher Kendall McKay said. Read more: https://bit.ly/3kAXRKS
