What to expect when negotiating with Conti and Hive ransomware gangs

Today, the Cisco Talos threat intelligence team released a blog post revealing new findings about the negotiation tactics of Conti and Hive ransomware gangs. The logs include conversations spanning over 4 months and provide a goldmine of insights into the tactics used by the attackers to manipulate their victims. 

One of the most significant findings of the research is that both groups are quick to lower ransom demands and negotiate with target organizations. At the same time, both attackers deploy persuasion techniques such as offering “IT support” to prevent further cyber attacks in exchange for a ransom. 

VentureBeat caught up with two of the researchers from the Cisco Talos team, head of outreach, Nick Biasini, and senior intelligence analyst, Kendall McKay, to discuss some of the key findings and find out whether organizations should try to negotiate during a ransomware attack, and what types of manipulation techniques they should expect. 

Here’s an edited transcript of the interview. 

VentureBeat: Should organizations ever try to negotiate with a ransomware gang? 

Nick Biasini: This really depends on the organization and the attack scenario. I understand the desire to refuse to negotiate, but for some organizations it could be a matter of negotiation or their business not being viable anymore. 

Kendall McKay: This is a decision that any victim organization should carefully consider based on their tolerance for public data exposure and potential repetitional consequences, along with financial cost. 

VentureBeat: What’s the first thing an organization should do when someone encrypts their data and sends a ransom demand? 

Biasini: Hopefully they have an established and well-tested backup and recovery procedure and begin emergency response with an incident response team, either external, internal or both, depending on the organization. 

McKay: Organizations who have been compromised by ransomware actors should immediately consult their IT staff and third-party security providers. More likely than not, it will not be possible to retrieve the data after it has been encrypted, but there are ways to make sure the adversary does not cause more damage, such as dropping additional malware or deploying persistence mechanisms that would enable them to stay in the victim’s environment long after the initial incident is closed.

VentureBeat: What can organizations expect if they’re targeted by Conti or Hive? 

Biasini: As with most ransomware attacks today, there will be obvious indications that systems have been ransomed and that data has been exfiltrated. The most important thing is to try and understand the scope of the breach and what potential exposure exists. Leverage that knowledge in your negotiations to hopefully achieve a satisfactory outcome. 

McKay: These actors are extremely determined to get payment from the victim by any means necessary. Compromised organizations can expect that Conti and Hive will be somewhat flexible when negotiating in terms of ransom amount and payment deadline, but rest assured they will follow through on their promise to publish the victim’s stolen data if their terms are not met.

VentureBeat: The report mentions that threat actors will offer to provide “IT support,” with a decryption tool and a full security report. Can you elaborate on that? 

Biasini: Some of the ransomware cartels will offer to provide some information about how they accessed the network and what types of things you can do to improve your security. Most of the time these tend to be generic and offer boilerplate recommendations that could be applicable to a large swath of companies.

McKay: One of Conti’s persuasion techniques is to try to make the victim feel like there is some positive result to come out of the unfortunate experience of being extorted by a ransomware gang. A way they do this is by offering to provide “IT support” to protect against another attack happening again in the future. Based on our findings, this was a ploy to entice victims to pay and never amounted to anything more than Conti issuing generic guidance to the victim upon payment. 

VentureBeat: Any comments on double or triple extortion techniques that you’ve discovered? 

Biasini: Double extortion is incredible common as attackers have realized that customers are still willing to pay to keep the data private, even if they have fully tested and valid backups for all ransomed data. 

McKay: Triple extortion is a relatively new technique that an increasing number of attackers are adopting. Ransomware actors are highly motivated by financial gain, and as we saw in this study, will use any means necessary to persuade victims to pay ransoms. 

Therefore, it seems reasonable to expect that these types of cybercriminals will continue to diversify their persuasion techniques, including adopting additional extortion methods going forward. 

VentureBeat: Are there any techniques attackers will use to try to persuade organizations to pay ransoms? 

Biasini: Sure they’ll use every technique they have at their disposal. They’ll offer to be friendly, they’ll be demanding and aggressive. Basically they will try a variety of tactics until they find one that works.

McKay: For cybercriminals like Conti and Hive, ransomware is a business, and thus we see them employing all sorts of techniques to persuade victims to pay ransoms, just like any normal salesperson. They will use any approach necessary, from threats and fear mongering to marketing ploys like offering holiday discounts. While their approaches may vary, the goal never changes: say or do whatever is necessary to get the victim to pay.

VentureBeat: Any advice for organizations who are considering responding to an attacker’s persuasion attempts or scare tactics? 

Biasini: Realize that you are communicating with a group of criminals whose one goal is to separate you from as much money as possible. As with any negotiation, there is give and take on both sides, the ultimate goal being you reaching a compromise with which you can be comfortable. 

McKay: At the end of the day, the threat of having your data leaked is very real in these situations. The attackers will follow through on this if their terms are not met. That being said, there appears to be some room for negotiation based on our findings. The adversaries would rather get some amount of money rather than nothing.

VentureBeat: How can organizations prevent ransomware attacks in the first place? 

Biasini: These cartels gain access through a variety of means, including active exploitation, stolen credentials and directly buying access. The most important thing is going back and re-assessing any accepted risk the organization has taken on. These types of risks can be footholds for these groups to start their attacks. 

However, there are ample ways to defend against the attacks, including making access and administrative access difficult. 

Technologies like multifactor authentication can make it more difficult for the attackers to gain access to the systems they need. Likewise, having strong security fundamentals in place can help limit the damage from these types of attacks, even after they occur. 

McKay: Ransomware attackers first must find a way to gain access to the victim’s network before they start carrying out additional malicious activities. 

Therefore, it’s important for organizations to remember to exercise security fundamentals, like phishing awareness, employing multifactor authentication (MFA), and keeping systems patched and up to date.