Chats analyzed by Cisco Talos show how ransomware groups determine ransom amounts and force organizations to pay but also are willing to negotiate with victims.
A report released Tuesday by Cisco Talos, the networking company’s cybersecurity research arm, looks at how ransomware gangs target and negotiate with victims to get paid as quickly and easily as possible. Titled “Behind the keyboard: Understanding Conti and Hive ransomware operations through their chats with victims,” the report uses internal chats of ransomware cybercriminal group members to illustrate their tactics and provide advice for organizations on how to combat ransomware.
To compile its report, Talos obtained more than four months of chat logs with 40 separate conversations between Conti and Hive group members and their victims. The chats provide insight into the communications methods, persuasion strategies, negotiation steps and other techniques used by attackers seeking to collect their bounty.
The Conti group uses a structured and almost scripted approach to convince victims to pay the ransom. With some marketing savvy, group members will offer holiday discounts on the ransom payment, promise IT support to prevent future attacks and threaten to publicly release the data.
The Hive group takes a looser and more direct approach without the persuasive tactics used by Conti. Hive affiliates don’t rely on any standard plan and instead improvise different ways to force victims to pay, including offering kickbacks to negotiators who facilitate payment of the ransom. The group also shows weaker operational security, often revealing details about its encryption methods and other processes.
Both Hive and Conti research their victims beforehand. The two groups typically ask for a ransom of about 1% of a company’s annual revenue and target organizations based on how quickly and easily they may be able to pay. Both groups will lower their ransom demands by offering large discounts during the negotiations.
Based on the internal chats, Cisco Talos has several tips designed to help organizations prevent or combat ransomware attacks.
Keep up with patching. Calling the Conti and Hive members “opportunistic actors,” Cisco Talos said these criminals typically choose the easiest and quickest way to compromise their victims, notably by exploiting known security vulnerabilities. As such, all organizations should implement a strong patch management policy to keep all hardware, software and systems up to date.
Look for suspicious network traffic. One way to prevent attackers from compromising sensitive data is to scan for unusual or anomalous activity on your network. Such activity often is a sign of malicious scanning through which criminals are looking for unpatched or unprotected software. These types of scans usually collect software and version numbers, listening ports and other network resources to help the attackers find weaknesses to exploit.
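As an added illustration of the kind of detection this advice points to (example code, not from the Cisco Talos report or TechRepublic), the following script flags sources whose connection pattern looks like reconnaissance: many distinct ports on one host (a vertical scan) or one port across many hosts (a horizontal sweep). The log format, the 60-second window and the thresholds are assumptions chosen for the example; the log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed firewall-style line layout: "<ISO timestamp> src=<ip> dst=<ip> dport=<port> ..."
LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")

def parse_log(text):
    """Yield (timestamp, src, dst, dport) for every parseable line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["dport"])

def find_scanners(text, window=timedelta(seconds=60), port_threshold=10, host_threshold=5):
    """Return {src: 'vertical' | 'horizontal'} for sources that exceed a threshold
    within any sliding time window (thresholds are assumptions for this example)."""
    events = defaultdict(list)
    for ts, src, dst, dport in parse_log(text):
        events[src].append((ts, dst, dport))
    findings = {}
    for src, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:  # slide window start forward
                start += 1
            ports_per_host, hosts_per_port = defaultdict(set), defaultdict(set)
            for _, dst, dport in evs[start:end + 1]:
                ports_per_host[dst].add(dport)
                hosts_per_port[dport].add(dst)
            if any(len(p) >= port_threshold for p in ports_per_host.values()):
                findings[src] = "vertical"
                break
            if any(len(h) >= host_threshold for h in hosts_per_port.values()):
                findings[src] = "horizontal"
                break
    return findings

def build_sample_log():
    """Constructed log: one vertical scanner, one horizontal sweeper, one normal client."""
    lines = []
    for i, port in enumerate([21, 22, 23, 25, 80, 110, 135, 139, 443, 445, 3389, 8080]):
        lines.append(f"2022-06-01T10:00:{i:02d} src=203.0.113.5 dst=10.0.0.10 dport={port} action=deny")
    for i in range(6):  # same port on six different hosts
        lines.append(f"2022-06-01T10:05:{i:02d} src=198.51.100.7 dst=10.0.0.{20 + i} dport=445 action=deny")
    for i, port in enumerate([80, 443, 443, 25]):  # ordinary client traffic
        lines.append(f"2022-06-01T10:10:{i:02d} src=192.0.2.9 dst=10.0.0.10 dport={port} action=allow")
    return "\n".join(lines)

if __name__ == "__main__":
    print(find_scanners(build_sample_log()))
```

In production the same logic would run over exported firewall or NetFlow records rather than an inline string, with thresholds tuned to the network's normal baseline.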
Harden your systems. Remove any endpoint services or protocols that are no longer necessary. Make sure that any needless ports and services are fully closed to keep them from being discovered and exploited. Further, consider hardening systems, networks and security devices to prevent attacks. This includes maintaining application allow lists and blocklists to control which programs are permitted to run.
Prevent attackers from using stolen credentials. Cybercriminals will often exploit account credentials that have been leaked in data breaches or sold on the darknet. To keep these credentials from being used in actual attacks, require all employees to use multi-factor authentication when accessing critical systems and resources. At the very least, require MFA for all users with administrative rights as well as for those using remote access. Many ransomware incidents could be prevented if MFA is required on critical services, such as a VPN.
Reset passwords. If any accounts are compromised or exploited, run a full password reset for all your accounts. Make sure you at least reset passwords for all privileged domain accounts.