DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Conti and Hive ransomware operations: Leveraging victim chats for insights

Posted on May 7, 2022 by Dissent

Kendall McKay and colleagues Paul Eubanks and Jaime Filson of Talos issued a report this week with some interesting insights.

EXECUTIVE SUMMARY

  • Through open-source research, we obtained and analyzed over four months of chat logs — more than 40 separate conversations — between Conti and Hive ransomware operators and their victims. The findings in this paper give an overview of the actors’ communications styles, persuasion techniques, ransom negotiations, operational and targeting information, and more.
  • Conti and Hive have markedly different communication styles, with Conti employing a range of persuasion tactics in what often seem like scripted and somewhat organized exchanges. Hive communications, by contrast, are much shorter, more direct, and void of many of the persuasion techniques that Conti employs. These differences possibly reflect varying levels of organizational oversight for affiliates or may simply exemplify the unique communication styles employed by various ransomware actors.
  • Both groups are very quick to lower ransom demands, routinely offering substantial reductions multiple times throughout their negotiations. It is clear that the actors’ initial ransom demand is rarely their bottom line.
  • Conti and Hive do research on victim organizations before determining the ransom amount, with both groups typically asking for about one percent of the company’s annual revenue. Both threat actors appear to target entities indiscriminately, likely based on what they assess to be the easiest victims to compromise for quick financial gains.
  • Hive operators displayed surprisingly poor operational security, revealing sensitive information about their encryption process and other operational details. Other evidence suggests that Hive affiliates do not adhere to any sort of standard operating procedure and employ any and all means necessary to convince their victims to pay, including offering kickbacks to victim negotiators once the ransom payment is made.

Access the full Talos whitepaper (12 pp, pdf) 

Category: Breach IncidentsCommentaries and AnalysesMalwareOf Note

Post navigation

← IKEA Canada confirms data breach involving personal information of approximately 95,000 customers
OpenSea Discord server hacked, increasing the risk of phishing scams →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Rewards for Justice offers $10M reward for info on RedLine developer or RedLine’s use by foreign governments
  • New evidence links long-running hacking group to Indian government
  • Zaporizhzhia Cyber ​​Police Exposes Hacker Who Caused Millions in Losses to Victims by Mining Cryptocurrency
  • Germany fines Vodafone $51 million for privacy, security breaches
  • Google: Hackers target Salesforce accounts in data extortion attacks
  • The US Grid Attack Looming on the Horizon
  • US govt login portal could be one cyberattack away from collapse, say auditors
  • Two Men Sentenced to Prison for Aggravated Identity Theft and Computer Hacking Crimes
  • 100,000 UK taxpayer accounts hit in £47m phishing attack on HMRC
  • CISA Alert: Updated Guidance on Play Ransomware

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • How the FBI Sought a Warrant to Search Instagram of Columbia Student Protesters
  • Germany fines Vodafone $51 million for privacy, security breaches
  • Malaysia enacts data sharing rules for public sector
  • U.S. Enacts Take It Down Act
  • 23andMe Bankruptcy Judge Ponders Trump Bill’s Injunction Impact
  • Hell No: The ODNI Wants to Make it Easier for the Government to Buy Your Data Without Warrant
  • US State Dept. says silence or anonymity on social media is suspicious

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.