Kendall McKay and colleagues Paul Eubanks and Jaime Filson of Talos issued a report this week with some interesting insights.
EXECUTIVE SUMMARY
- Through open-source research, we obtained and analyzed over four months of chat logs — more than 40 separate conversations — between Conti and Hive ransomware operators and their victims. The findings in this paper give an overview of the actors’ communications styles, persuasion techniques, ransom negotiations, operational and targeting information, and more.
- Conti and Hive have markedly different communication styles, with Conti employing a range of persuasion tactics in what often seem like scripted and somewhat organized exchanges. Hive communications, by contrast, are much shorter, more direct, and void of many of the persuasion techniques that Conti employs. These differences possibly reflect varying levels of organizational oversight for affiliates or may simply exemplify the unique communication styles employed by various ransomware actors.
- Both groups are very quick to lower ransom demands, routinely offering substantial reductions multiple times throughout their negotiations. It is clear that the actors’ initial ransom demand is rarely their bottom line.
- Conti and Hive do research on victim organizations before determining the ransom amount, with both groups typically asking for about one percent of the company’s annual revenue. Both threat actors appear to target entities indiscriminately, likely based on what they assess to be the easiest victims to compromise for quick financial gains.
- Hive operators displayed surprisingly poor operational security, revealing sensitive information about their encryption process and other operational details. Other evidence suggests that Hive affiliates do not adhere to any sort of standard operating procedure and employ any and all means necessary to convince their victims to pay, including offering kickbacks to victim negotiators once the ransom payment is made.
Access the full Talos whitepaper (12 pp, pdf)