Detection and Response
Ransomware Negotiation Scenarios: What to Expect
We wanted to get a better understanding of what victims go through during the aftermath and recovery process of a ransomware attack to help others in case they find themselves in a similar situation. To do this, we analyzed victim support chats for five ransomware families.
We all know the risk of a ransomware attack. Headlines of the latest victims might haunt the dreams of chief information security officers (CISOs) and security operations centers (SOCs) due to the multi-extortion models used by modern ransomware groups.
We wanted to get a better understanding of what victims go through during the aftermath and recovery process of a ransomware attack to help others in case they find themselves in a similar situation. To do this, we analyzed victim support chats for five ransomware families: Conti, Lockbit 2.0, AvosLocker, Hive, and HelloKitty for Linux. Each of these ransomware groups uses unique victim identifiers to offer negotiation and “support” while the victim tries to recover their data.
We identified trends and commonalities across the actors and affiliates and offer guidance for organizations based on what we have seen so far.
Why chat support?
Ransomware-as-a-service (RaaS) actors and affiliates previously used email to communicate with victims. This email correspondence served as a way to negotiate a price for the decryption key and for victims to find a way to keep their data from being published on the groups’ leak sites. However, this way of communicating introduced complications. After all, the ransom note was displayed on every system in a victim organization. What happened when multiple people from the same company contacted the threat actors? It became unsustainable for the criminals to maintain multiple email conversations with the same victim, as they might accidentally contradict themselves or offer varying prices in different email threads.
To solve this problem, ransomware actors began using unique victim identifiers for every victim organization. For Conti, AvosLocker, and HelloKitty for Linux, these unique IDs are part of the ransom note, and the ransom file itself must be uploaded to the group’s Tor or cleartext website (as specified in the ransom note) for a victim to access a specific chat site.
In contrast, Lockbit 2.0 uses the unique victim ID itself as a login to the group’s chat site, along with a CAPTCHA.
It is also interesting to note that despite the victim organization “logging in” with their unique credentials, the criminals always ask which organization they are talking to at the start of the negotiation. This implies that from their end, the criminals do not correlate specific logins with assigned victim organizations. Alternately, it could be a way to verify that they are in fact speaking with a victim organization rather than a researcher or a member of law enforcement.
The unique victim identifier model ensures that even if 30 employees attempt to negotiate for the company, everyone will go to the same chat page. This includes researchers and law enforcement officers, who might also monitor these chat sites.
How are these chats accessible?
One problem posed by this chat support model is that anyone with the ransom note can access the chat. While the unique victim IDs are, as implied by their name, specific per victim, this does not mean that they can only be used by that victim. In fact, anyone — researchers, law enforcement, and investigative journalists, among others — could be monitoring their conversation with a victim, and ransomware groups are aware of this.
The MountLocker ransomware group addressed this by requiring their victims to set their own password upon initial login to their chat site. This requirement to create their own password thus adds a layer of privacy to the chat site.
The implication here is this: In the event that an organization becomes a victim and starts negotiating with the criminal group involved, they must consider the conversation public. If the confidentiality of the negotiation needs to be preserved, it is best to keep the ransom notes from being published on publicly accessible platforms.
What we learned
The Conti ransomware has the most active chats based on available ransom notes. Each chat begins the same way, with a standard message to each victim. From what we’ve seen, these messages are always in English regardless of the victim’s location.
This standard introduction shows a level of professionalism, indicating that the ransomware group uses a standard playbook for negotiating staff. While other ransomware families do not start every conversation with the same introductory message, chat conversations from the ransomware families we analyzed typically include a few key points, which we list here.
What was stolen
While the amount and nature of stolen data varies, it always includes items that are critical to the company, including but not limited to financials, contracts, databases, and employee and customer personally identifiable information (PII). The criminals always offer to decrypt some sample files as proof, and in some cases they will provide a file tree of what has been stolen.
Many victims state that they are willing to pay to decrypt data and prevent it from being leaked, but they simply cannot meet the initial demand. The criminals’ main defense or justification for the price includes either the victim’s bank account balance or insurance policy information.
Discounts and price drops
We observed price drops from the initial demands that are anywhere from 25 to 90%. Each group appears to have their own philosophy and standard with regard to discounts they will provide. However, what the criminals initially claim as their discount policy does not stay true for long. In some cases, a price is agreed upon and the actors publish the stolen data anyway. In other cases, the final discount goes far beyond what the criminals initially identify as their lowest possible offer.
Shift in tone
There is also a distinct shift in tone at some point in the majority of conversations. The criminals begin by firmly reassuring that the best possible option for their victim is for them to pay. They reinforce their argument by reminding the victim that having their data leaked would result in legal trouble and regulatory fines, or that using a data recovery service is not worth their time and money. During these early stages, they even claim that they are here to help the victims.
However, this approach eventually turns sour as ransomware actors become impatient, pushy, and aggressive. One likely reason for their impatience is that they do not want the victim organization to grow comfortable, forget the severity of their situation, or mitigate the threat without any “help” from the criminals themselves. Their statements thus start from something along the lines of “Please let us know if you have further questions!” to “As you may have noticed, your website is currently unavailable. It's the initial phase of our campaign for your company liquidation...We are well aware you don't have any backup, so we will be waiting while you will be suffering losses.”
What potential victims should do
It is generally understood today that for organizations, it is not a question of if they will be targeted by ransomware but when. Knowing and accepting that is critical to preventing a ransomware attack from inflicting severe damage to any organization.
To prepare for the possibility of a modern ransomware attack, organizations of all sizes and verticals should consider the following
- Make a plan and just as importantly, test it. Develop a ransomware incident response plan and run simulations or tabletop exercises with all relevant teams. Run it through with the board and C-suites to reach an agreement. Every team member must know their role and how to accomplish it before an actual crisis arises. For instance, one decision that needs to be reached is whether or not your organization is willing to pay the ransom. While we do not recommend paying, should it be the path that your organization opts for, we do advise that you have a plan in place to follow through with financial logistics.
- Hire a professional negotiator. Certain organizations specialize in this exact field of negotiating ransom terms on behalf of companies. Based on our observations, most ransomware actors don’t care if they are speaking with a negotiator or an employee of the victim organization. However, the Grief ransomware has recently stated otherwise.
The goal of negotiating is often to buy yourself time while you recover data from any of your backups. Indeed, generally victims want to prevent data leakage or further extortion, but they ultimately don’t plan to pay the ransom, either. If this is true for your organization’s incident response plan as well, then it will be critical to know that and have everyone understand that goal before an attack occurs.
It is also important to be aware that there are multiple extortion models that criminals might use, so it is important to understand and plan for the possibility of double, triple-, and quadruple extortion. Ultimately, of course, preventing a successful ransomware attack is the best option. This requires a comprehensive security plan, which is a challenge for many organizations.
How to avoid becoming a victim
While it is essential to know the plan in case it is needed, organizations would naturally prefer any attack to fail. Still, it bears repeating that all organizations should expect to be targeted and plan accordingly, as doing so is the critical first step to prevention.
- Configure hardware and software correctly for your environment.
- Follow the principle of least privilege and limit administrative access as much as possible.
- Patch and maintain software updates. Leverage virtual patching when you need time to implement patches.
- Audit and monitor event logs. Logging security events is only helpful if someone is monitoring those logs against a baseline to know when something abnormal is occurring.
- Use the 3-2-1 rule for data backup: Create three backup copies in two mediums, with one that is physically separate.
- Train employees and test systems to make sure your security assumptions are verified when tested.
To help you reach these security goals and protect your organization against a successful ransomware attack, Trend Micro Vision One™ compares detections across the IT environment with global threat intelligence to correlate data and draw actionable conclusions. Named the industry’s best by Forrester, the security platform adds the strongest protection against ransomware and other attacks.