Experts Analyzed Conversations Between Conti and Hive Ransomware Gangs and Their Victims

Four months of chat records spanning more than 40 discussions between the operators of Conti and Hive ransomware and their victims have been analyzed, providing insight into the gangs’ inner workings and negotiation strategies. The Conti team is alleged to have decreased the ransom demand from a startling $50 million to $1 million in one exchange, a 98 percent reduction, indicating a readiness to negotiate for a much smaller amount. Conti and Hive are two of the most common ransomware strains, accounting for 29.1% of all attacks recorded between October and December 2021. The difference in communication techniques between the two groups is a crucial lesson learned from the chat log analysis. Conti’s interactions with victims are formal and use several techniques to persuade victims to pay the ransom, while Hive takes a shorter and more direct conversational approach. Conti also offers IT support to its victims in order to prevent future attacks, sending them a so-called security report that outlines a number of steps the affected companies can apply to defend their networks.

Analyst Notes

“After encrypting victim networks, ransomware threat actors increasingly used ‘triple extortion’ by threatening to (1) publicly release stolen sensitive information, (2) disrupt the victim’s internet access, and/or (3) inform the victim’s partners, shareholders, or suppliers about the incident,” reported the Cybersecurity and Infrastructure Security Agency (CISA) earlier this year. Conti also stands out for its flexibility on payment dates: its operators would rather receive some payment than none. Hive, on the other hand, increases its ransom demand if a victim fails to pay by the deadline. Hive’s focus on speed over quality in its encryption process makes its implementation prone to cryptographic mistakes and increases the possibility of recovering the master key. “Like many cybercriminals, Conti and Hive are opportunistic actors who likely seek to compromise victims through the easiest and fastest means possible, which often include exploiting known vulnerabilities. This is a reminder to all organizations to implement a strong patch management system and keep all systems up-to-date,” Talos researcher Kendall McKay stated.