What to expect when dealing with the Conti and Hive ransomware organizations


A blog post by the Cisco Talos threat intelligence organization reveals new findings about the tactics of the Conti and Hive ransomware gangs. The logs encompass conversations spanning more than four months and provide a goldmine of insights into the tactics the attackers use to manipulate their victims.

One of the most significant findings is that both organizations are quick to reduce ransom demands and negotiate with target organizations. Using persuasion techniques such as offering IT support to prevent future cyberattacks in exchange for a ransom, both organizations are successful in reducing ransom charges.

Here's a full transcript of the interview.

Nick Biasini: This is very important for the organization and the attack scenario. I understand the desire to be reluctant to negotiate, but for some organizations it may be a matter of negotiation or their business becoming more viable.

Kendall McKay: This is a decision that any victim organization should carefully consider based on their tolerance for public data exposure and potential reputational consequences, as well as financial costs.

Biasini: Hopefully they have a well-established backup and recovery procedure, and will begin emergency response with a team of emergency responders, either external, internal, or both, depending on the organization.

McKay: Organizations who have been compromised by ransomware should immediately consult their IT staff and third-party security providers. Although it is unlikely to be possible to recover the data after it has been encrypted, there are alternatives to imposing additional threats, such as dropping additional malware or deploying persistence mechanisms that would allow them to stay in the victims' environment long after the initial incident is ended.

Biasini: As with most ransomware attacks today, there will be obvious indications that systems have been ransomed and that data has been removed. The most important thing is to investigate the scope of the breach and what potential exposure exists. Leverage that knowledge in your negotiations in hopes of achieving a satisfactory outcome.

McKay: These actors are extremely willing to pay the victim by any means necessary. Compromised organizations may anticipate that Conti and Hive will be somewhat flexible when it comes to ransom amounts and payment deadlines, but be cautious that they will follow through on their promise to release stolen data if their terms are not met.

Biasini: Some of the ransomware dealers will provide information about how they accessed the network and what types of things you can do to improve your security. Most often these are generic and offer boilerplate recommendations that might be applicable to a wide range of businesses.

McKay: One of Conti's persuasion methods is to make the victim feel that there will be some positive outcome to come out of the tragic experience of being extorted by a ransomware gang. A way they do this is by offering to provide IT support to protect against another attack in the future, according to our findings. This was a ploy to entice victims to pay and never constituted anything more than Conti issuing generic guidance to the victim upon payment.

Biasini: As attackers realize that customers are still willing to pay to keep the data private, even if they have thoroughly tested and valid backups for all ransomed data.

McKay: Triple extortion is a relatively new strategy that an increasing number of attackers are adopting. Ransomware employees are highly motivated by financial gain, and, as we saw in this study, will use any means necessary to persuade victims to pay ransoms.

It seems therefore appropriate to anticipate that these types of cybercriminals will continue to diversify their persuasion methods, including adopting additional extortion methods in the future.

Biasini: Sure, they will use every technique they have available. They'll offer to be friendly, they'll be demanding and aggressive. Basically, they will try a variety of tactics until they find one that works.

McKay: For cybercriminals like Conti and Hive, ransomware is a business, and thus they are seeing them employing all kinds of techniques to persuade victims to pay ransoms, like any regular salesperson. They will use any approach required, from threats and fear mongering to marketing tactics like offering holiday discounts. However, their goal never changes: say or do whatever is required to get the victim to pay.

Biasini: Be aware that you are talking with a group of criminals whose one aim is to save you money as much as possible. As with any negotiation, there is give and take on both sides, and the ultimate goal is to reach a compromise with which you can be comfortable.

McKay: At the end of the day, the possibility of having your data leaked is very real in these situations. If their terms are not met, the attackers will follow through on this. However, there appears to be room for negotiation based on our findings. The adversaries prefer to get a fair amount of money rather than a result.

Biasini: These cartels gain access through diverse means, including active exploitation, stolen credentials, and direct purchasing access. The most important thing is returning and re-evaluating any accepted risk the organization has faced. These types of risks may be useful grounds for these organizations to initiate their attacks.

There are a variety of methods to protect against attacks, including making access and administrative access difficult.

Many applications, including multifactor authentication, may hinder the attackers' ability to access the system they need. Similarly, having strong security standards in place can help alleviate the incidence of these types of attacks, even after they occur.

McKay: Before they start executing additional malicious activities, attackers must first find a way to gain access to the victim's network.

Therefore, it's important for organizations to remember to exercise security basics, including phishing awareness, using multifactor authentication (MFA) and keeping systems updated and up to date.
