An analysis of four months of chat logs spanning more than 40 conversations between the operators of Conti and Hive ransomware and their victims has offered an insight into the groups’ inner workings and their negotiation techniques.
In one exchange, the Conti Team is said to have significantly reduced the ransom demand from a staggering $50 million to $1 million, a 98% drop, suggesting a willingness to settle for a far lower amount.
“Both Conti and Hive are quick to lower ransom demands, routinely offering substantial reductions multiple times throughout negotiations,” Cisco Talos said in a report shared with The Hacker News. “This signals that despite popular belief, victims of a ransomware attack actually have significant negotiating power. “
Conti and Hive are among the most prevalent ransomware strains in the threat landscape, cumulatively accounting for 29. 1% of attacks detected during the three-month-period between October and December 2021.
The key finding from the analysis of chat logs was the stark contrast between their communication styles. Conti uses professional tactics and persuasion techniques to get victims to agree to the ransom. Hive, on the other hand, employs an informal, shorter approach.
Conti offers holidays and discounts. However, it is well-known for providing “IT support” in order to avoid future attacks. It sends its victims an so-called security report, which lists steps they can take to protect their networks.
Additionally, the financially motivated group has made use of scare tactics, cautioning victims of the reputational damage and legal issues stemming as a consequence of a data leak and threatening to share the stolen information with competitors and other stakeholders.
“After encrypting victim networks, ransomware threat actors increasingly used ‘triple extortion’ by threatening to (1) publicly release stolen sensitive information, (2) disrupt the victim’s internet access, and/or (3) inform the victim’s partners, shareholders, or suppliers about the incident,” CISA noted in an advisory earlier this year.
Another point of distinction is Conti’s flexibility when it comes to payment deadlines. These behaviors indicate that Conti operators may be highly opportunistic and would rather receive some payment than none, according to Talos researcher Kendall McKay.
Hive on the other side has been noted to quickly raise ransom demands if a victim fails to pay the agreed date.
Another thing that is notable about Hive’s encryption processes is its emphasis on speed and accuracy. This makes it susceptible to cryptographic errors, which allow for the recovery of the master key.
“Conti and Hive, like many cybercriminals are, opportunistic agents who seek to compromise victims by the fastest and easiest means possible. This often includes exploiting vulnerabilities known,” McKay stated. This is an important reminder for all companies to have a robust patch management system in place and to keep their systems current. “
