I devoted the previous article to the OSINT method – how to work with information that is publicly available online. Using the available info, we found one critical vulnerability in Vltava Basin, which could have been the entry point for hackers into their network. The article was subsequently “republished” at Lupa.cz [CZ] and I have received positive feedback from many of you. Thank you all very much for that! I will continue to try to bring you fresh information and practical procedures.
I received a recording of communication between ransomware victims and attackers last week. As I worked on it, I realized that a lot had been written about ransomware, but not nearly as much about communicating with the attackers. 🙂 I found only two articles that show the actual communication (“How to Haggle With Your Hacker” and a second one that, unfortunately, I could not find again). I have decided to share the record of the ransom negotiation with you, including the observations about communicating with hackers that I found interesting.
I understand that communicating with attackers and paying the ransom is beyond that imaginary line for some people. But let’s leave the moral dimension aside now, please. The situation has already happened. Let’s use communication to expand our knowledge of ransomware “business“.
What Do I Find Interesting Regarding The Ransom Communication
My observations on communicating with hackers …
The original and final price of the ransom
Negotiating a ransom is reminiscent of bargaining at a Turkish bazaar. At the beginning, the attackers demanded 2 BTC (at that time about 440,000 CZK). The final price paid by the victim was 0.4 BTC (approx. 88,000 CZK), which is just 20% of the original amount. Getting an 80% discount is, in my experience, a very good result. What discount can be achieved depends on the customer’s willingness to take risks (there is a risk that you annoy or offend the attacker and the communication stops) and on how urgently the data is needed back (whether within an hour or within a week).
It’s like playing poker. Each side knows its “cards”, tries to keep the “poker face” and guess the “cards” of its opponent.
- The victim knows the value of its data (how much it is willing to pay) and knows the seriousness of the situation (whether current or historical backups exist, how much data is irretrievably lost). However, the victim needs to act as if nothing much happened and as if most of the data can be restored from backup: only a few non-critical documents are encrypted, but it would be nice to have them back. At the same time, the victim tries to estimate the lowest ransom the attackers would be willing to accept, without offending them so much that they refuse further negotiation.
- The attackers know who was attacked, what was deleted or encrypted in the victim’s network, and the lowest price at which they will release the data. However, they need to estimate how bad the victim’s situation is (whether any backups survived) and what the data is worth, and “price” the ransom on that basis. The companies most willing to pay are those left with no data at all; companies with partial backups are already less likely to pay, and those with a backup of all their data are the least likely. The attackers take an uncompromising line with the victim, setting time ultimatums under the threat that the victim will never see the data again.
- Negotiating is much easier from the detached position of an uninvolved third party than from the side of a company whose existence may be at stake. The victim’s initial counter-offer of EUR 500 (less than 3% of the requested amount) was bold, but in my opinion it helped to significantly reduce the ransom (a kind of counter-anchor to the price). The attackers demonstratively paused for half a day. The victim “did not push” the matter, signalling to the attackers that the data was not really critical, which led to a significant ransom discount.
- The negotiation reminded me of the book “Never Split The Difference” by Chris Voss. If you are interested in the psychology of negotiation, I highly recommend it (and at the same time you will support one great publishing house, especially in these hard times).
Hackers Like To Brag
One would expect hackers to remain “anonymous.” However, they seem proud and happy to boast about their history and the name they have earned. In the communication they boast that they are the Matrix group, have been operating since 2013, and receive 20–30 payments a day. Whether this information is true is, of course, open to question. From our experience in other cases, it is common for hackers to brag about their name: they use their reputation as leverage to “guarantee” to the victim that the data will really be released once the payment goes through.
Hackers Are Organized
It can be seen that several people take turns in the communication, at least two. One of them is called the boss and, unlike the first person, has access to the decryption keys. There are hierarchies and different levels of authorization, pointing towards “professionalization.”
Most of the communication took place over the weekend, day and night. The attackers mentioned that they were in GMT+4, and replies sometimes arrived within minutes. Likewise, the hackers were willing to help decrypt files that their program failed to decrypt.
This shows that they really care about their “good” reputation. It is the only thing on the basis of which victims are willing to risk paying the ransom before the data is decrypted. Unlike in “legal” business, there is no exchange through a lawyer’s or notary’s escrow. 🙂
Communication And Payment
Few more notes from our experience:
- The communication is in English and via e-mail. The attackers leave a “ransom note” (blackmail letter) in the victim’s network with instructions on how to contact them (the attackers are currently also building self-service “stores”). A note often lists several e-mail addresses, in case one of the mailboxes is blocked (e.g. by the police). The attackers we encountered most often use the protonmail.com and cock.li e-mail servers.
- A ransom is usually requested in Bitcoin. It is their go-to coin because payments are irrevocable, the cryptocurrency is widespread, and it offers “pseudo-anonymity.” However, it is possible that other cryptocurrencies will be preferred for their higher anonymity; for example, the Sodinokibi/REvil ransomware group started to use Monero.
- Ransom negotiation is not always as long as in this case. Sometimes it takes only a few e-mails, especially when the customer is really in a hurry to recover the system and the attackers have “badly” (meaning low) priced the ransom. Personally, however, I would recommend “crying” a little before the ransom is paid, so that the attacker does not get the impression that the victim could pay more and try to increase the price.
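As an added example (not from the article), a small Python triage helper that pulls the contact addresses and the stated BTC demand out of a ransom note, grouping the addresses by provider so an incident responder can see at a glance the fallback mailboxes described above. The note text and the provider list are constructed; the list is seeded with the two providers named in the article.

```python
import re
from collections import defaultdict

# Constructed sample ransom note (not a real one). It mirrors the pattern the
# article describes: several contact addresses on different providers, so that
# one blocked mailbox does not cut off the negotiation.
SAMPLE_NOTE = """\
ALL YOUR FILES HAVE BEEN ENCRYPTED!
To restore your data write to us: recovery-desk@protonmail.com
If you do not get an answer in 24 hours, write to backup-desk@cock.li
or to recovery-desk2@protonmail.com
Price for decryption: 2 BTC. Your ID: EXAMPLE-ID-0001
"""

# Providers the article names as the ones most often encountered.
# Constructed list; extend it from your own case files.
KNOWN_CONTACT_PROVIDERS = {"protonmail.com", "cock.li"}

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@([A-Za-z0-9.-]+\.[A-Za-z]{2,})")
BTC_RE = re.compile(r"(\d+(?:\.\d+)?)\s*BTC", re.IGNORECASE)


def triage_ransom_note(text):
    """Extract reportable indicators from the text of a ransom note.

    Returns the deduplicated contact addresses in order of appearance, the
    addresses grouped by provider domain, a per-domain flag for providers
    seen repeatedly in earlier cases, the BTC demand (None if none is
    stated) and whether the note offers more than one provider as fallback.
    """
    emails, by_domain = [], defaultdict(list)
    for match in EMAIL_RE.finditer(text):
        address = match.group(0).lower()
        if address in emails:
            continue  # same mailbox repeated in the note
        emails.append(address)
        by_domain[match.group(1).lower()].append(address)
    btc = BTC_RE.search(text)
    return {
        "contacts": emails,
        "by_domain": dict(by_domain),
        "known_provider": {d: d in KNOWN_CONTACT_PROVIDERS for d in by_domain},
        "demand_btc": float(btc.group(1)) if btc else None,
        "fallback_mailboxes": len(by_domain) > 1,
    }


if __name__ == "__main__":
    from pprint import pprint
    pprint(triage_ransom_note(SAMPLE_NOTE))
```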
In conclusion, let me remind you of something very important: paying a ransom supports the ransomware “business” and leads to further compromised companies. If it is possible to restore the data from backups, I recommend doing so and not paying the ransom.
If you have noticed any other interesting things in communication, please share more in the comments. I would also appreciate any feedback or ideas. 🙂
If you are interested in the ransomware topic, have a look at my previous articles:
- “How To Restore A Network After A Ransomware Attack” – how to restore a corporate network after a ransomware attack? Where to start? I share the (hard-earned) experience so that you can resume operations as soon as possible.
- “How Hackers Attack Companies Through Their IT Providers” – it doesn’t matter how much you invest in IT security as long as your provider slacks. Beware of hacker attacks through IT providers.
- “Hackers Came Up With a New Trick. They Learned To Improve Their Blackmailing With Ransomware” – not even a good backup resolves the new ransomware scam. Hackers blackmail victims by threatening to disclose their sensitive data if they do not pay up.
- “What Hackers Can Do In Your Network” – companies end up with neither data nor backups after a ransomware attack because they underestimate the hackers’ abilities. Learn what a hacker can do in your network and improve your security.