We all know the script – Jeff takes a soft approach to getting the suspect to spill the beans, while Mutt rolls up his sleeves and threatens to beat it out of him. Research by Cisco Talos has revealed some striking parallels between the classic detective drama trope and the real-life negotiation tactics of two notorious ransomware groups.
More than 40 conversations between the ransom gangs and their respective victims were monitored over four months, to reveal strikingly different ways of communicating.
Conti, aka “Jeff the good cop,” employed soothing tactics, using a veneer of professionalism and courtesy to reassure targets prior to extorting them. “Fortunately, Conti is here to prevent any further damage!” one gang member announced, after notifying a victim that its defenses had been breached and its data stolen.
“IT support” in the form of a “decryption tool” and a vaguely worded “security report” was then offered, furthering the illusion that the ransomware group was just another cybersecurity outfit, happy to offer its services for a reasonable fee.
Hive, aka “Mutt the bad cop,” was far more blunt in its approach. “Hello,” it greeted one victim. “The ransom payment demand starts at $2 million in Bitcoin [...] You have a week to make an agreement with us until the price goes up to $10 million.”
Busting the ‘good cop’ myth
However, the Cisco report stressed that both gangs are using intimidation tactics: only in Conti’s case these appear to be somewhat more subtle.
“Hive almost never employs any of the persuasion strategies we observed with Conti, such as marketing ploys, fear, or coercion,” said Cisco. “In many instances, Conti operators remind victims about the consequences of having data leaked, including such information being sold on the dark web to cybercriminals who will leverage the data in their own operations, including social engineering attacks.”
In further evidence that Jeff isn’t such a nice guy after all, Cisco said Conti members would then threaten to notify a victim’s “customers, vendors, employees and investors” of a breach, but quickly adding “they can resolve these problems immediately upon payment.”
Hive, by contrast, rarely bothered with phony charm offensives or implicit threats, preferring instead to have Mutt roll up those sleeves and give recalcitrant victims a good sound thrashing if they refused to comply.
“We observed Hive quickly become more aggressive if the victim failed to respond to the ransomware operator’s initial greeting,” said Cisco. “In one case, Hive declared that their patience was gone and threatened to send a copy of the victim’s data to the Securities and Futures Commission (SFC), a Hong Kong regulatory agency. The operator even provided individual email addresses of SFC members he planned to send the data to.”
We’re reasonable people…
One thing both gangs shared in common was their willingness to bargain on ransom demands. Once again, Conti was quick to couch this street-level haggling in superficially corporate terms.
“Conti employed marketing techniques to convince victims to pay, including offering Christmas and holiday discounts and other price reductions intended to make the victim feel like they are getting a good deal,” said Cisco. “Many of these deals are incentivized by quick payments, with Conti offering in one instance that the victim can receive a ‘special discount’ if ‘we make a deal in the next 72 hours.’”
Hive set its benchmark for ransom payouts at roughly 1% of a target organization’s annual revenue, but often came down on the final asking price as well – to anywhere between one-tenth and two-thirds less than the original sum demanded.
“Much like Conti, Hive appears very willing to lower their ransom demand, indicating their initial figure is rarely their bottom offer,” noted the report. “The deduction percentage varied widely across victims and did not appear to follow any particular rule or structure. Changes to the ransom demand were usually made rather easily, with little to no hesitation.”
Cisco said such findings suggested that – whether disguised as softly-spoken Jeff or Mutt the bully-boy – both ransomware outfits are crewed by cunning criminals who will do anything to ensure they get their illicit payoff in the end.
“These operators are highly opportunistic and will make compromises during their operations to compel victims to pay,” said Cisco, noting that in the case of one Hive negotiation this even extended to paying a middleman a 10% commission for helping to facilitate a ransom payout.
It added: “These conversations reveal that, like many cybercriminals, Conti and Hive likely seek to compromise victims through the easiest and fastest means possible, which often include exploiting known vulnerabilities. This is a reminder to all organizations to implement strong patch-management and keep all systems up to date.”
Unless they wish to find themselves in a windowless room with Mutt and Jeff, so to speak, businesses are well advised to take note of this advice.
More from Cybernews:
Subscribe to our newsletter