Double extortion ransomware attacks have reached very high numerical values. One of the key elements, when suffering such an attack, concerns the negotiation that can be initiated (not always!) with the ransomware gang. The analysis, carried out by the SEC4U team, of hundreds of negotiations makes it possible to apply a scientific approach to this fundamental phase.
The database from which we started to carry out this analysis is the Ransomchat project (https://github.com/Casualtek/Ransomchats) by Valéry Marchive, whom we thank. Within the project, 122 ransomware gang chats were collected, listed below (the name of the ransomware gang and the number of chats analyzed for each gang is given):
A quick summary of the macro phases that are present within a ransomware attack:
The objective of our research was to analyze in depth phase 6: “Extortion and Communication,” focusing on the aspects related to negotiation that can occur during this stage.
Negotiation is an interpersonal decision-making process that becomes necessary when it’s not possible to achieve one’s goals unilaterally.
The negotiator is the entity, one for each party, who conducts the negotiation.
Negotiation during a ransomware attack typically takes place in a restricted-access chat.
There are 3 different types of negotiation in the literature:
Let’s now look together at the important elements of the 3 different types of negotiations.
Obviously, we would never go so far as to suggest paying a ransom to a ransomware gang, as this only funds other illicit activities by the ransomware gang itself, but we certainly believe it is critical that any organization have the ability to secure alternative scenarios for handling the attack, because:
Below we specify some assumptions that are good to know when faced with the need to handle ransomware attacks:
There is an Incident Response team within our Security Operations Center that, by virtue of its experience, has decided to point out a list of recommendations of do’s and don’ts during a ransomware-related negotiation activity.
Here are the things we suggest handling during a negotiation:
Instead, here are the things we absolutely recommend you not do during a negotiation!
We will now move on to carefully analyze the results of our analysis, going into detail about the ransom chats analyzed:
To automate our analysis as much as possible we wrote a script in Python that reports in output, for each ransomware gang:
These elements, if carefully analyzed, can allow us to identify the typical tactics used during negotiations and to inspire important ideas to better manage future negotiations.
$ index Victim: -38 #15 $ index Conti: 160 #15 not$ index Victim: -153 #17 not$ index Conti: 290 #17 $ delta: 17 #15 not$ delta: 25 #17
Based on the words used in communications, we drew up 2 lists:
We therefore calculated, for the Threat Actor and for the Victim, an aggressiveness index for the various communications.
The analysis, as is clear from the chart below, led us to understand that the ransomware gang tends to use more aggressive language as the negotiation gets longer and it becomes more difficult to come to an agreement related to ransom.
The analysis, as shown in the graph below, led us to understand that the victim tends to use more aggressive language during negotiations leading to a ransomware-related agreement with the ransomware gang.
Below we provide evidence of the most frequently used words within ransomware chats by ransomware gangs and victims, respectively:
Ransomware gangs’ words:
We detected some repeated phrases, even within different gang ransom chats. This potentially indicates 2 things:
Below we show the most important identical phrases detected:
1) Hello and welcome to Hive. How may I help you? 2) The price is not a subject to discuss. 3) You need pay for decrypt your files. Your price is $xxxxxx. 4) We will also try to find a buyer for your data and access to your network if you refuse to pay. 5) Your offer has been rejected. Make a realistic offer based on our offer. 6) We will send you 30% of the file tree, you will select any 3 pcs of non-sensitive information and we will provide them to you as evidence. 7) Evaluate our steps. You can negotiate with us. But offering funny amounts is not the best way for you. It leads to publication. 8) Make a reasonable offer based on our offer. 9) Well, we are waiting, do not delay, this will entail negative consequences of publication. 10) Then we will not be able to agree. 11) Let's not delay the negotiations. This has a negative effect on the fact of publishing you. Be more active.
We later focused on Threat Actor Conti’s ransom chats, as there is an excellent number of chats from this ransomware gang to analyze, both among those that led to an agreement between the parties and those that did not.
As we can see from the chart below, the moment the negotiation succeeds in achieving its purpose, that is, to initiate a constructive discussion between the parties during which the negotiation steps are many, it is then that agreements can be found that are decidedly different compared to the initial request.
Indeed, in the 13 ransom chats of the Conti ransomware gang that were analyzed, there was an average savings of over $900,000 and an average number of 7 negotiation steps. On average in the negotiations in which the steps were higher (i.e., equal to or above the average) there were the highest discount percentages compared to the initial ransom demand.
Another element we want to show concerns the duration of negotiations. We can see that the Conti and Lockbit groups historically have been the Threat Actors who have undertaken the longest negotiations.
Negotiation is a fundamental activity, which allows you to increase the number of communication steps (and consequently the possibility of obtaining better conditions) with the ransomware gang.