Yet another ransom paid to a ransomware group, perhaps in the hope of getting files back. A decision to give in to extortion that always leaves us perplexed.
A ransom in bitcoins paid by a debt collection company headquartered in Bauru, Brazil, to the Hive cybercriminal group. The company has three other operating offices in Brazil, in Marília, Agudos and Ribeirão Preto.
The initial ransom demand was $700,000; the amount negotiated and agreed on November 17 was $500,000 (about 30 bitcoins), paid to a BTC wallet. According to the research we conducted, the wallet was opened on the same day with about 5 bitcoins (around 80,000 dollars); at the time of writing the wallet appears to be active but empty.
From the wallet holding the ransom paid by the debt collection company (30.30 bitcoins), Hive then moved the funds to two wallets: 6.05994360 bitcoins (about 20% of the total) went to the first, while 24.24 bitcoins (about 80%), the largest part of the ransom, were deposited into the second.
SuspectFile followed the entire negotiation between the victim and the ransomware group, a negotiation that can be described as unusual for its short duration. The first message posted by the ransomware group in its chat is dated November 5; a second message with the ransom amount was posted by Hive a day later.
Hive: Hello [EDIT from SuspectFile]
The ransom payment demand starts at 700,000 USD paid in bitcoins.
If the payment is made:
- Fast decryption of all of your data will be provided
- Exfiltrated data will be purged along with any data relating to your clients
However, if you don't, this is what happens:
- The ransom payment will increase
- Your data will be placed on auction to be sold to the highest bidder
- The rest of your data will be disclosed to the public
- All client related data will be sent directly to your clients
For eleven days the victim kept silent, but on November 17 they posted their first messages, saying they wanted to discuss payment and proposing to Hive an agreement for the sum of 50,000 dollars, an offer the cybercriminals rejected.
Victim: I would like to talk about payment.
We are a small Brazilian company, we don't have as much money as US companies.
We are willing to negotiate, can you come up with a value of 50K USD for payment today?
What can we do to solve / pay everything in the next few minutes?
Could you please send me all the procedure to do the payment?
Hive: Hello, 50K is out of the question and not even close to our demand.
Our initial demand is 700K. If you are serious, make us a real offer; once we have agreed on the price we will send you the payment procedure.
Surprisingly, after only nine minutes the victim responded with these words:
Victim: Hello, I received payment authorization for 500K USD today.
We have a deal.
What's the next step, sir?
A figure ten times higher than what they had initially been willing to pay.
Hive: We will send you a BTC address.
Once payment is received, you will be able to download the decryption tools and procedures.
The victim asks questions and seeks reassurance from Hive, and informs the cybercriminals that they will not report the incident to law enforcement. Hive reassures the collection company that the negotiation and payment will remain secret.
Victim: After payment, I need some help to understand:
1 – How did you explore our environment?
2 – Make sure to remove encryption.
3 – Anonymity – That all our information will be excluded from your base, and that you do not talk about our payment.
On our side, we will not file formal complaints with law enforcement.
Hive: Our intention is not to damage you completely. After payment is made, you will have complete anonymity about the payment. Also, we can provide how we accessed your network once the amount is secured; send us here
Victim: 1 – you have my word of payment.
2 – Let’s transfer the amount of 500K USD to the bitcoin wallet
3 – We will transfer from the bitcoin wallet to your address
Hive: yes, once you have the funds in the wallet let us know
Victim: Could you please confirm the value? 30.19 BTC?
I don't want to make mistakes.
I have to pay you 30.19 BTC, right?
Hive: yes correct
After making the payment, the victim asked Hive which weakness it had exploited to break into the corporate network. It would be six days before the ransomware group reopened the chat and gave the victim an answer.
Hive: For the access, we accessed your network through a vulnerable public-facing RDP.
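Hive's answer points at the most common entry point in cases like this: a Remote Desktop service reachable from the internet. The following is an added example, not part of the SuspectFile article and not anything recovered from the victim's environment; it shows the kind of audit a defender would run over firewall or cloud security-group rules to find any rule that exposes RDP (TCP or UDP 3389) to the whole internet, including rules whose port range merely happens to cover 3389. The `Rule` structure and the sample rule set are constructed for illustration and are assumptions of this example.

```python
"""
Audit firewall / security-group rules for internet-exposed RDP.

Added example, not code from the SuspectFile article or from the
victim's environment. The Rule layout and SAMPLE_RULES are constructed
for illustration; real exports (cloud security groups, firewall configs)
would first be mapped onto this shape.
"""
import ipaddress
from dataclasses import dataclass

RDP_PORT = 3389


@dataclass(frozen=True)
class Rule:
    name: str
    proto: str        # "tcp", "udp" or "any" (constructed convention)
    port_from: int    # inclusive start of the allowed port range
    port_to: int      # inclusive end of the allowed port range
    source: str       # source CIDR the rule accepts traffic from


def source_is_internet(cidr: str) -> bool:
    """True if the source CIDR reaches beyond private address space.

    0.0.0.0/0 and ::/0 are handled explicitly (prefix length 0) rather
    than through is_private, whose result for those networks has varied
    across Python versions.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    if net.prefixlen == 0:
        return True
    return not (net.is_private or net.is_loopback)


def rule_exposes_rdp(rule: Rule) -> bool:
    """A rule exposes RDP if it admits 3389 (TCP or UDP: RDP 8+ also uses
    UDP 3389) from an internet-reachable source."""
    if rule.proto not in ("tcp", "udp", "any"):
        return False
    if not (rule.port_from <= RDP_PORT <= rule.port_to):
        return False
    return source_is_internet(rule.source)


def audit(rules):
    """Return the names of rules that expose RDP, in input order."""
    return [r.name for r in rules if rule_exposes_rdp(r)]


# Constructed sample rule set: a mix of safe and unsafe entries.
SAMPLE_RULES = [
    Rule("allow-rdp-anywhere", "tcp", 3389, 3389, "0.0.0.0/0"),
    Rule("allow-rdp-vpn-only", "tcp", 3389, 3389, "10.20.0.0/16"),
    Rule("allow-all-ports-anywhere", "tcp", 1, 65535, "0.0.0.0/0"),
    Rule("allow-rdp-v6-anywhere", "tcp", 3389, 3389, "::/0"),
    Rule("allow-udp-rdp-anywhere", "udp", 3389, 3389, "0.0.0.0/0"),
    Rule("allow-rdp-branch-lan", "tcp", 3389, 3389, "192.168.1.0/24"),
    Rule("allow-https-anywhere", "tcp", 443, 443, "0.0.0.0/0"),
]


if __name__ == "__main__":
    for name in audit(SAMPLE_RULES):
        print(f"EXPOSED RDP: {name}")
```

The audit deliberately treats a broad port range from an any-source rule as an RDP exposure too, since "allow 1-65535 from 0.0.0.0/0" is how RDP often ends up public without any rule mentioning 3389 by name. Flagged rules should be replaced by access through a VPN or a bastion host, and the remaining RDP listeners should require network level authentication and multi-factor authentication.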
SuspectFile contacted the Brazilian debt collection company in recent days to request a statement before this article was published; to date we have received no response.