Update 3.23.2022: What real risks are there for a victim of a ransomware attack when negotiating a ransom?

Update 3.23.2022: What real risks are there for a victim of a ransomware attack when negotiating a ransom? 1

Within the same chat, a (fake) negotiator carrying out three different negotiations on behalf of as many victims, interrupts communications with the affiliate of the ransomware group. Yesterday Hive decides to make public the name of the third victim as well.

During these weeks we wanted to describe what real risks can be hidden, in terms of security and privacy, behind a negotiation between a victim and an affiliate of a ransomware group, noting that, often, those who claim to deal on behalf of the victim are often an impostor.

In a chat, * now no longer online, between a negotiator (or presumed one) and an affiliate of the Hive ransomware group, we were able to detect the total lack of “professionalism” on the part of the affiliate and how simple it is to pretend to be another person .

* SuspectFile has a copy of the entire chat.

The chat goes on for three months and starts on November 18th, when a Hive affiliate posts the first message

18 November
Hello and welcome to Hive. How may I help you?
09:12

and ends, after several warnings, on February 16 when the affiliate, annoyed by the continuous slowdowns in negotiations by the (fake) negotiator, decides to permanently block the chat

10 February
If you will not reply today I’ll block your account here and will stop negotiations with you
08:25

The name of the third victim, as we have already written, appeared yesterday for the first time on the blog of the ransomware group Hive and is the Mexican Grupo Rotoplas, a multinational founded in 1978 and which operates in the field of water treatment.
Grupo Rotoplas includes 27 companies (10 subsidiaries and 17 branches), according to data provided by Dun & Bradstreet, in 2020 the sales volume amounted to over 427 million US dollars. Overall, the people employed at the Mexican multinational are 2901.

In these three months of published messages we have been able to observe the total absence of seriousness and “professionalism” on the part of the Hive affiliate and how easy it is for anyone to make believe that they are another person. The (fake) negotiator for three months made Hive believe that he could negotiate on behalf of three victims of the ransomware group, all by doing it within the same chat:

  • Center D’Odontologia Integrada Miret-Puig (initial price of the ransom requested by Hive $ 200,000 in bitcoin). Cyber โ€‹โ€‹attack date November 18, 2021, publication date on the Hive blog January 20, 2022
  • ITS InfoCom (initial price of the ransom requested by Hive $ 1.5 million in bitcoins). Date of the cyber attack 25 January 2022, publication date on the Hive blog February 24, 2022
  • Grupo Rotoplas (initial price of the ransom requested by Hive $ 500,000 in bitcoin). Date of the cyber attack 17 October 2021, publication date on the Hive blog 22 March 2022

At the URL below you can download the full text of the entire chat in PDF format, we have partially obscured some data such as e-mails and links.

 



Update 02.16.2022

After the publication of this article, a legitimate discussion on the credibility of the “negotiator” began on our Twitter channel.

The negotiator, it was asked, is he really who he claims to be, or is he the classic chat “polluter” as we have often seen?

We are not sure about his real identity, but there are some details that make us believe he may be.

As we have already written, within the same chat window that refers to the victim whose name had already been published on the website of the ransomwarea group, the negotiator (or the alleged one) tries to simultaneously negotiate the price of the ransom of further two victims.

In the chat we were able to read how the negotiator claims to work for a data recovery company. He explains to the ransomware group that the 3 companies that are victims of the cyber attack, on behalf of which he is dealing, trust him and his abilities – he claims to have worked in data recovery for over 7 years – and that also the company for which works nourishes the trust of the 3 victims.

The negotiator, in order to be able to discuss the details in a secure manner, asks the ransomware group to provide him with new credentials to access the chat. Shortly thereafter, the new credentials are sent to him by e-mail.

The chat resumes after a few hours with some messages from the negotiator, and this is where he starts referencing the second victim of the cybercriminals.

I need the best price for the case: ************ [CASE SECOND VICTIM: EDITED]

*** [SECOND VICTIM EDITED ACRONYM], please give me the lowest price and I will get them to pay in less than 72 hours

Through the case number, the ransomware group is unable to trace the name of one of the other two victims, let alone with the acronym provided by the negotiator. At this point he asks him some questions.

1) What is ************? [CASE SECOND VICTIM: EDITED] Is ita computer name? 2) It seems you are recovery company. Which one? There is no option like to decrypt single machine, all or nothing

 

The negotiator responds by writing plainly the name of one of the other two victims

 

I need please the minimum price for the decryption of the entire company ********** [NAME OF THE SECOND VICTIM IN CLEAR: EDITED]

They have hired me for the whole process, they trust me and my company and I know that we can reach an agreement, but in reality I need the lowest price so that they can pay.

The negotiator makes a proposal to the ransomware group regarding the ransom price of the chat victim. He asks if $ 40,000, a figure 5 times lower than what he asked for, would suit him.

On the other hand, I want to know if you accept 40,000 for the ************ [NAME IN THE LIGHT OF THE VICTIM CHAT: EDITED] process

The ransomware group finds the offers too low

As for ********** [NAME IN CLEAR OF SECOND VICTIM: EDITED] the final price is $ 1,500,000. For this company [VICTIM CHAT] is $ `180,000

The negotiator takes 24 hours

Ok, please give me 24 hours yo answer. I’m going to meet with the two clients.

The 24 hours have not passed and after just over an hour the negotiator returns to the chat again writing about the second victim

Friend, I’ve already talked to them and they really don’t have more than 450,000 USD
This company is an IT service company, they cannot pay more money.

Please I ask you to check the possibility of making a discount.

If you accept, tell me and I will try to get them to pay in less than 4 or 5 days.

at this point the group wants to know more about the negotiator

Let be clear. I want to know how they rate your services.

replies the negotiator

Hello, sorry, I did not understand. Do you want to know the cost of my intermediation?

Please tell me how much you can lower the price. You know I respect you and your business, I have been doing this for 7 years. I only ask that you check if you can make a better discount so that they can pay

If I understood your question, in most cases I take between 5 and 10% for myself.

The group is unwilling to drop below the $ 1,350,000 price tag for one of the other two companies because they believe it is a large company and have over 300GB of exfiltrated data available. At this point the negotiator still asks for 24 hours to deal with the company.

The following day the group asks for news

How is it going?

The negotiator wants to reassure the group by explaining that he is doing everything to be able to close the deal and make the victim pay the ransom.

We are in negotiations, I am doing everything possible to make them pay. I will give you news in less than 24 hours

My clients are making the decision and getting the money. Please give me some test files to convince them to do it fast. Test files: https://ufile.io/********

At this point the negotiator publishes the name of the third victim in the chat

On the other hand I have a new client that was encrypted a long time ago but they need to recover some data. Company name: ******** [NAME IN CLEAR OF THE THIRD VICTIM: EDITED] Login (User): *************** [CASE: EDITED]

Please give me the lowest price I can offer them

Upload the test files to a different storage without any kind of autorization

The response of the cybercriminals is not long in coming, after a few minutes they publish the price of the ransom

The price for ********** [CLEAR NAME OF THE THIRD VICTIM: EDITED] is $ 500,000.

after some negotiations between the two, the price of this third victim drops to $ 350,000
After a few days of total silence on the part of the negotiator, the ransomware group begins to lose patience and writes

I have to know what situation around all three companies

after two days the ultimatum

If you will not reply today I’ll block your account here and will stop negotiations with you

Next time account suspension will be permanent

On February 12, the negotiator’s apologies arrived

I apologize for the delay in responding

I lost the access credentials and just so far I can access

I’m going to give you updates of everything:

************ [EDITED VICTIM CHAT NAME IN CLEAR] is not going to do it, they say they do not have money.

************ [EDITED SECOND VICTIM ACRONYM], they are still trying to recover the data from some backup and will take the decision when they see what information is needed. They have a budget but they will not spend it until they finish evaluating.

************ [NAME IN CLEAR OF THE THIRD VICTIM EDITED], they have meeting of directors next Tuesday to request the approval of the payment and that they can go forward with the payment

Again I apologize for the delay in responding. I’ll be giving you news
In the last few hours, the ransomware group has returned to ask the negotiator for news.

We are not sure that whoever is dealing with the group of cybercriminals is really a negotiator, certainly some passages and details of the chat (among these the files to be decrypted sent by the negotiator) suggest that it is.

We will continue to follow the case and update it in case of new details.



Victims of ransomware groups: the role of the negotiator is not marginal ($) when negotiating a ransom. According to a chat from a negotiator, the commissions on one’s work vary from 5 to 10% on the final price of the ransom.

But when a victim’s name has not yet been listed on the sites of ransomware groups, what negative repercussions (not just image) could they have if their name is made public by the negotiator in the chat opened by the ransomware group?

How serious and reliable can a negotiator have when he negotiates the ransom price of 3 different victims at the same time in the same chat?

What relationship is created, over time, between the negotiator and the ransomware group?

These 3 victims are all native speakers of Spanish: Europe (dental clinic), North America (company that offers services for the storage, management, purification and treatment of water), Central America (company that designs and supplies integrated solutions of information and communication technology).

Let’s start by saying that there are certainly serious and reliable data recovery companies. But in this specific case, the 3 victims, are they victims twice?