Within the same chat, a (fake) negotiator who was carrying out three different negotiations on behalf of as many victims has broken off communications with the affiliate of the ransomware group. Yesterday Hive decided to make public the name of the third victim as well.
Over these weeks we have tried to describe the real security and privacy risks that can lie behind a negotiation between a victim and an affiliate of a ransomware group, noting that those who claim to be dealing on behalf of the victim are often impostors.
In a chat* (now no longer online) between a negotiator (or presumed negotiator) and an affiliate of the Hive ransomware group, we were able to observe the affiliate's total lack of “professionalism” and how simple it is to pass oneself off as someone else.
* SuspectFile has a copy of the entire chat.
The chat goes on for three months and starts on November 18th, when a Hive affiliate posts the first message
18 November
Hello and welcome to Hive. How may I help you?
09:12
and ends, after several warnings, on February 16, when the affiliate, annoyed by the (fake) negotiator's continual stalling of the negotiations, decides to block the chat permanently
10 February
If you will not reply today I’ll block your account here and will stop negotiations with you
08:25
The third victim, whose name (as we have already written) appeared yesterday for the first time on the Hive ransomware group's blog, is the Mexican Grupo Rotoplas, a multinational founded in 1978 that operates in the field of water treatment.
Grupo Rotoplas comprises 27 companies (10 subsidiaries and 17 branches); according to data provided by Dun & Bradstreet, its 2020 sales volume exceeded 427 million US dollars, and the Mexican multinational employs 2,901 people in total.
Over these three months of messages we were able to observe the total absence of seriousness and “professionalism” on the part of the Hive affiliate and how easy it is for anyone to make others believe they are someone else. For three months the (fake) negotiator made Hive believe that he could negotiate on behalf of three victims of the ransomware group, all within the same chat:
- Centre D’Odontologia Integrada Miret-Puig (initial ransom price requested by Hive: $200,000 in bitcoin). Date of the cyber attack: November 18, 2021; publication date on the Hive blog: January 20, 2022
- ITS InfoCom (initial ransom price requested by Hive: $1.5 million in bitcoin). Date of the cyber attack: January 25, 2022; publication date on the Hive blog: February 24, 2022
- Grupo Rotoplas (initial ransom price requested by Hive: $500,000 in bitcoin). Date of the cyber attack: October 17, 2021; publication date on the Hive blog: March 22, 2022
At the URL below you can download the full text of the entire chat in PDF format; we have partially redacted some data such as e-mail addresses and links.
Update 02.16.2022
After the publication of this article, a legitimate discussion on the credibility of the “negotiator” began on our Twitter channel.
Is the negotiator, it was asked, really who he claims to be, or is he the classic chat “polluter” we have so often seen?
We are not certain of his real identity, but some details lead us to believe he may be genuine.
As we have already written, within the same chat window, which refers to the victim whose name had already been published on the ransomware group's website, the negotiator (or alleged negotiator) tries to negotiate the ransom price of two further victims at the same time.
In the chat we were able to read how the negotiator claims to work for a data recovery company. He explains to the ransomware group that the 3 companies hit by the cyber attack, on whose behalf he is dealing, trust him and his abilities – he claims to have worked in data recovery for over 7 years – and that the company he works for also enjoys the trust of the 3 victims.
The negotiator, in order to be able to discuss the details in a secure manner, asks the ransomware group to provide him with new credentials to access the chat. Shortly thereafter, the new credentials are sent to him by e-mail.
The chat resumes after a few hours with some messages from the negotiator, and this is where he starts referencing the second victim of the cybercriminals.
I need the best price for the case: ************ [CASE SECOND VICTIM: EDITED]
*** [SECOND VICTIM EDITED ACRONYM], please give me the lowest price and I will get them to pay in less than 72 hours
From the case number the ransomware group is unable to trace the name of one of the other two victims, let alone from the acronym provided by the negotiator. At this point the affiliate asks him some questions.
1) What is ************? [CASE SECOND VICTIM: EDITED] Is it a computer name? 2) It seems you are recovery company. Which one? There is no option like to decrypt single machine, all or nothing
The negotiator responds by writing out in clear the name of one of the other two victims:
I need please the minimum price for the decryption of the entire company ********** [NAME OF THE SECOND VICTIM IN CLEAR: EDITED]
They have hired me for the whole process, they trust me and my company and I know that we can reach an agreement, but in reality I need the lowest price so that they can pay.
The negotiator then makes a proposal to the ransomware group regarding the ransom price of the chat victim: he asks whether $40,000, a figure 5 times lower than the amount the group had asked for, would be acceptable.
On the other hand, I want to know if you accept 40,000 for the ************ [NAME IN CLEAR OF THE CHAT VICTIM: EDITED] process
The ransomware group finds the offers too low
As for ********** [NAME IN CLEAR OF SECOND VICTIM: EDITED] the final price is $1,500,000. For this company [VICTIM CHAT] is $180,000
The negotiator asks for 24 hours
Ok, please give me 24 hours to answer. I’m going to meet with the two clients.
The 24 hours have not passed; after just over an hour the negotiator returns to the chat, again writing about the second victim
Friend, I’ve already talked to them and they really don’t have more than 450,000 USD
This company is an IT service company, they cannot pay more money. Please I ask you to check the possibility of making a discount.
If you accept, tell me and I will try to get them to pay in less than 4 or 5 days.
At this point the group wants to know more about the negotiator
Let be clear. I want to know how they rate your services.
The negotiator replies
Hello, sorry, I did not understand. Do you want to know the cost of my intermediation?
Please tell me how much you can lower the price. You know I respect you and your business, I have been doing this for 7 years. I only ask that you check if you can make a better discount so that they can pay
If I understood your question, in most cases I take between 5 and 10% for myself.
The group is unwilling to drop below $1,350,000 for one of the other two companies because they consider it a large company and have over 300 GB of exfiltrated data in hand. At this point the negotiator again asks for 24 hours to deal with the company.
The following day the group asks for news
How is it going?
The negotiator tries to reassure the group, explaining that he is doing everything he can to close the deal and get the victim to pay the ransom.
We are in negotiations, I am doing everything possible to make them pay. I will give you news in less than 24 hours
…
My clients are making the decision and getting the money. Please give me some test files to convince them to do it fast. Test files: https://ufile.io/********
At this point the negotiator publishes the name of the third victim in the chat
On the other hand I have a new client that was encrypted a long time ago but they need to recover some data. Company name: ******** [NAME IN CLEAR OF THE THIRD VICTIM: EDITED] Login (User): *************** [CASE: EDITED]
Please give me the lowest price I can offer them
Upload the test files to a different storage without any kind of authorization
The cybercriminals' response is not long in coming; after a few minutes they post the ransom price
The price for ********** [CLEAR NAME OF THE THIRD VICTIM: EDITED] is $ 500,000.
After some back and forth between the two, the price for this third victim drops to $350,000.
After a few days of total silence on the part of the negotiator, the ransomware group begins to lose patience and writes
I have to know what situation around all three companies
After two days comes the ultimatum
If you will not reply today I’ll block your account here and will stop negotiations with you
…
Next time account suspension will be permanent
On February 12, the negotiator’s apologies arrived
I apologize for the delay in responding
I lost the access credentials and just so far I can access
I’m going to give you updates of everything:
************ [NAME IN CLEAR OF THE CHAT VICTIM: EDITED] is not going to do it, they say they do not have money.
************ [ACRONYM OF THE SECOND VICTIM: EDITED], they are still trying to recover the data from some backup and will take the decision when they see what information is needed. They have a budget but they will not spend it until they finish evaluating.
************ [NAME IN CLEAR OF THE THIRD VICTIM: EDITED], they have a meeting of directors next Tuesday to request the approval of the payment and that they can go forward with the payment
Again I apologize for the delay in responding. I’ll be giving you news
In the last few hours, the ransomware group has returned to ask the negotiator for news.
We are not certain that whoever is dealing with the group of cybercriminals is really a negotiator; certainly some passages and details of the chat (among them the files to be decrypted that the negotiator sent) suggest that he is.
We will continue to follow the case and update it in case of new details.
Victims of ransomware groups: when negotiating a ransom, the negotiator's role is far from marginal ($). According to what a negotiator stated in a chat, commissions for his work vary from 5 to 10% of the final ransom price.
But when a victim's name has not yet been listed on the ransomware groups' sites, what negative repercussions (not only to its image) could it suffer if its name is disclosed by the negotiator himself in the chat opened by the ransomware group?
How serious and reliable can a negotiator be when he negotiates the ransom price of 3 different victims at the same time in the same chat?
What relationship is created, over time, between the negotiator and the ransomware group?
These 3 victims are all from Spanish-speaking countries: Europe (a dental clinic), North America (a company offering water storage, management, purification and treatment services), Central America (a company that designs and supplies integrated information and communication technology solutions).
Let us begin by saying that serious and reliable data recovery companies certainly exist. But in this specific case, are the 3 victims victims twice over?