After announcing their support of the Russian invasion of Ukraine, Conti was the subject of their own breach and data leak. A Ukrainian security researcher obtained and leaked moths worth of internal chat logs as well as source code for the group’s ransomware tools. Analysist have been pouring over the internal chat logs and are still uncovering nuggets about the group. Meanwhile Cisco Talos combined this and other intelligence with chat logs between Hive and Conti to get a good understanding of their methods and actions when it comes to victims of each group’s efforts. To say that the report on this is interesting would be an understatement. It shows similar basic tactics, but very different interactions with the victims once their systems are encrypted.
Communications related to Conti seem to be much more professional and even empathic as they will have open discussions about not only the initial impact of the data loss but will talk about the potential for reputational losses and future financial impact. They go into detail about the potential for employee and client harm if data is leaked to the dark web in the form of identity theft. All these items are covered in security education training and are often brought up during security roadmap discussions and security sales calls happen. It is an effective way of highlighting new risks and the results of not being able to prevent the initial infection. The overall effect is one of, hey this is a business transaction that you could have avoided so let’s get this over without further harm to you or your employees/clients.
Conti does have their professional limits though and the chats reviewed show that they can become frustrated with a victim’s slow responses of unwillingness to pay. Oddly, when questioned about the chances of not delivering the encryption keys after payment, Conti operators appear to become offended. Going back to our earlier statement they once again make it clear that the transaction is a business one and even use the term “customers” and “contract obligations” when talking about victims of their ransomware. As noted in this rather telling statement identified in the Talos report:
“The chances that Hell will freeze are higher than us misleading our customers. We are the most elite group in this market, and our reputation is the absolute foundation of our business and we will never breach our contract obligations”
This is a business to Conti and like their communication to their “customers” around reputation they have a stake in ensuring they are trusted to do their part. They have gone to great lengths to show they are not operating a scorched earth style business but are reputable and can be trusted to not only provide a proper decryption key, but also that they will delete all exfiltrated data. They have been observed to allow victims to download logs proving deletion and have even demonstrated their ability to decrypt files by decrypting sample files for a victim.
To further illustrate that Conti is a business and profit focused, they will often negotiate for lower ransom amounts and offer special time limited discounts (like a car dealer). These discounts have ranged anywhere from 10% to a whopping 98% off the original ransom demands. They also have been observed to be flexible on the deadlines if they feel they are negotiating in good faith with the “customer”. In the end, they want some payment rather than none.
In another odd twist for Conti, they also seem to operate under the “leave things better than you found them” principal. They take the effort to explain why they were able to get into the victim’s environment and how the victim can prevent another attack like this. Like we said before, the Cisco Talos report was interesting to say the least.
The Hive group takes a much more direct and demanding route. Their messages are short and to the point. No helpful information, not attempt at emotional rapport, and no professional language. The messages are clear, here is the ransom, pay by the deadline or we raise it to a much higher amount. Once the communication starts, they seem to mellow a bit and will reduce the ransom amount when asked. If they will also abruptly raise it if they feel the victim is taking too long to respond.
Unlike Conti, Hive seems much less disciplined and organized (although no less dangerous) as the chats show a lack of operational security in more than one instance. The chats show that Hive operators going into detail about the ransomware payload, how it functions and even giving the hash of the variant used on the target organization (no talk of customers here). Although it is still clear they operate as a business they are a bit more emotional and undisciplined when communicating with their targets. It is important to note that Talos indicates that the chat logs are from before a recent update to the Hive ransomware payload so there may have been internal changes in communication as well.
Both Hive and Conti do research on the targeted organization as the ransom demands tend to be 1% of the company’s annual revenue. They are both opportunistic in their attacks looking to find the easiest method for access (including potentially using initial access brokers). They rely on exiting vulnerabilities and built-in tools like RDP and PowerShell. They are sophisticated enough to mutate their payload so that simple hash comparisons will not be effective. This means they can get around most signature based anti-malware. For more modern statistics/math based anti-malware (AI) they still look for vulnerabilities or bank on the fact that they are not properly/fully configured.
To counter groups like Conti and Hive the recommendations are pretty much the same as always. Have a good vulnerability scanning and patch management program. Set up proper email filters, URL scanning, identity protection (account protection including MFA), and invest in modern anti-malware services instead of older legacy ones. Further steps include detecting and removing services that are not needed or that are vulnerable to attack (like RDP) set up firewall rules at the endpoint and organizational level that block unneeded or unused ports. Lastly, work on building aa security first culture so that employees are aware of how ransomware groups operate so they are less likely to click on that phishing email when it shows up. Ransomware groups are dangerous and should always be taken seriously, but with the right preventative/proactive steps you can significantly reduce the risk of becoming the victim of one.