[BreachExchange] Ransomware Groups Are Calling Victims to Remind Them For Paying Ransom

Destry Winant destry at riskbasedsecurity.com
Mon Dec 7 10:21:11 EST 2020


https://techdator.net/ransomware-groups-are-calling-victims-to-remind-them-for-paying-ransom/

After the double extortion strategy of threatening to leak stolen
data, ransomware groups have added yet another step. Groups including
Conti, Ryuk, Maze, and Sekhmet have reportedly been calling victims to
find out whether they are restoring from backups in order to avoid
paying the ransom, and to pressure them into paying.

Cold Calling Victims to Remind Them

Ransomware groups are evolving not only in how they attack a target,
but also in the post-compromise process.

This includes persuading the victim to pay the ransom. The Maze
ransomware group, now defunct, pioneered the technique of stealing
unencrypted sensitive data before encrypting systems.

This gives the attackers the added leverage of threatening to publish
the stolen data if the victim does not pay. Individuals may be willing
to ignore such a threat, but institutional victims often cannot risk a
public leak because of the reputational damage.

This double-extortion method therefore worked for a while, and it was
adopted by many other ransomware groups.

But even this is starting to lose its effect, since victims are
restoring their encrypted data from earlier backups and proactively
warning customers about the breach, which blunts the impact of a data
leak. To keep their operations profitable, ransomware groups have
therefore come up with a new approach.

Some ransomware operators have been observed hiring a third-party call
center to phone the victim, remind them of the attack, and press them
to pay the ransom. The calls also let the operators learn whether the
victim has restored encrypted data from backups and is trying to avoid
paying.

This technique has been observed since August of this year, according
to Evgueni Erchov, Director of IR & Cyber Threat Intelligence at Arete
Incident Response. The groups using it include Conti, Ryuk, Maze, and
Sekhmet. Maze and Sekhmet have since discontinued their operations,
while the other two continue.

According to Bill Siegel, CEO of Coveware, “We think it’s the same
outsourced call center group that is working for all the [ransomware
gangs] as the templates and scripts are basically the same across the
variants.” A redacted transcript provided to ZDNet as an example reads
as follows:

“We are aware of a 3rd party IT company working on your network. We
continue to monitor and know that you are installing SentinelOne
antivirus on all your computers. But you should know that it will not
help.”

The caller continued: “If you want to stop wasting your time and
recover your data this week, we recommend that you discuss this
situation with us in the chat or the problems with your network will
never end.”

This shows how far ransomware groups are going to raise their success
rate with multiple post-compromise pressure tactics.


More information about the BreachExchange mailing list