Ransomware is one of the main cyber threats to Russian companies. Last year alone, according to FACCT, the number of ransomware attacks on businesses grew 2.5-fold. In some cases the ransom demands reached 321 million rubles.
We studied real correspondence with ransomware over the past two years. We looked at how hackers communicate in chats with victims. The most illustrative examples and conclusions are in this article.
View from above
In the fall, about 50 countries led by the United States announced that they would no longer pay ransoms to ransomware operators. The new alliance is called the International Counter Ransomware Initiative. It includes Japan, Canada, France, the UAE, Israel, Lithuania and other countries that suffer from large-scale ransomware attacks on businesses.
The goal of the alliance is to deprive extortionists of billions of dollars in income. The logic is simple: if the criminals have no money, the groups will stop multiplying and developing. That is why the states want to exchange data quickly about the channels and crypto wallets that attackers use in their schemes. By cutting off these arteries, governments plan to prevent new criminal transactions or, at a minimum, interrupt them for a while.
Russia did not join the alliance. But that is beside the point: it is becoming harder for states to solve the problem on their own. Every year there are more ransomware incidents, including in Russia, although little information about actual attacks is available. The victims can be understood: they do not want to risk their reputation and they value the trust of their clients. And the attackers themselves usually do not publish data about an attack if they have already received a ransom or are still negotiating.
An example of a high-profile ransomware attack in Russia is the Miratorg story. In 2022, 15 enterprises of the agricultural holding were hit by ransomware. The attackers used the Win32:Bitlocker/l!rsm malware, which exploits vulnerabilities in Microsoft-based systems. As a result, the company had to suspend the electronic processing of production and transport veterinary documents, which slowed down the shipment and sale of goods.
In 2023, ransomware attacked Russian telecom operators more often. One of them, TransTeleCom, was hit on October 30. Which ransomware strain the criminals used and how the story ended has not been reported anywhere. The company itself later stated that its defenses fend off hundreds of external attacks every day.
Another telecom example is the story of IPilsin, the largest Internet provider in Krasnogorsk, which came under attack on the night of May 2, 2023. Here, too, there is no official confirmation that ransomware was the cause. It took almost a week to eliminate the consequences, and all that time clients had problems with Internet access, including military-industrial enterprises in the Moscow region.
Now let’s look at the correspondence
We studied real dialogues with ransomware operators at ransomch.at. The authors of the project collect the negotiation transcripts with parsers and publish them on the website and on GitHub. Each contact with a group is stored as a JSON file. Typically, the names of the victim companies are not disclosed; in any case, they remain anonymous until the incident is reported by the media or by the attackers themselves.
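To show what can be pulled out of such transcripts, here is an added triage helper. It is not the ransomch.at project's own parser, and the JSON layout it reads (a "chat" list of messages with "party", "timestamp" and "content" keys, the victim side labelled "victim") is an assumption to be checked against a real file from the repository. The embedded transcript is constructed and fictional, not a real Akira chat; it only mimics the shape of the exchanges described in this article.

```python
"""
Triage helper for ransomware negotiation transcripts (added example; not the
ransomch.at project's own parser). It reads one chat as JSON, orders the
messages, pulls out the money figures each side names, and computes the
numbers an incident responder asks for first: who talked how much, how fast
the operators answered, and how the demand moved.
"""
import json
import re
from collections import Counter
from datetime import datetime
from typing import Any, Dict, List, Tuple

# ASSUMED layout of a ransomch.at file: a "chat" list of messages with
# "party", "timestamp" and "content". Check a real file from the repository
# and change these names if its keys differ.
CHAT_KEY, PARTY_KEY, TIME_KEY, TEXT_KEY = "chat", "party", "timestamp", "content"
VICTIM_LABEL = "victim"  # assumed label of the victim side; everyone else is the operator

# Matches "$950,000", "35 BTC", "200k USD", "300,000 USD". A bare number with
# no currency marker is ignored; a k/m suffix only counts when it ends a token.
AMOUNT_RE = re.compile(
    r"(?:(?P<sym>\$)\s*)?(?P<num>\d[\d,]*(?:\.\d+)?)\s*(?P<mult>[kKmM]\b)?"
    r"(?:\s*(?P<cur>BTC|USD|EUR))?"
)
THREAT_WORDS = ("publish", "leak", "sell", "auction", "regulator")

# Constructed, fictional transcript in the assumed layout. Not a real chat.
SAMPLE_CHAT = json.dumps({
    "group": "Akira",
    "chat": [
        {"party": "Akira", "timestamp": "2023-06-01T10:00:00",
         "content": "Hi. This is a support chat. A list of the data we took from "
                    "your network is being prepared. Someone from the company will "
                    "contact you soon."},
        {"party": "victim", "timestamp": "2023-06-01T15:30:00",
         "content": "What do you want from us?"},
        {"party": "Akira", "timestamp": "2023-06-01T16:05:00",
         "content": "Our price is $950,000 or 35 BTC. You get the decryptor, a "
                    "security report and deletion of the data."},
        {"party": "victim", "timestamp": "2023-06-02T09:00:00",
         "content": "We can do 200k USD."},
        {"party": "Akira", "timestamp": "2023-06-02T11:45:00",
         "content": "We can accept 300,000 USD. Otherwise the data will be published."},
    ],
})


def load_chat(text: str) -> List[Dict[str, Any]]:
    """Parse one transcript and return its messages in time order."""
    messages = json.loads(text)[CHAT_KEY]
    return sorted(messages, key=lambda m: datetime.fromisoformat(m[TIME_KEY]))


def extract_amounts(messages: List[Dict[str, Any]]) -> List[Tuple[str, float, str]]:
    """(party, value, currency) for every money figure named in the chat."""
    found = []
    for m in messages:
        for hit in AMOUNT_RE.finditer(m[TEXT_KEY]):
            if not (hit.group("sym") or hit.group("cur")):
                continue  # a bare number, not a price
            value = float(hit.group("num").replace(",", ""))
            value *= {"k": 1_000, "m": 1_000_000}.get((hit.group("mult") or "").lower(), 1)
            found.append((m[PARTY_KEY], value, hit.group("cur") or "USD"))
    return found


def negotiation_stats(messages: List[Dict[str, Any]]) -> Dict[str, Any]:
    """Counts, timing and demand trajectory for one negotiation."""
    times = [datetime.fromisoformat(m[TIME_KEY]) for m in messages]
    is_victim = [m[PARTY_KEY] == VICTIM_LABEL for m in messages]

    # Hours between the victim's first message and the operator's next reply.
    first_reply_hours = None
    if True in is_victim:
        first_victim = is_victim.index(True)
        for i in range(first_victim + 1, len(messages)):
            if not is_victim[i]:
                first_reply_hours = (times[i] - times[first_victim]).total_seconds() / 3600
                break

    operator_usd = [v for p, v, c in extract_amounts(messages)
                    if p != VICTIM_LABEL and c == "USD"]
    threats = sum(1 for m, v in zip(messages, is_victim)
                  if not v and any(w in m[TEXT_KEY].lower() for w in THREAT_WORDS))
    return {
        "messages_by_party": dict(Counter(m[PARTY_KEY] for m in messages)),
        "duration_hours": (times[-1] - times[0]).total_seconds() / 3600,
        "operator_first_reply_hours": first_reply_hours,
        "opening_demand_usd": operator_usd[0] if operator_usd else None,
        "last_operator_figure_usd": operator_usd[-1] if operator_usd else None,
        "operator_threat_messages": threats,
    }


if __name__ == "__main__":
    chat = load_chat(SAMPLE_CHAT)
    for key, value in negotiation_stats(chat).items():
        print(f"{key}: {value}")
    print("amounts:", extract_amounts(chat))
```

Run over a whole directory of files, the same functions give the per-group medians (reply latency, opening demand, how far the figure drops) that the "scripted support desk" impression in the next section is built on; the threat-word list is deliberately short and should be extended from the transcripts you actually read.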
How do they communicate?
In correspondence, the ransomware operators bear little resemblance to criminals. It feels like you are talking to the technical support desk of a provider or vendor. The entire dialogue follows scripts, in a polite and restrained manner.
As the example above shows, Akira representatives speak directly: this is a support chat, a list of the stolen data is being prepared, and someone from the "company" will be in touch soon. Everything is clear, with no attempt to disorient the victim and grab the jackpot quickly.
Based on the correspondence, we see other attributes of a typical IT company: the groups have their own analytics departments, demo versions of decryption programs, and even a service-oriented approach.
Instead of threats, the victim receives a price list of services: full assistance in decrypting files, a report on the vulnerabilities found, and recommendations on how to protect the data from the attackers themselves. Although there are also plenty of promises to "hurt".
What are they threatening?
The prospect of files staying encrypted is scary. But for many victims it is worse if confidential data is published or sold to other attackers: that way you can lose everything, including your reputation and your customers. The criminals know this and use it skillfully in their blackmail.
It is especially dangerous, according to the hackers, if they gain access to personal data. As a Black Basta representative writes, darknet users know how to take advantage of such information.
What is recommended
If the victim makes a deal, the hackers willingly explain exactly how they got into the corporate network. Judging by the cases studied, the entry point is usually phishing (ordinary email campaigns carrying malware) or software vulnerabilities.
From the outside, such reports look like pentest results. However, judging by the Akira and Black Basta correspondence, the text is always the same (scripts again). In it, the attackers also give recommendations for the future, namely:
Train staff as often as possible, since people are the most vulnerable point in the system. Employees should not open suspicious emails or dubious links, or mindlessly download and open third-party files.
Use sandboxes to analyze incoming email.
Use strong, distinct passwords for different applications and change them as often as possible (at least 1-2 times a month).
Enable multi-factor authentication wherever possible.
Create jump hosts for VPN access, with credentials that differ from every other login and password used in the company.
Keep operating systems and software up to date, since older versions often contain vulnerabilities. The hackers specifically recommend keeping the Microsoft Defender antivirus updated.
Implement and carefully configure modern security controls, from firewalls to SIEM systems.
Make backups and, preferably, keep them at a remote site. It is important not to confuse backup with Disaster Recovery (we have met this confusion in practice). A DR site that merely replicates the primary will receive exactly the same encrypted data that the main site holds.
There are also cases where companies have backups and still decide to pay. The reason may be an incorrect backup configuration that would cost them some data on restore. This happened, for example, to Bakker Heftrucks (a forklift dealer).
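To make the backup-versus-replication point concrete, here is an added example of a guard that a replication job can run before it copies a snapshot to the DR site. It is not part of the original article and not any vendor's tool. It samples the files in a snapshot directory and blocks replication when files with a fixed signature (PDF, ZIP, PNG) have lost it, or when text-type files show ciphertext-like entropy. The entropy threshold, the sample size and the demo snapshot it builds are assumptions constructed for the example.

```python
"""
Pre-replication guard for a backup snapshot (added example, not a vendor tool).

Replicating the primary site to a DR site copies whatever is there, including
files a ransomware operator has already encrypted. This guard samples the
snapshot before replication and blocks it when the data no longer looks like
the data you meant to protect.
"""
import math
import random
import tempfile
from collections import Counter
from pathlib import Path
from typing import List, Optional

# Formats with a fixed leading signature: an encrypted copy will not start
# with these bytes. Compressed formats are checked this way, not by entropy,
# because a healthy ZIP or PNG is already close to 8 bits/byte.
MAGIC = {
    ".pdf": b"%PDF-",
    ".zip": b"PK\x03\x04",
    ".docx": b"PK\x03\x04",
    ".xlsx": b"PK\x03\x04",
    ".png": b"\x89PNG\r\n\x1a\n",
}
# Text-like formats: natural text sits around 4-5 bits/byte, ciphertext near 8.
TEXT_TYPES = {".txt", ".csv", ".log", ".sql", ".json", ".xml"}
TEXT_ENTROPY_LIMIT = 6.0   # assumed threshold; tune it on your own data
SAMPLE_BYTES = 4096        # only the head of each file is read


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the buffer (0.0 for empty input, 8.0 for uniform bytes)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def inspect_file(path: Path) -> Optional[str]:
    """Return a finding if the file looks encrypted, otherwise None."""
    ext = path.suffix.lower()
    with path.open("rb") as fh:
        head = fh.read(SAMPLE_BYTES)
    if ext in MAGIC:
        if not head.startswith(MAGIC[ext]):
            return f"{path.name}: missing {MAGIC[ext]!r} signature"
        return None
    if ext in TEXT_TYPES:
        h = shannon_entropy(head)
        if h > TEXT_ENTROPY_LIMIT:
            return f"{path.name}: entropy {h:.2f} bits/byte looks like ciphertext"
    return None  # unknown types are not judged by this guard


def scan_snapshot(root: Path, max_files: int = 10_000) -> List[str]:
    """Inspect up to max_files regular files under root and collect findings."""
    findings = []
    for i, path in enumerate(sorted(p for p in root.rglob("*") if p.is_file())):
        if i >= max_files:
            break
        finding = inspect_file(path)
        if finding:
            findings.append(finding)
    return findings


def replication_allowed(root: Path, tolerated_findings: int = 0) -> bool:
    """The go/no-go decision a replication job should take before it copies."""
    return len(scan_snapshot(root)) <= tolerated_findings


def build_demo_snapshot() -> Path:
    """Constructed sample snapshot: two healthy files, two 'encrypted' in place."""
    root = Path(tempfile.mkdtemp(prefix="snapshot-"))
    (root / "report.pdf").write_bytes(
        b"%PDF-1.7\n" + b"1 0 obj\n<< /Type /Catalog >>\nendobj\n" * 50)
    (root / "customers.csv").write_bytes(
        b"id,name,email\n" + b"1,Alice,alice@example.com\n" * 200)
    # Ransomware overwrites content in place; deterministic pseudo-random
    # bytes stand in for the ciphertext here.
    rng = random.Random(20240101)
    cipher = bytes(rng.randrange(256) for _ in range(8192))
    (root / "invoices.pdf").write_bytes(cipher)
    (root / "orders.csv").write_bytes(cipher)
    return root


if __name__ == "__main__":
    demo = build_demo_snapshot()
    for line in scan_snapshot(demo):
        print("BLOCK:", line)
    print("replication allowed:", replication_allowed(demo))
```

This is a tripwire, not proof of integrity: it catches the common case where an operator has rewritten file contents in place, but it says nothing about deleted files or about a backup whose retention was misconfigured. Pair it with a scheduled restore test of a random sample into an isolated host, which is the check that would have exposed the kind of configuration mistake described above.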
Good advice, but…
In correspondence, the groups call themselves IT corporations and pentesters. But in reality, extortionists are not contractual counterparties, and you should not expect them to honor any guarantees.
Although reputation matters to Akira or Black Basta, nothing prevents them from vanishing from the radar immediately after receiving the ransom, or from handing the stolen data to other groups, for example. Some attackers threaten exactly this in the very first messages of the correspondence.
The most refined trick is when attackers threaten to complain to the regulators that the victim did not report the incident on time or is not complying with other legal requirements. There are such examples too.
In general, transferring money to international criminals is a dubious idea, especially in Russia, and even more so now. On top of the encrypted data and the leak, you add liability under the legislation of the Russian Federation, with fines and other trouble, of course.
That is why the simplest strategy is to reduce the risk of infection in the future. Moreover, the attackers themselves say what needs to be done. And here we agree with the enemy: at the very least, make regular backups and test them. Better still, seek help from professionals. Then the likelihood that you will ever have to talk to extortionists will be noticeably lower.
https://github.com/Casualtek/Ransomchats
