After the double extortion strategy of threatening victims by leaking stolen data, ransomware groups have now evolved with yet another step. It’s reported that groups like Ryuk, Maze, and Sekhmet have been calling victims to find out whether they had restored from backups and were trying to avoid paying the ransom.
Cold Calling Victims to Remind Them
Ransomware groups are evolving not only in their tactics for attacking a target, but also in the post-hack process.
This includes persuading the victim to pay the ransom. The Maze ransomware group, now defunct, started the technique of stealing unencrypted sensitive data before encrypting systems.
This gives them the advantage of threatening to leak the stolen data publicly if the victim doesn’t pay up. While individuals may ignore the threat, institutional victims can’t risk having their data leaked because of the damage to their reputation.
Thus, this double-extortion method worked for a while, and was even adopted by many other ransomware groups.
But now, even this seems to be old, since victims are restoring their data from earlier backups and warning their customers about potential cyberattacks, which makes the data leaks useless as leverage. Thus, to keep their operation successful, ransomware groups have come up with a new plan.
Some ransomware operators have been seen hiring a third-party call center to call the victim, remind them of the attack, and press them to pay the ransom. This way, the attackers learn whether the victim has restored encrypted data from backups and is trying to avoid paying the ransom.
This technique has been observed since August this year, reports Evgueni Erchov, Director of IR & Cyber Threat Intelligence at Arete Incident Response. Groups using this method include Conti, Ryuk, Maze, and Sekhmet. While Maze and Sekhmet have since discontinued their operations, the other two continue.
As per Bill Siegel, CEO of Coveware: “We think it’s the same outsourced call center group that is working for all the [ransomware gangs] as the templates and scripts are basically the same across the variants.” A redacted transcript provided to ZDNet as an example read as follows:
“We are aware of a 3rd party IT company working on your network. We continue to monitor and know that you are installing SentinelOne antivirus on all your computers. But you should know that it will not help.”
Further: “If you want to stop wasting your time and recover your data this week, we recommend that you discuss this situation with us in the chat or the problems with your network will never end.”
This shows how actively ransomware groups are trying to improve their success rate with multiple post-hack methods.