Ransomware Negotiations as JSON Files
Ransomware negotiations, typically conducted behind closed doors, are being made accessible through this GitHub project: https://github.com/Casualtek/Ransomchats
A JSON viewer for the negotiation chats of the project is available here: https://ransomch.at/
Chats are anonymized as long as the victim hasn’t been publicly disclosed, either by the attackers or in the media.
Ransomware negotiations available (as of 2023/08/08) with the following actors:
- Avaddon
- Avos
- Babuk
- BlackMatter
- Conti
- Darkside
- Hive
- REvil
- Ranzy
- lockbit3.0
- mount-locker
What can we learn?
Most of the conversations detail a negotiation process where the cybercriminals demand payment for decryption keys and the deletion of stolen data, while the victim attempts to verify the authenticity of the stolen data and negotiate a lower payment.
The exchanges showcase some common tactics in ransomware negotiations:
- Pressure and Time Constraints: The attackers consistently pressure the victim with deadlines and threats of public exposure.
- Demonstrating Authenticity: The attackers provide links to files to demonstrate they have legitimate access to sensitive information.
- Negotiation Tactics: Both sides are trying to negotiate a suitable price. The attackers initially offer a high amount and then appear willing to negotiate, while the victim (negotiator) attempts to gain time and lowball the offer or create doubt about the authenticity and relevance of the stolen data, while also trying to collect information about the cybercriminal! (/lockbit3.0-lapostemobile_fr is my favorite)
The conversations sometimes even take on a personal tone, with both parties chatting casually; it is really interesting to see.
Threat Hunting
An interesting observation from the negotiation chats concerns the attackers' file-sharing platform preferences: to share data (proof of theft) with the victims, they used the following platforms:
- http://temp.sh
- http://file.io
- http://sendspace.com
- http://anonfiles.com
- http://transfert-my-files.com
- http://tempsend.com
- http://transfer.sh
- http://bashupload.com
- other *.onion sites
Detect data collection and exfiltration on these platforms:
Exfiltration:
HTTP POST requests to:
https://temp.sh/upload
https://file.io/?title=*
https://*.sendspace.com/upload
https://api.anonfiles.com/upload
https://transfert-my-files.com/inc/upload.php
https://tempsend.com/send
transfer.sh
bashupload.com
*.onion/*
(only visible if the victim host requests the site without being connected to the Tor network)
Collection:
HTTP GET requests to:
https://temp.sh/*/*
https://file.io/*
https://www.sendspace.com/file/*
https://anonfiles.com/*/*
https://transfert-my-files.com/files/*
https://tempsend.com/*
https://transfer.sh/*
https://bashupload.com/*
*.onion/*
(only visible if the victim host requests the site without being connected to the Tor network)
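The indicators above turned into a small hunting script over outbound web-proxy logs. This is an added example, not code from the original post or from the Ransomchats project. The URL patterns are the ones listed above; the log format (one request per line: timestamp, source IP, HTTP method, URL, status code) is an assumption made for this example, and the log lines in SAMPLE_PROXY_LOG are constructed, not real traffic. The scheme is ignored on purpose, since the platforms are listed as http:// and the endpoints as https://.

```python
"""Hunt for the file-sharing hosts seen in the Ransomchats negotiations in
outbound web-proxy logs.

Added example, not code from the original post or the Ransomchats project.
The URL patterns are the ones listed in the post. The log format (timestamp,
source IP, HTTP method, URL, status code) and the lines in SAMPLE_PROXY_LOG
are assumptions constructed for this example, not real traffic.
"""
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# (HTTP method or None for any method, URL pattern, label).
# "*" matches any characters; a bare host such as "transfer.sh" matches any path.
RULES = [
    # Uploads: a POST to one of these endpoints from an internal host is data
    # leaving the network towards a throwaway file host.
    ("POST", "https://temp.sh/upload", "exfiltration"),
    ("POST", "https://file.io/?title=*", "exfiltration"),
    ("POST", "https://*.sendspace.com/upload", "exfiltration"),
    ("POST", "https://api.anonfiles.com/upload", "exfiltration"),
    ("POST", "https://transfert-my-files.com/inc/upload.php", "exfiltration"),
    ("POST", "https://tempsend.com/send", "exfiltration"),
    ("POST", "transfer.sh", "exfiltration"),
    ("POST", "bashupload.com", "exfiltration"),
    # Downloads: a GET of a file hosted on one of the platforms (the post's
    # "collection" indicator).
    ("GET", "https://temp.sh/*/*", "collection"),
    ("GET", "https://file.io/*", "collection"),
    ("GET", "https://www.sendspace.com/file/*", "collection"),
    ("GET", "https://anonfiles.com/*/*", "collection"),
    ("GET", "https://transfert-my-files.com/files/*", "collection"),
    ("GET", "https://tempsend.com/*", "collection"),
    ("GET", "https://transfer.sh/*", "collection"),
    ("GET", "https://bashupload.com/*", "collection"),
    # Tor hidden services: only visible in proxy logs when the request is
    # made without going through the Tor network.
    (None, "*.onion/*", "onion"),
]

# Constructed sample proxy log (assumed format), not real traffic.
SAMPLE_PROXY_LOG = """\
2023-08-08T10:12:03Z 10.20.1.15 POST https://temp.sh/upload 200
2023-08-08T10:12:09Z 10.20.1.15 GET https://www.google.com/ 200
2023-08-08T10:14:41Z 10.20.1.15 POST https://api.anonfiles.com/upload 200
2023-08-08T10:20:00Z 10.20.3.7 GET https://www.sendspace.com/file/ab12cd 200
2023-08-08T10:21:17Z 10.20.3.7 GET https://temp.sh/xYz12/finance_export.zip 200
2023-08-08T10:25:55Z 10.20.1.15 POST https://file.io/?title=payroll 200
2023-08-08T10:30:02Z 10.20.5.9 GET http://exampleexampleexample.onion/ 503
2023-08-08T10:31:10Z 10.20.1.15 POST https://transfer.sh/backup.7z 200
2023-08-08T10:32:00Z 10.20.8.2 GET https://file.io/abc123 200
"""


def _glob(pattern: str) -> re.Pattern:
    """Turn a pattern with "*" wildcards into a regex; every other character,
    including "?", is matched literally."""
    return re.compile(re.escape(pattern).replace(r"\*", ".*"))


def _split(url: str):
    """Return (host, path+query). Host and path are matched separately so a
    wildcard in the path can never swallow the host, and vice versa."""
    if "://" not in url:
        url = "https://" + url  # bare host in a rule, e.g. "transfer.sh"
    parts = urlsplit(url)
    path = parts.path
    if parts.query:
        path += "?" + parts.query
    return (parts.hostname or "").lower(), path


# Pre-compile the rules once: (method, host regex, path regex, label).
_COMPILED = []
for _method, _pattern, _label in RULES:
    _host, _path = _split(_pattern)
    _COMPILED.append((_method, _glob(_host), _glob(_path or "*"), _label))


def classify(method: str, url: str):
    """Return the rule label for one request, or None when nothing matches."""
    host, path = _split(url)
    path = path or "/"
    for rule_method, host_re, path_re, label in _COMPILED:
        if rule_method is not None and rule_method != method.upper():
            continue
        if host_re.fullmatch(host) and path_re.fullmatch(path):
            return label
    return None


def parse_line(line: str) -> dict:
    """Parse one line of the assumed log format."""
    ts, src, method, url, status = line.split()
    return {"time": ts, "src": src, "method": method, "url": url, "status": int(status)}


def hunt(log_text: str) -> list:
    """Return (src, method, label, url) for every log line matching a rule."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        label = classify(ev["method"], ev["url"])
        if label is not None:
            hits.append((ev["src"], ev["method"], label, ev["url"]))
    return hits


def summarize(hits) -> dict:
    """Count labels per internal source host: repeated uploads from one host
    in a short window is the pattern to triage first."""
    per_src = defaultdict(Counter)
    for src, _method, label, _url in hits:
        per_src[src][label] += 1
    return {src: dict(counts) for src, counts in per_src.items()}


if __name__ == "__main__":
    for src, method, label, url in hunt(SAMPLE_PROXY_LOG):
        print(f"{label:12} {src:12} {method:4} {url}")
    print(summarize(hunt(SAMPLE_PROXY_LOG)))
```

Two design points worth keeping in any real rule set built from this list: host and path are matched as separate components, so a pattern like https://*.sendspace.com/upload cannot be satisfied by an unrelated host carrying ".sendspace.com/upload" in its path, and "?" in https://file.io/?title=* is matched literally rather than as a wildcard. The endpoints date from the chats the post was written against; re-check them against current traffic before relying on the exact paths.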
Reminder
Ransomware attacks are very common, making up 90% of the incident response cases we receive at my company. While these chats may provide insight into the tactics used by both sides in negotiations, I must remind anyone reading never to pay the ransom (you can gather intel during the negotiation, but never pay).
Paying does not guarantee obtaining a means of decryption, encourages cybercriminals to continue their activities, and thus sustains this criminal ecosystem. Additionally, paying the ransom will not prevent your entity from being targeted again by cybercriminals, and experience shows that obtaining the decryption key does not always allow for the complete restoration of the encrypted files. In particular, files that were being modified by an application at the same time the ransomware encrypted them are highly likely to be corrupted.