Interesting Ransomware Negotiation Chats

I heard about this through a YouTube video... basically you can read the chats between the people trying to get their files decrypted and the criminals.

Some of them are serious, some of them are hilarious, some of them are sad... but in many of them, the "customers" actually receive "good" customer service from the criminals and the "customers" even thank them for being so professional.

What a weird world we are in. But if you're bored and want to read some, here you go:

https://www.ransomware.live/nego

And yes, I think in some of these chats the "customers" actually are treated with more respect than you get when you deal with real big corporations over live chat. Sad!
 
We had our cyber security law firm handle all our negotiations, but they told us the threat actors will normally be decently nice and bargain. They're only worried about money, so they know that if they put the asking price too high (it's usually 10% of yearly revenue) or act like complete d-bags, then the bargaining gets stretched out and lowers the probability that the affected firm is willing to pay.
 
I don't even want to click on that!

All I know is, in every group, in person (last night at a meeting), etc., someone has been hacked. Wow, are China, Russia and Iran pouring water on the lithium or what???
 
It happens all the time; most only know about the small fraction of times that it does. Companies don't advertise it.
My wife's industry, well, it's not as simple as it sounds when backups and stuff like that are mentioned.
I am talking companies' (some BIG) systems being shut down, unable to do business until the hackers unlock their system.
Sure you can hold out, then what? Turn over all your business and orders to another company. It's really rough and a fine line whether you pay or not. I never heard of someone paying and then the hackers not upholding their end of the bargain, though I am sure it must happen.

It's also not easy, let's say, when some say don't open files. Sometimes e-mails get spoofed; other times there are hacks into the cloud systems and files being accessed. My wife's company's tech team is pretty good and on top of it, has not been hacked but has caught many incursions; companies she deals with, not so lucky, everyone here would know one of the names. Many industries' business involves intense transfer of graphics files; again, it's a fine line.
 
Backups are the key.

Absolutely, on-prem and online backups are key (3-2-1 method), but on-prem backups can also be hit. The one that got us went straight to ESXi and double-encrypted the drives and datastores. Luckily our online backups saved us. Unfortunately most companies don't want to spend the money for any kind of cloud backup until it's too late, which results in the company licking their wounds and paying a cyber security firm a monthly stipend for monitoring.
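As an added example (not code from the thread or from any poster): a small Python checker that scores a backup inventory against the 3-2-1 rule and adds the check this post motivates, that at least one copy is out of reach of whoever holds the ESXi/on-prem admin credentials. The inventories, field names and the two constructed scenarios are assumptions, not anything the poster described in detail.

```python
"""3-2-1 backup inventory check plus an 'out of reach of the hypervisor' test.

Added example, not from the thread. Inventory entries and field names
are constructed assumptions for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class BackupCopy:
    name: str
    media: str                 # "disk", "tape", "object-storage", ...
    offsite: bool              # stored outside the primary site
    writable_from_prod: bool   # reachable with hypervisor/domain admin credentials
    immutable: bool            # object-lock / WORM / retention lock


def evaluate_3_2_1(copies):
    """Score an inventory (the primary data counts as one of the copies).

    Beyond the textbook 3 copies / 2 media / 1 offsite, 'survives_onprem_compromise'
    requires at least one offsite copy that an attacker holding production
    credentials cannot overwrite: either immutable or not writable from prod.
    """
    media_types = {c.media for c in copies}
    checks = {
        "three_copies": len(copies) >= 3,
        "two_media": len(media_types) >= 2,
        "one_offsite": any(c.offsite for c in copies),
        "survives_onprem_compromise": any(
            c.offsite and (c.immutable or not c.writable_from_prod) for c in copies
        ),
    }
    checks["compliant"] = all(checks.values())
    return checks


def weak_copies(copies):
    """Names of copies an on-prem compromise could encrypt along with the datastores."""
    return [c.name for c in copies if c.writable_from_prod and not c.immutable]


# Constructed inventory 1: everything sits on one site and is writable by the
# same admin accounts that manage ESXi, the situation the post describes.
ONPREM_ONLY = (
    BackupCopy("esxi-datastores", "disk", offsite=False, writable_from_prod=True, immutable=False),
    BackupCopy("nas-nightly", "disk", offsite=False, writable_from_prod=True, immutable=False),
    BackupCopy("tape-weekly", "tape", offsite=False, writable_from_prod=True, immutable=False),
)

# Constructed inventory 2: the same, plus an offsite object-storage copy with a
# retention lock, written by a dedicated backup account rather than the hypervisor admins.
WITH_OFFSITE_IMMUTABLE = ONPREM_ONLY + (
    BackupCopy("cloud-objectlock", "object-storage", offsite=True, writable_from_prod=False, immutable=True),
)

if __name__ == "__main__":
    for label, inv in (("on-prem only", ONPREM_ONLY), ("with offsite immutable", WITH_OFFSITE_IMMUTABLE)):
        print(label, evaluate_3_2_1(inv), "weak:", weak_copies(inv))
```

The first inventory passes the "3 copies, 2 media" counts and still loses everything to one hypervisor compromise, which is why the count alone is a poor proxy; the offsite-and-unwritable test is the one that separates the two inventories.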
 
Isn't one of the tricks to infect but be dormant for 6-12 months? A restore might have the trojan buried in there.
 

I think that was the old virus way, but I'm not 100% sure. Ransomware is automated and tends to hit around the weekends and holidays, when there's nobody in the office to notice anything awry. The longer they wait, the higher the chances of them getting caught and stopped. And the more time they get to run, the more data they steal and encrypt.

I also noticed they seem to run on a keyword filter of sorts. The small list of files they took from us all had keywords like "health", "taxes", "money".
 
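Added example, not code from the thread or any poster: Python detection logic run over constructed file-server audit lines that flags the two signals this post describes, a burst of renames outside business hours and reads of files whose names carry keywords such as "health" or "taxes". The log line format, thresholds, keyword list, user names and sample events are all assumptions.

```python
"""Flag ransomware-style behaviour in file-server audit events.

Added example, not from the thread. Log format, thresholds, keyword list
and the sample events are constructed assumptions for illustration.
Assumed line format: "<ISO timestamp> <user> <READ|WRITE|RENAME|DELETE> <path>"
"""
import re
from collections import deque
from datetime import datetime, timedelta

SENSITIVE_KEYWORDS = ("health", "tax", "money", "payroll")   # assumed list
BURST_WINDOW = timedelta(minutes=5)
BURST_THRESHOLD = 40          # renames by one user inside the window, business hours
OFFHOURS_FACTOR = 0.5         # nights/weekends: nobody around, so alert earlier

LINE_RE = re.compile(r"^(\S+) (\S+) (READ|WRITE|RENAME|DELETE) (\S+)$")


def parse_event(line):
    """Return (timestamp, user, op, path), or None for a line that does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, user, op, path = m.groups()
    return datetime.fromisoformat(ts), user, op, path


def is_off_hours(ts):
    """Weekend, or outside 07:00-19:00 on a weekday."""
    return ts.weekday() >= 5 or ts.hour < 7 or ts.hour >= 19


def detect(lines):
    """Single pass over audit lines; returns alert dicts in the order raised."""
    alerts = []
    windows = {}            # user -> deque of rename timestamps inside BURST_WINDOW
    burst_fired = set()     # one rename_burst alert per user
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        ts, user, op, path = ev
        if op == "READ" and any(k in path.lower() for k in SENSITIVE_KEYWORDS):
            alerts.append({"kind": "sensitive_read", "user": user, "path": path})
        if op == "RENAME":
            q = windows.setdefault(user, deque())
            q.append(ts)
            while ts - q[0] > BURST_WINDOW:   # drop renames older than the window
                q.popleft()
            limit = BURST_THRESHOLD * (OFFHOURS_FACTOR if is_off_hours(ts) else 1.0)
            if len(q) >= limit and user not in burst_fired:
                burst_fired.add(user)
                alerts.append({"kind": "rename_burst", "user": user,
                               "count": len(q), "off_hours": is_off_hours(ts)})
    return alerts


def build_sample_log():
    """Constructed events: a designer renaming files on a Wednesday morning, then a
    service account at 02:00 on a Saturday reading keyword-named files and renaming
    30 spreadsheets to a .locked suffix within three minutes."""
    lines = []
    wed = datetime(2024, 2, 28, 10, 0)          # Wednesday, business hours
    for i in range(25):
        t = wed + timedelta(seconds=10 * i)
        lines.append(f"{t.isoformat()} alice RENAME /srv/design/draft{i}.psd")
    sat = datetime(2024, 3, 2, 2, 0)            # Saturday, 02:00
    lines.append(f"{sat.isoformat()} svc_admin READ /srv/hr/health_plan.pdf")
    lines.append(f"{(sat + timedelta(seconds=5)).isoformat()} svc_admin READ /srv/finance/taxes_2023.xlsx")
    for i in range(30):
        t = sat + timedelta(seconds=30 + 6 * i)
        lines.append(f"{t.isoformat()} svc_admin RENAME /srv/finance/q{i}.xlsx.locked")
    lines.append("malformed line that the parser should skip")
    return lines


if __name__ == "__main__":
    for a in detect(build_sample_log()):
        print(a)
```

The weekday designer never trips the 40-rename threshold, while the Saturday session trips the halved off-hours threshold on its 20th rename; the two keyword reads that precede it are exactly the "staging" the post noticed in the list of stolen files.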
My work (public community college) got hit with ransomware right at 3 years ago; in fact, we were saved a lot of damage because our director of IT checked on something from home, noticed suspicious activity, and went to campus to literally pull the plug on everything as quickly as he could.

It took 2 weeks to get back to some level of functionality, and even then a lot of things just didn't work. We didn't have email for another month. It took about that long to get copiers back too.

One of the things we were told was we had a negotiations team talking to the hackers, although there was no consideration of actually paying the ransom. We were told that it would take as long to un-encrypt everything once we got the keys from them as it was taking them to restore from backup, and also that there was no guarantee that the keys would work. In the end it was all alright for us, although when I started there I always thought our IT policies were pretty lax (no mandatory password resets, all users were administrators on their local computers, things like that). Since, they've really tightened down on that.

With that said, I've heard/been told that some of what was said about ransomware isn't always true. I've been told, for one, that most of the guys doing this actually do deliver valid keys once the ransom is paid. I've heard it said that there's, so to speak, honor among thieves, and that people who don't deliver on this "harm" the whole industry and make it less likely that future victims will opt to pay the ransom. It's a twisted way to look at it but makes sense to me.

The second thing I've been told is that the encryption "bug" often gets planted well ahead of time and is good at disguising itself. That means that you may have to go way back to get a safe backup, and that can mean data loss. I don't know what current practices are, but when my dad was working in IT for Kentucky state government in the 90s/early 2000s their backup tapes were kept on-site for a week, offsite for 2 weeks, and then cycled back to be used again. That meant that they had MAYBE 3 1/2 weeks of backup, realistically just 3...
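Added example, not code from the thread or any poster, tying this post's tape rotation to the dormant-implant question raised earlier in the thread: a small Python model of which restore points still exist under a retention policy and which of them predate the infection. The 90s scheme is modelled as 21 daily tapes (a week on-site, two weeks off-site, then reused); the comparison policy is an assumed grandfather-father-son rotation, and a full backup every day, the dates and the dwell times are all constructed.

```python
"""Which backups still exist on the day the implant is found, and which predate it?

Added example, not from the thread. Policies and dates are constructed
assumptions. A full backup is assumed every day; retention decides which
of those days' copies have not yet been overwritten.
"""
from datetime import date, timedelta


def retained_backups(today, daily=7, weekly=0, monthly=0):
    """Return the set of dates whose backup still exists on `today`.

    daily   - the last N daily backups (a plain cycled tape pool is daily=N)
    weekly  - the last N Sunday backups kept as weeklies
    monthly - the last N first-of-month backups kept as monthlies
    """
    kept = {today - timedelta(days=i) for i in range(daily)}
    d, n = today, 0
    while n < weekly:
        if d.weekday() == 6:          # Sunday
            kept.add(d)
            n += 1
        d -= timedelta(days=1)
    d = today.replace(day=1)
    for _ in range(monthly):
        kept.add(d)
        d = (d - timedelta(days=1)).replace(day=1)
    return kept


def clean_restore_points(retained, infected_on):
    """Restore points taken before the implant landed, oldest first."""
    return sorted(d for d in retained if d < infected_on)


def compare_policies(infected_iso, detected_iso):
    """Evaluate both policies for one infection/detection pair; ISO strings in and out."""
    infected = date.fromisoformat(infected_iso)
    detected = date.fromisoformat(detected_iso)
    policies = {
        # a week on-site + two weeks off-site, then the tape is reused
        "cycled_21_tapes": dict(daily=21),
        # assumed GFS alternative: 7 dailies, 4 weeklies, 6 monthlies
        "gfs_7_4_6": dict(daily=7, weekly=4, monthly=6),
    }
    out = {}
    for name, p in policies.items():
        clean = clean_restore_points(retained_backups(detected, **p), infected)
        out[name] = {
            "dwell_days": (detected - infected).days,
            "clean_points": [d.isoformat() for d in clean],
            # how far back a clean restore rolls the data, measured from detection
            "days_rolled_back": (detected - clean[-1]).days if clean else None,
        }
    return out


if __name__ == "__main__":
    # constructed scenario: implant planted mid-January, noticed 46 days later
    for name, r in compare_policies("2024-01-15", "2024-03-01").items():
        print(name, r)
```

With a 46-day dwell the 21-tape cycle has no clean restore point at all, every surviving tape was written after the implant landed; the GFS policy still holds four clean monthlies, at the price of rolling the data back 60 days. With a dwell of a few days, the cycled pool is perfectly adequate, which is the trade-off the "6-12 months dormant" concern is really about.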
 