How Ransomware Extortionists Work

Victims of a ransomware attack often consider the payment of the ransom as the best means of damage control. But the cost of the ransom does not stop there. […]

Security researchers at Check Point used the leaked internal documents of the extortion group behind the Conti ransomware to analyze records of ransomware victims. They found that the ransom paid is only a small part of the actual cost borne by victims of a ransomware attack; the research team estimates the total cost to be seven times higher.

In addition to the data sets from the leaks of the Conti Group, Check Point also analyzed cyber incidents from the database of the start-up Kovrr, which specializes in the visualization of cyber risks.

Check Point had already observed an increase in cyber attacks in the first quarter of 2022. According to the research, one in 53 companies worldwide was affected, compared with only one in 66 companies in the first quarter of 2021, an increase of 24 percent.

To work out how much ransom can be extorted from a company, the Conti hacker group uses data sets from ZoomInfo and the German National Library. According to the analysts, this research is very important to the group: the victims want to end the extortion as quickly as possible, and the extortionists want to attack as many companies as possible. The more realistic the ransom demand, the faster the interaction is completed.

It could also be disadvantageous for Conti in later ransom negotiations if it had once set a price too high for the victim to pay. The group would then have to lower the ransom, and other victims could use that to their advantage if they found out about it.

Check Point found that Conti’s average ransom demand is around 2.82 percent of a victim’s annual turnover.

Figure: share of the victim's annual turnover accounted for by the ransom demand.

Check Point examined some of the negotiation processes between the ransomware victims and Conti. The manufacturer observed five recurring steps.

  1. Threatening the victims: Before negotiations start, Conti members go through the stolen data and look for particularly sensitive material they can use as leverage. They later upload these files to a private blog post on the ContiNews leak page and threaten to publish the post if payment is not made.
  2. Discounts for quick payment: To keep negotiations short, the group often grants discounts to victims who pay quickly.
  3. Negotiations: Victims often try to explain why they cannot pay the ransom demanded or why payment will take a very long time. At this stage, Check Point observed victims demanding additional discounts.
  4. Renewed threats: If the victim is not willing to pay, Conti begins to publish small parts of the confidential data to build up more pressure. In many cases, this step motivates the victims to pay the ransom.
  5. Agreement: In the final step, the attackers and their victims reach an agreement on the ransom. Otherwise, all of the confidential data is uploaded to the Conti leak page.

The financial impact of an attack is not limited to the ransom paid. On top of that come response and recovery costs and, where applicable, legal fees.

Check Point has summarized some examples and documented the actual costs:

Figure: the cost of a ransomware attack is not limited to the ransom money paid.

Among the serious consequences of a ransomware attack for companies is the interruption of ongoing operations. Using Kovrr’s database, the analysts were able to determine the average duration of business interruptions caused by ransomware.

The data shows that the duration of an attack, i.e. the time from the start of the attack itself to the resumption of normal operations, increased steadily from 2017 to 2020. In 2021 the duration decreased. Check Point attributes this to the fact that criminals began carrying out double extortion in 2020.

Figure: average duration of a ransomware attack in days.

Double extortion means that, in addition to publishing stolen data, criminals hold further means of pressure over their victims, for example DDoS attacks or the disclosure of legal violations. This lengthened the negotiation phases, and according to Check Point the trend continued into 2021. Companies, in turn, created better response plans to mitigate ransomware events and thus shortened the duration of an attack.

The increase in attack duration between 2017 and 2020 is also due to actors increasingly using big game hunting tactics. In this tactic, it is not individual computers that are attacked but the entire organization that is targeted. As a result, operations are interrupted for longer, since recovery is more complex.

Another data point from the graph shows that the median duration decreased between 2017 and 2018. According to the analysts, this is because 2018 saw many short events that lowered the median.

Check Point's investigations show that the attacked companies have succeeded in adapting and improving their response guidelines. At the same time, however, cybercriminals are also optimizing their processes. The security experts' advice to victims of ransomware attacks: the threat is caused by real people. Companies that want to respond to ransom demands should therefore communicate clearly and plan their negotiations carefully in order to achieve the best possible outcome.

*Melanie Staudacher is a Junior Editor at CSO. Her focus is IT security.*