Breach Notification , Cybercrime , Cybercrime as-a-service

Ransomware: Call Centers Cold-Call Victims to Demand Ransom

Such Specialization Highlights Ransomware Operators' Increasing Business Savvy
Ransomware: Call Centers Cold-Call Victims to Demand Ransom
Photo: Mad Fish Digital, via Flickr/CC

Ransomware innovation seems to know no bounds, as crime gangs seek new ways to make crypto-locking malware ever more profitable.

See Also: Gartner Guide for Digital Forensics and Incident Response

Some gangs, for example, have reportedly taken to cold-calling victims to inform them that their systems have been hit by ransomware and request a ransom to resolve the situation. Of course, this is just the latest in a long list of shakedown tactics, which includes not just using crypto-locking malware but, lately, also leaking data to increase the psychological pressure on victims to pay.

Experts say the quantity of ransomware attacks and amount of ransom payments continue to rise. In part, they say, this is due to so-called human-operated ransomware, referring to gangs that don't just rely on malware and opportunistic infections, but which instead bring advanced network penetration and other skills to bear. Many such operations also appear to have focused more on big-game hunting - meaning attempting to take down larger targets - so they can demand relatively larger ransoms for every given attack (see: Ransomware: Cybercrime Public Enemy No. 1).

Ransomware incident response firm Coveware, based in Connecticut, says that, of the thousands of cases it helped investigate from July through September, the average ransom payment - when a victim paid - was $233,817, which was an increase of 31% from the previous quarter.

The average ransom paid by victims has continued to increase. (Source: Coveware)

But for big-game victims, the individual ransoms are often much higher. "Back in the day, we saw ransom demands of $100,000 or a few hundred thousands, but these days, we are seeing ransom demands in the millions, more and more often," Oleg Skulkin, lead digital forensics specialist at cybersecurity firm Group-IB, said in a presentation at the company's CyberCrimeCon last month.

Call Centers Offer Extortion-as-a-Service

Just like legitimate businesses, ransomware gangs have long looked to maximize their prospects and then attempt to convert as many of them as possible into paying customers, sometimes via lengthy negotiations (see: Ransomware Gangs Practice Customer Relationship Management).

Now, in a push by gangs to convert more prospects - or, in this case, victims - into paying a ransom, multiple gangs appear to have been outsourcing these efforts to one or more call centers, as ZDNet first reported.

Ransomware operations cold-calling victims has been a fact of life since at least August, when Maze contacted an organization it had hit, Brett Callow, a security analyst at Emsisoft, tells Information Security Media Group.

In September, the operators behind Conti ransomware telephoned Galstan & Ward Family and Cosmetic Dentistry, a dental practice in Georgia, to tell them they'd been victims of a ransomware attack and to demand a ransom, Databreaches.net has reported.

The full list of gangs known to have used this tactic includes Sekhmet, which is now defunct; and two other defunct groups - Ryuk and Maze - as well as their successors, which are respectively Conti and Egregor.

Based on comments made by Maze members, "it appears that they are using a third-party team to do those calls," Evgueni Erchov, director of incident response and cyber threat intelligence at IR firm Arete, tells ISMG. "Based on voicemail recordings, the messages appear to be very scripted and it sounds like a person reading the pre-written message."

"We think it's the same outsourced call center group that is working for all the [ransomware gangs], as the templates and scripts are basically the same across the variants," Bill Siegel, CEO of Coveware, tells ZDNet.

Sekhmet may have been the first ransomware operation to rely on this tactic. "We can't say for sure but we think that we are the first group that tries to contact the companies by phone as soon as possible after the incident," the operators behind Sekhmet posted to their leaks site, according to Callow.

Note posted by the now-defunct Sekhmet group to its leaks site (Source: Emsisoft)

The use of call centers demonstrates some ransomware operators' increasing business savvy. "The segmentation and specialization that is implied by the use of call centers to handle victim negotiations demonstrates the evolution and maturity of the cyber extortion industry," Siegel tells ISMG.

"Some of these groups have staffing and budgets akin to a midsized company," he adds. "They have the same problems, as well, with miscommunications, poor training and vendor and staff turnover that impact their operations."

Innovation Continues

Outsourcing boiler-room operations to threaten victims is just the latest in a long line of innovations that ransomware gangs have been using to maximize their returns. Others include:

  • Leak sites: In November 2019, the Maze gang pioneered the practice of exfiltrating data and then leaking samples of it. Since then, more than a dozen gangs have created name-and-shame sites where they leak victim names and data samples or threaten to auction stolen data to the highest bidder.
  • Data-deletion promises: As more organizations have put better defenses in place, ransomware gangs have shifted from requiring a ransom in exchange for the promise of a decryption tool to falsely promising to delete stolen data if victims pay.
  • Ransomware-as-a-service affiliate programs: In RaaS programs, ransomware operators provide malware to affiliates, who share in the profits whenever a victim pays. Such programs help maximize the returns for both parties, and they have been thriving.
  • Recruiting specialists: Driven in part by RaaS, as well as the lure of big-game hunting profits, more gangs have been recruiting specialists across numerous disciplines, ranging from network penetration and encryption to negotiations and working with cloud-based data.
  • Easier access to victims: As part of the burgeoning cybercrime-as-a-service ecosystem, there's been a surge in initial access brokers who sell ready-to-use, remote access into penetrated corporate networks, typically gathered by brute-forcing remote desktop protocol connections. Buying such access means ransomware-wielding gangs don't have to focus on amassing victims themselves but can move immediately to trying to steal data, infect organizations' systems and then extort organizations.

The increased use of these tactics, sometimes in combination, means that ransomware attacks can leave victims not just having to recover from a crypto-locking malware outbreak but, oftentimes, having to investigate a suspected data breach, which can trigger a host of notification rules (see: Ransomware + Exfiltration + Leaks = Data Breach).


About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing govinfosecurity.com, you agree to our use of cookies.