# Conti and Hive ransomware operations: Leveraging victim chats for insights

###### WRITTEN BY KENDALL MCKAY with contributions from PAUL EUBANKS and JAIME FILSON

##### TABLE OF CONTENTS

- Executive summary (p. 3)
- Introduction (p. 3)
- Conti (p. 4)
  - Communication strategies (p. 4)
  - Ransom negotiations (p. 5)
  - Reputation matters (p. 6)
  - Operational insights and TTPs (p. 6)
- Hive (p. 7)
  - Communication strategies (p. 7)
  - Ransom negotiations (p. 8)
  - Operational insights and TTPs (p. 9)
- General guidance and mitigation strategies (p. 11)

##### EXECUTIVE SUMMARY

- Through open-source research, we obtained and analyzed over four months of chat logs — more than 40 separate conversations — between Conti and Hive ransomware operators and their victims. The findings in this paper give an overview of the actors’ communication styles, persuasion techniques, ransom negotiations, operational and targeting information, and more.
- Conti and Hive have markedly different communication styles, with Conti employing a range of persuasion tactics in what often seem like scripted and somewhat organized exchanges. Hive communications, by contrast, are much shorter, more direct, and void of many of the persuasion techniques that Conti employs. These differences possibly reflect varying levels of organizational oversight for affiliates or may simply exemplify the unique communication styles employed by various ransomware actors.
- Both groups are very quick to lower ransom demands, routinely offering substantial reductions multiple times throughout their negotiations. It is clear that the actors’ initial ransom demand is rarely their bottom line.
- Conti and Hive do research on victim organizations before determining the ransom amount, with both groups typically asking for about one percent of the company’s annual revenue. Both threat actors appear to target entities indiscriminately, likely based on what they assess to be the easiest victims to compromise for quick financial gains.
- Hive operators displayed surprisingly poor operational security, revealing sensitive information about their encryption process and other operational details. Other evidence suggests that Hive affiliates do not adhere to any sort of standard operating procedure and employ any and all means necessary to convince their victims to pay, including offering kickbacks to victim negotiators once the ransom payment is made.

##### INTRODUCTION

The ransomware space is dynamic, continually marked by new emerging ransomware variants, groups rebranding under different names or shutting down operations altogether, and new strategic partnerships between different cybercrime gangs. The focused crackdown on ransomware operations by U.S. authorities and international partners has introduced even more change into this threat space, pushing ransomware actors into the focus of law enforcement’s targeted efforts to disrupt their operations. Current events on the international stage have also recently affected at least one major ransomware player, the

-----

From there, we observed the threat actors employing a variety of different persuasion techniques. In many instances, the adversaries attempt to empathize with victims, equating themselves to business people just like the compromised entity and claiming that they want to help restore the victim’s data. They appear to make the ransom payment seem like it is in exchange for their help, in one instance proclaiming, “Fortunately, Conti is here to prevent any further damage!”

The actors say they will provide “IT support” by offering a “decryption tool,” even offering to give the victim a full security report upon payment to ensure that such an attack does not happen again in the future.
We obtained one such security report, which is illustrated in Figure 1. These are vague, generic recommendations with no specific implementation steps. Such guidance would be very easy to reuse across interactions with numerous victims.

The actors further mask these extortion attempts by saying they provide “damage prevention services,” again purporting to be helpful assistants who can help protect the victim. In many instances, Conti operators remind victims about the consequences of having data leaked, including such information being sold on the dark web to cybercriminals who will leverage the data in their own operations, including social engineering attacks. The victim’s customers, vendors, employees and investors will all be notified about the breach, Conti warns, but the threat actors claim they can resolve these problems immediately upon payment.

Conti also employed other marketing techniques to convince victims to pay, including offering Christmas and holiday discounts and other price reductions intended to make the victim feel like they are getting a good deal. Many of these deals are incentivized by quick payments, with a Conti actor offering in one instance that the victim can receive a “special discount” if “we make a deal in the next 72 hours.”

The tactics outlined so far are Conti’s attempts to be more empathetic and make the victim feel like Conti is helping them or cutting them a deal. However, we also observed Conti employ more aggressive techniques, including fear and coercion. The threat actors remind victims of the reputational damage and legal troubles that will result from a data leak, citing media reports about other companies who have faced multi-million and billion-dollar lawsuits for data breaches. They use scare tactics by telling the victim that the company’s stock value will nosedive if Conti leaks their data and threaten to provide competitors with the stolen information.
The actors remind the victim of the various governmental bodies and regulatory acts that punish organizations for data leaks and revisit the notion of employees becoming identity theft victims if the data is sold on the Dark Web. These threats seemed to intensify as Conti’s frustration with the victim’s slow responses or perceived lack of urgency grew.

These more aggressive tactics are consistent with recent trends reported by the U.S. government. According to CISA’s 2021 [global ransomware trends report](https://www.cisa.gov/uscert/ncas/alerts/aa22-040a), ransomware actors are diversifying their approach to extorting money, including informing the victim’s partners, shareholders, or suppliers about the incident.

**_Figure 1. Example of security report sent to Conti victims by the threat actor._**

**RANSOM NEGOTIATIONS**

> “The chances that Hell will freeze are higher than us misleading our customers. We are the most elite group in this market, and our reputation is the absolute foundation of our business and we will never breach our contract obligations.” - Conti operator to victim

There were several indications that the Conti operators determine victims’ ransom amounts on a case-by-case basis dependent on the organization’s annual revenue, with the actors stating as much in several of the communications we reviewed. Conti actors are very willing to negotiate and almost always offered or approved a lower ransom amount in the conversations we reviewed. These reductions were initiated by either Conti or the victim depending on the situation, but in instances where the victim requested a lower ransom payment, the threat actors almost always obliged quickly and with little or no hesitation.
In some instances, a lower ransom payment would still cost the victim data exposure: In one case, a Conti operator agreed to lower the amount by nearly 80 percent, but with the stipulation that 80 percent of the victim’s data would be published to their leak site. The price reductions that Conti offered were generally substantial, including 10, 24, 57 and 74 percent, and even higher. In one exchange, Conti dropped the ransom demand five times, with the amount dropping a net 98 percent from $50 million to $1 million.

Despite Conti’s willingness to negotiate, they had limits to how low they would drop the ransom amount and would eventually hold firm on a final figure. In one case, the lowest figure they were willing to accept was $100,000, although we did not have insight into the initial ransom offer or that company’s annual revenue.

These findings highlight the actors’ willingness to negotiate and also indicate that Conti’s initial ransom demand is more of a starting point for negotiations rather than a final offer. Conti also appears similarly flexible on their payment dates, with deadlines frequently being pushed out at victims’ requests. These behaviors suggest Conti operators are highly opportunistic cybercriminals who ultimately would prefer some payment as opposed to none, even if that means capitulating to repeated requests by the victim.

**REPUTATION MATTERS**

Like most legitimate business operations, cybercriminals depend on maintaining a “good” reputation, at least as it relates to following through on agreements with victim organizations. This is also top of mind for Conti, as the threat actors repeatedly reiterated their strong intent to uphold their end of the deal, even appearing angry at times when they perceived victims were questioning their trustworthiness.
In one exchange, a Conti operator exclaimed, “THERE IS NO WAY that we will not fulfill our promises after you pay.” In another conversation, a Conti actor noted the group’s “vast experience” in this field, even encouraging the victim to Google the group to find evidence that they never “bluff.” Conti further echoed these sentiments in the following remarks: “The chances that Hell will freeze are higher than us misleading our customers. We are the most elite group in this market, and our reputation is the absolute foundation of our business and we will never breach our contract obligations.”

This level of confidence and bravado is likely an important component of Conti’s ability to establish some level of trust — albeit under unique circumstances — with their “customers.” The only assurance a victim organization has in believing that their stolen data won’t be leaked is the threat actor’s word and, by extension, the group’s broader reputation. If Conti hopes to maximize payments, they have to employ a combination of coercive and persuasive tactics with firm assurances that they will uphold their end of the deal. This likely explains Conti’s firm, sometimes emotional language we observed in these types of interactions.

**OPERATIONAL INSIGHTS AND TTPS**

These conversations also yielded insight into some of Conti’s operational details and tactics, techniques and procedures (TTPs). Conti uses ProtonMail, an encrypted email service, to communicate with victims. They also use various temporary mail and file storage sites, as revealed in their conversations with victims, including SendSpace, qaz[.]im and PrivatLab. The file hosting sites are especially useful, as Conti leverages them to share files with victims. In one case, the Conti operator directed the victim to download a deletion log from a PrivatLab site as proof that Conti destroyed all exfiltrated data after the victim paid the ransom.

In another case, the same site was used to demonstrate that Conti could — and planned to — decrypt the victim’s files upon payment, with the victim uploading sample encrypted files and the threat actor returning their decrypted versions via the same file share site. Conti also mentioned using Disk Wipe, a free Windows application for permanent volume data destruction, to delete the victim’s files they exfiltrated after the victim paid the ransom.

Conti also uses a variety of other publicly available tools in their operations, based on our observations in CTIR engagements and open-source reporting. These tools and utilities enable every phase of their attack, including initial access, discovery, persistence, lateral movement, defense evasion and more. In addition to these publicly available tools, such as Cobalt Strike and ADFind, Conti also leverages utilities that are natively found on Windows operating systems, such as Windows Management Instrumentation (WMI), the Windows command-line utility Nltest, and remote desktop protocol (RDP).

In one instance, we observed the Conti operator making vague references to additional TTPs, including the infection vector. The actor informed the victim that they had infiltrated the victim’s network, “researched them, and found critical vulnerabilities, which enabled [Conti] to access and exfiltrate [the victim’s] documentation and encrypt [their] file servers, SQL servers, subdomains, and local networks.”

Based on our observations in CTIR engagements, Conti actors leverage many different vulnerabilities for initial access and lateral movement. Specifically, we have seen them exploit the widely reported vulnerabilities affecting the [Apache Log4j logging utility](https://blog.talosintelligence.com/2021/12/apache-log4j-rce-vulnerability.html). We have also observed Conti targeting vulnerable Microsoft Exchange servers as the point of initial infection via PowerShell execution of webshells, according to CTIR findings.
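A detection check for the Conti tradecraft listed above, added here as an example (it is not from the paper or from Talos): the IIS worker process w3wp.exe spawning PowerShell on an Exchange host, which is what webshell-driven execution looks like in process-creation telemetry, plus execution of the reconnaissance utilities Nltest and ADFind. The pipe-delimited log lines, the host names and the accounts are constructed for this example; map the fields to your EDR or Sysmon process-creation schema before use.

```python
import re

WEB_WORKERS = {"w3wp.exe"}                        # IIS / Exchange worker process
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
RECON_TOOLS = {"nltest.exe", "adfind.exe"}        # utilities named in the paper

# Constructed sample telemetry, one event per line: host|user|parent|image|cmdline
SAMPLE_LOG = """\
EXCH01|NT AUTHORITY\\SYSTEM|services.exe|svchost.exe|svchost.exe -k netsvcs
EXCH01|IIS APPPOOL\\MSExchangeOWAAppPool|w3wp.exe|powershell.exe|powershell -nop -w hidden -enc SQBFAFgA
WS042|CORP\\jdoe|cmd.exe|nltest.exe|nltest /dclist:corp
WS042|CORP\\jdoe|cmd.exe|AdFind.exe|AdFind.exe -f objectcategory=computer
"""

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...)
ENCODED_FLAG = re.compile(r"\s-e(?:c|nc|ncodedcommand)?(?:\s|$)", re.IGNORECASE)


def parse_events(text):
    """Yield one dict per non-empty line of the constructed pipe format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        host, user, parent, image, cmdline = line.split("|", 4)
        yield {"host": host, "user": user, "parent": parent.lower(),
               "image": image.lower(), "cmdline": cmdline}


def classify(ev):
    """Return the reasons (possibly none) this event deserves analyst attention."""
    reasons = []
    if ev["parent"] in WEB_WORKERS and ev["image"] in SHELLS:
        reasons.append("web worker spawned a shell (webshell execution pattern)")
        if ENCODED_FLAG.search(ev["cmdline"]):
            reasons.append("encoded PowerShell command line")
    if ev["image"] in RECON_TOOLS:
        reasons.append("Active Directory reconnaissance utility executed")
    return reasons


def triage(text):
    """Run the rules over a log and return (host, image, reasons) for each hit."""
    hits = []
    for ev in parse_events(text):
        reasons = classify(ev)
        if reasons:
            hits.append((ev["host"], ev["image"], tuple(reasons)))
    return hits


if __name__ == "__main__":
    for host, image, reasons in triage(SAMPLE_LOG):
        print(host, image, "; ".join(reasons))
```

Nltest and ADFind both have legitimate administrative uses, so triage those hits by host role and account rather than alerting on the binary name alone.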
This serves as a reminder of the importance of organizations applying a patch management system and keeping all software up-to-date with proper security updates.

-----

**_Figure 2. Example of communications between Hive ransomware actors and a victim._**

Hive almost never employs any of the persuasion strategies we observed with Conti, such as marketing ploys, fear, or coercion. In the few times we did observe a Hive operator attempt to use persuasive language, it was short, matter-of-fact, and usually prompted by a question from the victim rather than Hive leading with a forceful appeal.

We also observed Hive quickly become more aggressive if the victim failed to respond to the ransomware operator’s initial greeting. In one case, after a victim failed to respond 14 days after Hive’s initial communication, the Hive operator declared that their patience was gone and threatened to send a copy of the victim’s data to the Securities and Futures Commission (SFC), a Hong Kong regulatory agency. The operator even provided individual email addresses of SFC members he planned to send the data to. Hive operators also quickly and dramatically increased the ransom demand if the victim did not respond, as seen in the excerpt above, where the ransom payment eventually jumped from $2 million to $10 million after seven days without communication from the victim.

**RANSOM NEGOTIATIONS**

Hive’s ransom demands are typically valued at 1 percent of the victim company’s annual revenue, according to Hive operators. Based on our analysis, we largely found this to be the case, but in some instances, the ransom was slightly higher at around 1.5 percent. Much like Conti, Hive appears very willing to lower their ransom demand,

-----

**_Figure 3. Customized victim page._**

indiscriminately target organizations they may perceive are the easiest to compromise or extort.
This exchange between Hive and the negotiator may also represent the lack of standard operating procedures within the Hive group. Relatedly, it possibly represents the potential for individual affiliates to be either less disciplined — or more innovative, depending on one’s interpretation — during their operations to do anything necessary to convince their victims to pay. The notion of being undisciplined is strengthened by another observation we made, mentioned in the next section, where we saw a Hive affiliate display poor operational security.

**OPERATIONAL INSIGHTS AND TTPS**

The Hive operators revealed a surprising amount of information about various components of their operation, including details pertaining to the ransomware payload, the encryption process, and various tools and communication platforms they use. They mentioned that the ransomware payload is unique or custom for each individual victim, noting that for this reason, the file hash will not be useful for security personnel and network defenders. The operators were also forthcoming about sharing the ransomware hash with the victim when asked, even going so far as to provide the VirusTotal URL linking directly to the file sample in one case.

In one of the communications we reviewed, the Hive operator stated that it is impossible to recover the decryption keys from memory and decrypt files. The ransomware overwrites the decryption key in memory to prevent its recovery. In terms of the encryption process, the threat actor revealed that the ransomware only encrypts about 100KB of each file, including the first 4KB, the last 4KB, and several blocks in the middle of the file. The Hive operator noted that the ransomware acts fast, which is probably enabled by this partial encryption.
The Hive ransomware is not aware ahead of time how big or small the files are that it will need to encrypt, so it has to make a tradeoff decision between speed and accuracy. That tradeoff is seen in the ransomware encrypting files quickly, but not thoroughly.

Mistakes the Hive developers made in their encryption schema make key recovery trivial. The malware only partially encrypts files, and reuses a small key for every file it encrypts. The Hive malware authors likely thought they were being clever by overwriting the key in memory after the encryption process was complete to prevent investigators from recovering the key directly from device memory, but they were not clever enough to realize that they made the classic cryptography blunder of one-time-pad reuse, which allows the user to recover the key simply by comparing the encrypted contents together bitwise. This type of error suggests the malware developers are not well-versed in crucial cryptography mechanisms. We assess that many other ransomware groups likely have similarly glaring problems, especially the ones that advertise speed as a performance metric.

The encryption process is started by a random field value, according to the Hive operator, and after the encryption is completed, the program overwrites the area of memory where the key was stored to prevent key recovery. They note that private and public RSA keys are only used to encrypt/decrypt the random field value, and it is only possible to decrypt the files if you know that random field value. While the actor specified the “random field” is not generated by a pseudo-random number generator (PRNG), this detail appeared to be a sarcastic comment made in jest, based on the context of the chat. A PRNG is an algorithm used to create a value which appears random, and is often used as a seed to generate entropy in cryptography systems for tasks related to key security and modes of operation.
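The key-reuse blunder described above, modelled as an added example (this is not Hive’s code and not from the paper): a single 4 KB keystream is XORed over the first 4 KB, the last 4 KB and two middle blocks of every file, so a responder who holds one clean copy of any encrypted file (a backup, a vendor installer, a document received by email) recovers the keystream and can decrypt every other file. The XOR cipher, the keystream size, the two-block middle layout and the sample files are all assumptions made for this model; real Hive encrypted roughly 100 KB per file.

```python
import random

BLOCK = 4096          # paper: first 4KB, last 4KB and blocks in the middle
MIDDLE_BLOCKS = 2     # assumed number of middle blocks in this toy model


def encrypted_regions(size, block=BLOCK, middle=MIDDLE_BLOCKS):
    """(offset, length) ranges that get encrypted; the rest stays in clear."""
    if size <= 2 * block:
        return [(0, size)]                        # tiny file: encrypt it all
    regions = [(0, block)]
    span = size - 2 * block                       # bytes between head and tail
    if span >= middle * block:                    # room for the middle blocks?
        gap = (span - middle * block) // (middle + 1)
        for i in range(middle):
            regions.append((block + gap + i * (block + gap), block))
    regions.append((size - block, block))
    return regions


def partial_xor(data, keystream):
    """Encrypt or decrypt (XOR is its own inverse) the regions of one file.

    The keystream offset restarts at 0 for every file, so every file's
    encrypted regions are masked with the same bytes: the one-time-pad
    reuse the paper describes."""
    out = bytearray(data)
    pos = 0
    for off, length in encrypted_regions(len(data)):
        for i in range(length):
            out[off + i] ^= keystream[(pos + i) % len(keystream)]
        pos += length
    return bytes(out)


def ciphertext_xor(c1, c2):
    """C1 XOR C2 == P1 XOR P2 over the encrypted regions: the key cancels out."""
    return bytes(a ^ b for a, b in zip(c1, c2))


def recover_keystream(ciphertext, known_plaintext):
    """k = c XOR p over the first region, using a file whose plaintext is known."""
    n = min(len(known_plaintext), BLOCK)
    return bytes(c ^ p for c, p in zip(ciphertext[:n], known_plaintext[:n]))


def demo_recovery(seed=1234):
    """Constructed scenario: the responder has a clean copy of file A, the
    encrypted copies of A and B, and never sees the keystream. Returns
    (key cancels in C1^C2, recovered keystream correct, file B decrypted)."""
    rng = random.Random(seed)                     # deterministic sample data
    keystream = bytes(rng.getrandbits(8) for _ in range(BLOCK))
    clean_a = bytes(rng.getrandbits(8) for _ in range(60_000))
    clean_b = bytes(rng.getrandbits(8) for _ in range(30_000))
    enc_a = partial_xor(clean_a, keystream)
    enc_b = partial_xor(clean_b, keystream)
    # From here on only enc_a, clean_a and enc_b are used.
    key_cancels = (ciphertext_xor(enc_a, enc_b)[:BLOCK]
                   == ciphertext_xor(clean_a, clean_b)[:BLOCK])
    recovered = recover_keystream(enc_a, clean_a)
    return (key_cancels, recovered == keystream,
            partial_xor(enc_b, recovered) == clean_b)


if __name__ == "__main__":
    print(demo_recovery())   # (True, True, True)
```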
They also noted that encryption is done using public RSA keys, and decryption is done using private RSA keys. It's important to note this is only the case for encrypting the

During these conversations, the Hive operator noted that they had never disclosed this encryption information to anyone before, raising questions about why they elected to share such details in that particular instance. It is possible that they were boasting about that component of their operation and they simply did not understand, or care about, the significance of sharing this type of information. Regardless, these disclosures again suggest a lack of

-----

It is also essential for organizations to implement policies to prevent adversaries from using credentials that are either sold on dark web cybercriminal forums or that have been leaked in other data breaches. Organizations should require employees to use multi-factor authentication (MFA) to provide a higher level of security and ensure that leaked or stolen credentials cannot be used to access systems and resources. Creating long, complex passwords and enabling MFA will help prevent threat actors from using stolen or default and valid credentials. If feasible, require MFA for all users with administrative privileges, as well as external login and remote access methods for applications used within the environment. MFA is the most effective method for preventing remote-based compromises and can stop access to compromised accounts by requiring all users to provide a second form of authentication. If valid accounts are compromised or leveraged, conduct a full password reset, especially for all privileged accounts in the domain. The lack of MFA remains one of the biggest impediments to enterprise security. Many ransomware and phishing incidents could have been prevented if MFA had been properly enabled on critical services, such as a virtual private network (VPN) or endpoint detection response (EDR) solutions.