Ransomware gangs are a dark mirror of legitimate marketing organizations

Ransomware gangs are “alarmingly similar” to legitimate organizations with their management structures and HR policies, and there is a clear logic to the way to target companies that they are certain would pay for the ransom to decrypt their data, a new report by Check Point Research (CPR) and Kovrr has found.

By analyzing the chat logs of the Conti ransomware group which were leaked by a Ukrainian researcher, CPR noted that the gang operates similarly to a start-up company – complete with an organizational structure, HR processes, and even assigned responsibilities. The Conti gang had over a hundred “employees,” who have managed to streamline the operation from automatic payload generation to the very ransom negotiation process itself, CPR noted.

“Conti’s negotiation team is responsible for talking to the victims, negotiating ransom payments, writing blog posts about the victims on the Conti leaks site, and eventually providing the decryption software if the ransom demand is met,” CPR said in a cybersecurity blog post. “Their internal communications shed light on the inner workings of their negotiation processes.”

The report also shows how ransomware gangs set the initial ransom demand, and what the “ground rules” are from the point of view of the cybercriminals. Based on Kovrr’s cyber incidents database, the report had concluded the following:

• For ransomware groups like Conti, one of the most important factors in a successful extortion negotiation is settling for a realistic price that both the victim and attacker are willing to accept. Ransom operators want the ransom event to be concluded as quickly as possible, so sensible demands go a long way in ensuring the negotiations are short.
   
• The Conti group, in particular, does not use the same formula for determining the initial ransom amount per victim – though the gang has directly based it on the victims’ estimated revenue derived from publicly available databases such as ZoomInfo and DNB. The average ransom demand from Conti’s victims is around 2.82% of their annual revenue. It was noted that the higher the annual revenue of the victim, the lower the percentage of revenue demanded since that percentage will represent a higher numerical value in dollars
   
• The Conti gang would even go as far as to offer ransom “discounts” for fast payment – as much as 20% to 25% off from the initial ransom amount – for victims willing to pay within days of encryption.
   
• A successful ransomware negotiation for groups like Conti boils down to several factors: the victim’s ability to pay; the quality of exfiltrated data from the victim; reminding negotiators that the ransomware group’s reputation of making good with their threats; the victims having excellent third-party negotiators that the gang can connect with; and most disturbingly: whether the victims have cyber insurance or not.

CPR underlined that Conti prefers targets that have cyber insurance in place, as those groups offer a higher chance of paying off the demands. Kovrr’s records even show that some of Conti’s targets were prioritized over others simply because they had cyber insurance.

Read more: Ransomware pandemic: The rise of 'triple extortion'

The report also came to the conclusion that the extortion amount is only a single part of the total cost of a ransomware attack. On average, all other related expenses – such as response and restoration expenses, legal fees and monitoring costs, and so on – will outweigh the extortion cost. According to CPR, this is due to the rise of so-called “double extortion” and big-game hunting, which have led to the “industrialization” of ransomware.