Ride the Lightning

Cybersecurity and Future of Law Practice Blog
by Sharon D. Nelson Esq., President of Sensei Enterprises, Inc.

Ransomware Criminals Cold-Calling Their Victims if They Restore From Backups

December 8, 2020

ZDNet reported on December 5 that some ransomware gangs are now cold-calling victims if they suspect that a hacked company might try to restore their data from backups and avoid paying ransom demands.

"We've seen this trend since at least August-September," Evgueni Erchov, Director of IR & Cyber Threat Intelligence at Arete Incident Response, told ZDNet.

Ransomware groups that have been seen calling victims in the past include Sekhmet (now defunct), Maze (now defunct), Conti, and Ryuk, a spokesperson for cyber-security firm Emsisoft told ZDNet.

"We think it's the same outsourced call center group that is working for all the [ransomware gangs] as the templates and scripts are basically the same across the variants," Bill Siegel, CEO and co-founder of cyber-security firm Coveware, said to ZDNet in an email.

Arete IR and Emsisoft said they've also seen scripted templates in phone calls received by their customers.

According to a recorded call made on behalf of the Maze ransomware gang, and shared with ZDNet, the callers had a heavy accent, suggesting they were not native English speakers. ZDNet shared a redacted transcript of a call:

"We are aware of a 3rd party IT company working on your network. We continue to monitor and know that you are installing SentinelOne antivirus on all your computers. But you should know that it will not help. If you want to stop wasting your time and recover your data this week, we recommend that you discuss this situation with us in the chat or the problems with your network will never end."

The use of phone calls is another escalation in the tactics used by ransomware gangs to put pressure on victims to pay ransom demands after they've encrypted business networks.

Of course, there have been other tactics used to "up the ante." These have included ransom demands that double in value if victims don't pay by a given date and time, threats to tell journalists about the victim company's breach, and threats to leak sensitive documents on "leak sites" if the companies don't pay.

On a side note, I am fascinated by how many bar associations are now clamoring for us to provide a webinar that focuses exclusively on ransomware. It goes to show how many law firms have been hit – and how many fear being victims. And yes, we are doing just that and will be ready to offer that webinar in early January.

Sharon D. Nelson, Esq., President, Sensei Enterprises, Inc.
3975 University Drive, Suite 225 | Fairfax, VA 22030
Email: Phone: 703-359-0700
Digital Forensics/Cybersecurity/Information Technology
https://senseient.com
https://twitter.com/sharonnelsonesq
https://www.linkedin.com/in/sharondnelson
https://amazon.com/author/sharonnelson