Ransomware Chats


Conti and Hive ransomware operations: Leveraging victim chats for insights

WRITTEN BY KENDALL MCKAY
with contributions from PAUL EUBANKS and JAIME FILSON

Updated May 2, 2022


TABLE OF CONTENTS
Executive summary  3
Introduction  3
Conti  4
  Communication strategies  4
  Ransom negotiations  5
  Reputation matters  6
  Operational insights and TTPs  6
Hive  7
  Communication strategies  7
  Ransom negotiations  8
  Operational insights and TTPs  9
General guidance and mitigation strategies  11

© 2022 Cisco and/or its affiliates. All rights reserved. | talosintelligence.com page 2
Conti and Hive ransomware operations:
Leveraging victim chats for insights

EXECUTIVE SUMMARY
• Through open-source research, we obtained and analyzed over four months of chat logs — more than 40 separate conversations — between Conti and Hive ransomware operators and their victims. The findings in this paper give an overview of the actors’ communications styles, persuasion techniques, ransom negotiations, operational and targeting information, and more.

• Conti and Hive have markedly different communication styles, with Conti employing a range of persuasion tactics in what often seem like scripted and somewhat organized exchanges. Hive communications, by contrast, are much shorter, more direct, and void of many of the persuasion techniques that Conti employs. These differences possibly reflect varying levels of organizational oversight for affiliates or may simply exemplify the unique communication styles employed by various ransomware actors.

• Both groups are very quick to lower ransom demands, routinely offering substantial reductions multiple times throughout their negotiations. It is clear that the actors’ initial ransom demand is rarely their bottom line.

• Conti and Hive do research on victim organizations before determining the ransom amount, with both groups typically asking for about one percent of the company’s annual revenue. Both threat actors appear to target entities indiscriminately, likely based on what they assess to be the easiest victims to compromise for quick financial gains.

• Hive operators displayed surprisingly poor operational security, revealing sensitive information about their encryption process and other operational details. Other evidence suggests that Hive affiliates do not adhere to any sort of standard operating procedure and employ any and all means necessary to convince their victims to pay, including offering kickbacks to victim negotiators once the ransom payment is made.

INTRODUCTION
The ransomware space is dynamic, continually marked by new emerging ransomware variants, groups rebranding under different names or shutting down operations altogether, and new strategic partnerships between different cybercrime gangs. The focused crackdown on ransomware operations by U.S. authorities and international partners has introduced even more change into this threat space, pushing ransomware actors into the focus of law enforcement’s targeted efforts to disrupt their operations. Current events on the international stage have also recently affected at least one major ransomware player, the notorious ransomware-as-a-service (RaaS) group known as Conti. After Conti publicly supported Russia’s invasion of Ukraine, a cybersecurity researcher took revenge against the ransomware gang by leaking information about the group, including the malware’s source code and internal chats between affiliates.

The theme of constant change is also at play as it relates to the Hive ransomware group, as we have recently seen the threat actors update the malware after security researchers published methods for decrypting infected data. The Korea Internet and Security Agency (KISA) subsequently released a decryption utility, presumably based on this research. Hive developers updated their malware after the research was published, and it appears KISA’s tool only works against earlier versions of Hive ransomware, not updated versions.

Conti and Hive are currently positioned as two of the biggest players in the ransomware scene. With Conti, while their leaks exposed interesting information from internal messages between Conti operators, such as various job roles within the organization and their process for hiring new affiliates, the chat conversations covered in this report are from entirely different sources and focus on communications between the threat actors and victims. By analyzing their chats with compromised organizations, we gained insight into how the actors determine ransom amounts, their willingness to negotiate lower prices, sales tactics and coercive means to compel victims to pay, and many other details about their operations.

Similarly, the Hive chats that we analyzed for this report between the actors and victims come as the group continues to make headlines for high-profile breaches and the security community seeks to better understand and protect against such attacks. The Hive chats we reviewed provided an interesting contrast to Conti, allowing us to compare various operational and communications methods between the two groups. The conversations also exposed important information about the Hive ransomware payload and encryption methods, highlighting at least one affiliate’s poor operational security in their willingness to disclose such sensitive information. While Cisco Talos Incident Response (CTIR) engagements have included remediation of ransomware infections of all types, these chats were obtained strictly via open-source investigatory means, and not through CTIR engagements.

This report builds on Talos’ growing body of work that highlights the human interest component of high-profile adversaries, research that brings to light important information of intelligence value, like threat actor motivations, communications methods, operational insights, and more. A similar research endeavor from last year, for example, resulted in our paper based on chats with a self-proclaimed Lockbit ransomware operator from which we gleaned valuable, first-hand details of the operator’s cybercriminal activities. Likewise, this report, which is based on an analysis of more than 40 chats over a four-month period, highlights several important takeaways for executives and the broader cybersecurity community at a time when ransomware attacks remain a major threat to organizations globally.

CONTI

COMMUNICATION STRATEGIES
Based on the chat logs we reviewed between Conti operators and victims, we observed several interesting themes and techniques the actors use to accomplish their ultimate goal of extorting organizations for large amounts of money. Conti’s communication style is relatively professional, marked by seemingly scripted introductions and a matter-of-fact tone that is mostly void of emotion and hyperbole. The actors stay on message, explaining to the victim they’re infected and pointing out what consequences the victim is likely to face if they fail to pay the ransom, and trying to convince the victim to pay as quickly as possible.

The actors’ initial chats with compromised organizations are direct and to the point. The actors typically introduce themselves — “We are the Conti Team” — and often ask for the person communicating on the other end to identify themselves with their name, company name and position. They proceed to explain that Conti has compromised the victim’s network, exfiltrated all sensitive information and encrypted the victim’s files.

From there, we observed the threat actors employing a variety of different persuasion techniques. In many instances, the adversaries attempt to empathize with victims, equating themselves to business people just like the compromised entity and claiming that they want to help restore the victim’s data. They appear to make the ransom payment seem like it is in exchange for their help, in one instance proclaiming, “Fortunately, Conti is here to prevent any further damage!”

The actors say they will provide “IT support” by offering a “decryption tool,” even offering to give the victim a full security report upon payment to ensure that such an attack does not happen again in the future. We obtained one such security report, which is illustrated in Figure 1. These are vague, generic recommendations with no specific implementation steps. Such guidance would be very easy to reuse across interactions with numerous victims.

Security report

We have penetrated your network using email compromise. So, first of all — provide all your employees with strict instructions regarding security measures.

Basic recommendations regarding network:
1. Implement better email filtering policies
2. Implement better password policies
3. Consider blocking some particular attacks like pass-the-hash and pass-the-ticket
4. Update all of your internal systems to the latest versions
5. Review network segmentation and take care about buying hardware firewalls with filtering policies
6. Block kerberoasting attacks
7. Conduct full penetrations tests (both external and internal)
8. Implement better AV/EDR systems
9. Review group policies, remove domain and local admin rights for some users.
10. Implement better DLP software system.
11. Secure your employees email, filter incoming mail and install EDR (Sentinel, Carbon Black)
12. Monitor the update of network programs
13. Pay attention to password policies, no saving in systems
14. Backups. Must have offline backups on cassettes, and use online backups

Figure 1. Example of security report sent to Conti victims by the threat actor.

The actors further mask these extortion attempts by saying they provide “damage prevention services,” again purporting to be helpful assistants who can help protect the victim. In many instances, Conti operators remind victims about the consequences of having data leaked, including such information being sold on the dark web to cybercriminals who will leverage the data in their own operations, including social engineering attacks. The victim’s customers, vendors, employees and investors will all be notified about the breach, Conti warns, but the threat actors claim they can resolve these problems immediately upon payment.

Conti also employed other marketing techniques to convince victims to pay, including offering Christmas and holiday discounts and other price reductions intended to make the victim feel like they are getting a good deal. Many of these deals are incentivized by quick payments, with a Conti actor offering in one instance that the victim can receive a “special discount” if “we make a deal in the next 72 hours.”

The tactics outlined so far are Conti’s attempts to be more empathetic and make the victim feel like Conti is helping them or cutting them a deal. However, we also observed Conti employ more aggressive techniques, including fear and coercion. The threat actors remind victims of the reputational damage and legal troubles that will result from a data leak, citing media reports about other companies who have faced multi-million and billion-dollar lawsuits for data breaches. They use scare tactics by telling the victim that the company’s stock value will nosedive if Conti leaks their data and threaten to provide competitors with the stolen information. The actors remind the victim of the various governmental bodies and regulatory acts that punish organizations for data leaks and revisit the notion of employees becoming identity theft victims if the data is sold on the Dark Web. These threats seemed to intensify as Conti’s frustration with the victim’s slow responses or perceived lack of urgency grew.

These more aggressive tactics are consistent with recent trends reported by the U.S. government. According to CISA’s 2021 global ransomware trends report, ransomware actors are diversifying their approach to extorting money, including informing the victim’s partners, shareholders, or suppliers about the incident.

RANSOM NEGOTIATIONS

There were several indications that the Conti operators determine victims’ ransom amounts on a case-by-case basis dependent on the organization’s
annual revenue, with the actors stating as much in several of the communications we reviewed.

Conti actors are very willing to negotiate and almost always offered or approved a lower ransom amount in the conversations we reviewed. These reductions were initiated by either Conti or the victim depending on the situation, but in instances where the victim requested a lower ransom payment, the threat actors almost always obliged quickly and with little or no hesitation. In some instances, a lower ransom payment would still cost the victim data exposure: In one case, a Conti operator agreed to lower the amount by nearly 80 percent, but with the stipulation that 80 percent of the victim’s data would be published to their leak site.

The price reductions that Conti offered were generally substantial, including 10, 24, 57 and 74 percent, and even higher. In one exchange, Conti dropped the ransom demand five times, with the amount dropping a net 98 percent from $50 million to $1 million. Despite Conti’s willingness to negotiate, they had limits to how low they would drop the ransom amount and would eventually hold firm on a final figure. In one case, the lowest figure they were willing to accept was $100,000, although we did not have insight into the initial ransom offer or that company’s annual revenue. These findings highlight the actors’ willingness to negotiate and also indicate that Conti’s initial ransom demand is more of a starting point for negotiations rather than a final offer.

Conti also appears similarly flexible on their payment dates, with deadlines frequently being pushed out at victims’ requests. These behaviors suggest Conti operators are highly opportunistic cybercriminals who ultimately would prefer some payment as opposed to none, even if that means capitulating to repeated requests by the victim.

REPUTATION MATTERS
Like most legitimate business operations, cybercriminals depend on maintaining a “good” reputation, at least as it relates to following through on agreements with victim organizations. This is also top of mind for Conti, as the threat actors repeatedly reiterated their strong intent to uphold their end of the deal, even appearing angry at times when they perceived victims were questioning their trustworthiness. In one exchange, a Conti operator exclaimed, “THERE IS NO WAY that we will not fulfill our promises after you pay.” In another conversation, a Conti actor noted the group’s “vast experience” in this field, even encouraging the victim to Google the group to find evidence that they never “bluff.” Conti further echoed these sentiments in the following remarks: “The chances that Hell will freeze are higher than us misleading our customers. We are the most elite group in this market, and our reputation is the absolute foundation of our business and we will never breach our contract obligations.”

This level of confidence and bravado is likely an important component of Conti’s ability to establish some level of trust — albeit under unique circumstances — with their “customers.” The only assurance a victim organization has in believing that their stolen data won’t be leaked is the threat actor’s word and, by extension, the group’s broader reputation. If Conti hopes to maximize payments, they have to employ a combination of coercive and persuasive tactics with firm assurances that they will uphold their end of the deal. This likely explains Conti’s firm, sometimes emotional language we observed in these types of interactions.

OPERATIONAL INSIGHTS AND TTPS
These conversations also yielded insight into some of Conti’s operational details and tactics, techniques and procedures
(TTPs). Conti uses ProtonMail, an encrypted email service, to communicate with victims. They also use various temporary mail and file storage sites, as revealed in their conversations with victims, including SendSpace, qaz[.]im and PrivatLab. The file hosting sites are especially useful, as Conti leverages them to share files with victims. In one case, the Conti operator directed the victim to download a deletion log from a PrivatLab site as proof that Conti destroyed all exfiltrated data after the victim paid the ransom. In another case, the same site was used to demonstrate that Conti could — and planned to — decrypt the victim’s files upon payment, with the victim uploading sample encrypted files and the threat actor returning their decrypted versions via the same file share site. Conti also mentioned using Disk Wipe, a free Windows application for permanent volume data destruction, to delete the victim’s files they exfiltrated after the victim paid the ransom.

Conti also uses a variety of other publicly available tools in their operations, based on our observations in CTIR engagements and open-source reporting. These tools and utilities enable every phase of their attack, including initial access, discovery, persistence, lateral movement, defense evasion and more. In addition to these publicly available tools, such as Cobalt Strike and ADFind, Conti also leverages utilities that are natively found on Windows operating systems, such as Windows Management Instrumentation (WMI), the Windows command-line utility Nltest, and remote desktop protocol (RDP).

In one instance, we observed the Conti operator making vague references to additional TTPs, including the infection vector. The actor informed the victim that they had infiltrated the victim’s network, “researched them, and found critical vulnerabilities, which enabled [Conti] to access and exfiltrate [the victim’s] documentation and encrypt [their] file servers, SQL servers, subdomains, and local networks.” Based on our observations in CTIR engagements, Conti actors leverage many different vulnerabilities for initial access and lateral movement. Specifically, we have seen them exploit the widely reported vulnerabilities affecting the Apache Log4j logging utility. We have also observed Conti targeting vulnerable Microsoft Exchange servers as the point of initial infection via PowerShell execution of webshells, according to CTIR findings. This serves as a reminder of the importance of organizations applying a patch management system and keeping all software up-to-date with proper security updates.

We also gleaned some insight into Conti’s dwell time, with an operator mentioning in one conversation that they had infiltrated the victim’s network and “stayed there for 18 days,” which, the actor noted, was enough time to “study all [of the victim’s] documentation and gain access to [the victim’s] files and services.” Dwell time, or the amount of time an adversary has access to a victim’s network, is often difficult to discern during incident response engagements. An organization may have insufficient logging and/or the initial infection vector is usually difficult to identify in most cases, adding to the challenge of pinpointing the exact timeframe an adversary may have gained access. In an April 2022 report, security researchers noted Conti activity spanned 19 days, which is highly consistent with the operator’s claim.

HIVE

COMMUNICATION STRATEGIES
Hive’s communication style differed significantly from Conti based on our observations. Compared to Conti’s somewhat scripted, more professional tone that mostly followed the same format across many conversations, Hive operators seem far more informal and less disciplined, with the conversations’ structure varying greatly and actors sometimes exhibiting poor operational security.

Hive’s greeting — “Hello and welcome to Hive. How may I help you?” — is much shorter and more direct than Conti’s introduction. The Hive operators do not lead with a full explanation of what happened to the victim, but instead jump right into ransom negotiations, informing the victim of how much money it will take to decrypt their files with little to no context. We saw Hive provide some generic, bulleted points on these topics, but they were much less detailed than those from Conti. Figure 2 shows an example, which was mentioned immediately after Hive greeted the victim and informed them of the ransom amount.

As seen from this excerpt, which is largely representative of the general tone of all the Hive chats we reviewed, the exchange is short, direct, and not customized for the specific victim. Separately, we observed a few instances of Hive mentioning that they would provide the victim with a security report upon payment, but we did not see such a report provided in the communications we analyzed.

Figure 2. Example of communications between Hive ransomware actors and a victim.

Hive almost never employs any of the persuasion strategies we observed with Conti, such as marketing ploys, fear, or coercion. In the few times we did observe a Hive operator attempt to use persuasive language, it was short, matter-of-fact, and usually prompted by a question from the victim rather than Hive leading with a forceful appeal. We also observed Hive quickly become more aggressive if the victim failed to respond to the ransomware operator’s initial greeting. In one case, after a victim failed to respond 14 days after Hive’s initial communication, the Hive operator declared that their patience was gone and threatened to send a copy of the victim’s data to the Securities and Futures Commission (SFC), a Hong Kong regulatory agency. The operator even provided individual email addresses of SFC members he planned to send the data to. Hive operators also quickly and dramatically increased the ransom demand if the victim did not respond, as seen in the excerpt above, where the ransom payment eventually jumped from $2 million to $10 million after seven days without communication from the victim.

RANSOM NEGOTIATIONS
Hive’s ransom demands are typically valued at 1 percent of the victim company’s annual revenue, according to Hive operators. Based on our analysis, we largely found this to be the case, but in some instances, the ransom was slightly higher at around 1.5 percent. Much like Conti, Hive appears very willing to lower their ransom demand, indicating their initial figure is rarely their bottom offer.

The deduction percentage varied widely across victims and did not appear to follow any particular rule or structure. Observed deductions included 10, 15 and 25 percent and even upwards of 30 and 66 percent in other cases. These changes to the ransom demand were usually made rather easily, with little to no hesitation. However, Hive was quick to drastically increase ransom demands as punishment for lagging victim responses, as previously highlighted. In terms of victims, Hive confirmed that they target all industry verticals rather than focusing on certain sectors like healthcare.

Just like most other ransomware groups, Hive communicates with its victims via a chat portal hosted on The Onion Router (TOR). In their ransom notes, Hive provides the same TOR URL but delivers custom login credentials for each victim, which they use to log in to the chat portal to communicate with the ransomware operators.

Upon logging in, the victim’s custom page is displayed (Figure 3), with the chat dialogue displayed in the center. The company’s profile is featured on the left, which includes the organization’s name, a brief summary of the entity, the company’s website, and figures representing its revenue and number of employees. The right side of the page features a countdown to the payment deadline, a link to download the decryption software, and Hive’s ransom demand and corresponding Bitcoin address to submit payment.

We observed one instance in which a Hive operator appeared to reward the victim communicant for helping negotiate the deal with the victim. In that exchange, the negotiator asked the Hive operator to keep 70 percent of the ransom amount upon payment and give the remaining 30 percent to themselves. The Hive actor ultimately agreed to give the negotiator 10 percent once the payment was made. In several cases, we observed negotiators operating on the victim’s behalf, but this was the only instance where we saw Hive collaborate with them and share profits.

While this may have been an anomaly, it could represent ransomware actors’ willingness to receive payment by any means. This payoff to the victim negotiator, combined with both Hive and Conti’s propensity to lower ransom demands, reinforces the notion that these operators are highly opportunistic and will make compromises during their operations to compel victims to pay. This theme is also reinforced by Hive’s admission that they do not focus on targeting any particular industry, suggesting instead that they
indiscriminately target organizations they may perceive are the easiest to compromise or extort.

This exchange between Hive and the negotiator may also represent the lack of standard operating procedures within the Hive group. Relatedly, it possibly represents the potential for individual affiliates to be either less disciplined — or more innovative, depending on one’s interpretation — during their operations to do anything necessary to convince their victims to pay. The notion of being undisciplined is strengthened by another observation we made, mentioned in the next section, where we saw a Hive affiliate display poor operational security.

Figure 3. Customized victim page.

OPERATIONAL INSIGHTS AND TTPS
The Hive operators revealed a surprising amount of information about various components of their operation, including details pertaining to the ransomware payload, the encryption process, and various tools and communication platforms they use. They mentioned that the ransomware payload is unique or custom for each individual victim, noting that for this reason, the file hash will not be useful for security personnel and network defenders. The operators were also forthcoming about sharing the ransomware hash with the victim when asked, even going so far as to provide the VirusTotal URL linking directly to the file sample in one case.

In one of the communications we reviewed, the Hive operator stated that it is impossible to recover the decryption keys from memory and decrypt files. The ransomware overwrites the decryption key in memory to prevent its recovery.

In terms of the encryption process, the threat actor revealed that the ransomware only encrypts about 100KB of each file, including the first 4KB, the last 4KB, and several blocks in the middle of the file. The Hive operator noted that the ransomware acts fast, which is probably enabled by this partial encryption. The Hive ransomware is not aware ahead of time how big or small the files are that it will need to encrypt, so it has to make a tradeoff decision between speed and accuracy. That tradeoff is seen in the ransomware encrypting files quickly, but not thoroughly. Mistakes the Hive developers made in their encryption schema make key recovery trivial. The malware only partially encrypts files, and reuses a small key for every file it encrypts. The Hive malware authors likely thought they were being clever by overwriting the key in memory after the encryption process was complete to prevent investigators from recovering the key directly from device memory, but they were not clever enough to realize that they made the classic cryptography blunder of one-time-pad reuse, which allows the user to recover the key simply by comparing the encrypted contents together bitwise. This type of error suggests the malware developers are not well-versed in crucial cryptography mechanisms. We assess that many other ransomware groups likely have similarly glaring problems, especially ones that advertise speed as a performance metric.

The encryption process is started by a random field value, according to the Hive operator, and after the encryption is completed, the program overwrites the area of memory where the key was stored to prevent key recovery. They note that private and public RSA keys are only used to encrypt/decrypt the random field value, and it is only possible to decrypt the files if you know that random field value. While the actor specified the “random field” is not generated by a pseudo-random number generator (PRNG), this detail appeared to be a sarcastic comment made in jest, based on the context of the chat. A PRNG is an algorithm used to

symmetric key used, not the victims’ files. In other words, Hive only uses asymmetric RSA public key encryption for securing the symmetric key used to encrypt all the files, an important distinction.

The Hive operator confirms the generated key is re-used to encrypt all the files. They then state it is “exported,” possibly meaning “written,” to “disk using a few RSA public keys applied.” This possibly means RSA public key encryption is used to encrypt the key on disk. After the file content encryption routine is done, the key is re-written to prevent recovery from memory. This suggests the key used for file content encryption is a symmetric key, which is obscured by a public key routine. The affiliate further states the decryption software has RSA private keys used to decrypt the exported (presumably symmetric) key, which is then used to decrypt file contents. It appears that the actors mean the symmetric key is stored in memory, but the key itself is encrypted using RSA public key encryption. If this is the case, it would be difficult to recover the key even if it was not over-written later in the execution. However, it does not matter what the actors do to try and hide the key during the encryption process; the problem resides with symmetric key reuse in the first place, which allows a person who only has access to the encrypted file contents to then shake out the symmetric key by comparing the encrypted files to each other bitwise. Separately, the Hive operator also noted that the key file usually has the extension “*.key.*” — such as “.key.frg.15” — and is typically located at the root directory of the shared folders, according to the Hive actor.

In this same conversation, the Hive actor said that they use “some kind of Vernam’s cipher,” not an AES cipher, for encryption. This speaks to the key length constraints mentioned above: Notably, Vernam’s cipher — a simple substitution cipher — requires the key length to be the same as the message text length, which is possibly why only 100KB of each file is encrypted.

This detailed account of Hive’s ransomware and encryption process underscores the actor’s poor operational security. During these conversations, the Hive operator noted that they had never disclosed this encryption information to
create a value which appears random, and is often used as a anyone before, raising questions about why they elected to
seed to generate entropy in cryptography systems for tasks share such details in that particular instance. It is possible
related to key security and modes of operation. that they were boasting about that component of their
They also noted that encryption is done using public operation and they simply did not understand, or care
RSA keys, decryption is done using private RSA keys. It's about, the significance of sharing this type of information.
important to note this is only the case for encrypting the Regardless, these disclosures again suggest a lack of

© 2022 Cisco and/or its affiliates. All rights reserved. | talosintelligence.com page 10
discipline or standard operating procedure, as well as a strong disregard for safeguarding sensitive information.

We note that these chats predate the recent research published by researchers from South Korea's Kookmin University detailing a method for decrypting files infected with Hive ransomware. The Korean Internet and Security Agency (KISA) released a recovery tool about a month later. Based on more recent Hive-victim conversations from March that we obtained, the ransomware operators appear to be using their updated encryptor and imply that any other decryption tool would be useless. For example, in their initial greetings with victims, they now state, "Please note that it is updated encryptor, there is no way to decrypt files other than to pay." Hive updated their ransomware in early March to address the encryption flaws revealed by the researchers, according to open-source reports. In late March, the actors made additional updates, converting their VMware ESXi Linux encryptor to the Rust programming language and adding new features to make it harder for security researchers to monitor their negotiations with victims. This indicates that the Hive developers are still very active and intent on continuing their operations despite repeated setbacks by security researchers and government efforts to thwart their activities.

In addition to these specific revelations about encryption methods, Hive also provided some more general insight into their operations, mentioning in one exchange that they did not put much effort into trying to evade detection. This confidence in their operations was echoed in other communications, where they flaunted their reputation, the ransomware’s encryption speed, and skills at evading detection, noting in one exchange that, “Almost all antiviruses are useless against real hackers.” Despite the actor’s claim, we have observed Hive using some defense evasion tactics based on CTIR data, including abusing msiexec.exe to proxy execution of malicious payloads, deleting shadow copies, clearing Windows event logs, and modifying and/or disabling security tools, such as antivirus software, to avoid detection of their malware, tools and activities.

Similar to Conti, Hive uses a combination of tools and utilities found natively on the victim’s operating system, such as RDP, PsExec, msiexec, and PowerShell, along with publicly available tools like Cobalt Strike, AnyDesk and others, according to CTIR findings. They also use various file sharing sites, such as PrivatLab and ProtonMail, to communicate with victims, based on the communications we reviewed.

GENERAL GUIDANCE AND MITIGATION STRATEGIES

These conversations revealed that, like many cybercriminals, Conti and Hive are opportunistic actors who likely seek to compromise victims through the easiest and fastest means possible, which often include exploiting known vulnerabilities. This is a reminder to all organizations to implement a strong patch management system and keep all systems up-to-date. Another way to mitigate the threat of adversaries exploiting vulnerabilities is to monitor for suspicious network traffic, such as large quantities or anomalous activity that could be indicative of scanning. Threat actors may conduct vulnerability scanning to collect host information that can be used to identify exploitable or unpatched software and applications. Vulnerability scans typically harvest running software and version numbers, listening ports or other network artifacts to identify any weaknesses.

Organizations should also perform general system hardening that includes removing services or protocols running on endpoints where they are unnecessary. Ensure that unnecessary ports and services are closed to prevent the risk of discovery and potential exploitation. Additionally, organizations should consider hardening devices, including systems, networks, and security devices, to minimize and limit the success of any attacks. This includes actively adding applications to the allowlist and blocklist in order to control which programs are operating on your system.

It is also essential for organizations to implement policies to prevent adversaries from using credentials that are either sold on dark web cybercriminal forums or that have been leaked in other data breaches. Organizations should require employees to use multi-factor authentication (MFA) to provide a higher level of security and ensure that leaked or stolen credentials cannot be used to access systems and resources. Creating long, complex passwords and enabling MFA will help prevent threat actors from using stolen or default and valid credentials. If feasible, require MFA for all users with administrative privileges, as well as external login and remote access methods for applications used within the environment. MFA is the most effective method for preventing remote-based compromises and can stop access to compromised accounts by requiring all users to provide a second form of authentication.

If valid accounts are compromised or leveraged, conduct a full password reset, especially for all privileged accounts in the domain. The lack of MFA remains one of the biggest impediments to enterprise security. Many ransomware and phishing incidents could have been prevented if MFA had been properly enabled on critical services, such as a virtual private network (VPN) or endpoint detection and response (EDR) solutions.
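The Hive encryption discussion above (partial encryption of a fixed head and tail of each file, an XOR-based Vernam-style keystream, and reuse of that keystream across files) can be modelled in a few lines. The following is an added illustration written for this page, not code from the report or from the Hive malware; the chunk size, keystream and sample files are all constructed stand-ins (the real scheme uses 4KB regions and much longer keys). It shows the two properties the text relies on: XORing two ciphertexts makes the shared keystream cancel, and one file with known contents (a copy from backup, or a format's fixed header and trailer) gives the keystream back and with it every other file.

```python
"""Toy model of keystream reuse in a partial, Vernam-style (XOR) file encryptor.

Educational model only: it demonstrates why a reused keystream can be recovered
from ciphertext plus one known plaintext, and why two ciphertexts XORed together
cancel the key. All values below are constructed for the example.
"""

CHUNK = 8  # toy stand-in for the 4KB head and 4KB tail regions described in the chats

# Constructed 2*CHUNK-byte keystream; in the flawed design the same value is reused
# for every file that is encrypted.
KEYSTREAM = bytes.fromhex("5a3c9e17b2f04d86c1e37a5d0f9b6243")

# Constructed sample files with predictable headers/trailers, the kind of known
# plaintext an analyst can rely on (format magic bytes, or a backup copy).
FILE_A = b"%PDF-1.7\n" + b"A" * 20 + b"\n%%EOF\n"
FILE_B = b"PK\x03\x04" + b"B" * 30 + b"PK\x05\x06"


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings (the Vernam operation)."""
    assert len(a) == len(b)
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_partially(data: bytes, keystream: bytes) -> bytes:
    """Encrypt only the first and last CHUNK bytes; the middle stays in the clear.
    XOR is its own inverse, so the same call also decrypts."""
    if len(data) <= 2 * CHUNK:
        return xor_bytes(data, keystream[: len(data)])
    head = xor_bytes(data[:CHUNK], keystream[:CHUNK])
    tail = xor_bytes(data[-CHUNK:], keystream[CHUNK : 2 * CHUNK])
    return head + data[CHUNK:-CHUNK] + tail


def keystream_cancels(c1: bytes, c2: bytes, p1: bytes, p2: bytes) -> bool:
    """The 'compare encrypted contents bitwise' property: with a shared keystream,
    c1 XOR c2 equals p1 XOR p2 in the encrypted regions, i.e. the key drops out."""
    head_ok = xor_bytes(c1[:CHUNK], c2[:CHUNK]) == xor_bytes(p1[:CHUNK], p2[:CHUNK])
    tail_ok = xor_bytes(c1[-CHUNK:], c2[-CHUNK:]) == xor_bytes(p1[-CHUNK:], p2[-CHUNK:])
    return head_ok and tail_ok


def recover_keystream(ciphertext: bytes, known_plaintext: bytes) -> bytes:
    """One file whose original content is known yields the whole reused keystream."""
    assert len(ciphertext) == len(known_plaintext) > 2 * CHUNK
    head_key = xor_bytes(ciphertext[:CHUNK], known_plaintext[:CHUNK])
    tail_key = xor_bytes(ciphertext[-CHUNK:], known_plaintext[-CHUNK:])
    return head_key + tail_key


def recover_other_file(known_plain: bytes, known_cipher: bytes, other_cipher: bytes) -> bytes:
    """End-to-end recovery: derive the keystream from the known pair, then decrypt a
    second file that was encrypted with the same reused keystream."""
    return encrypt_partially(other_cipher, recover_keystream(known_cipher, known_plain))


if __name__ == "__main__":
    ca = encrypt_partially(FILE_A, KEYSTREAM)
    cb = encrypt_partially(FILE_B, KEYSTREAM)
    print("keystream cancels across files:", keystream_cancels(ca, cb, FILE_A, FILE_B))
    print("recovered keystream matches:", recover_keystream(ca, FILE_A) == KEYSTREAM)
    print("second file recovered:", recover_other_file(FILE_A, ca, cb) == FILE_B)
```

The keystream length is what bounds the encrypted region, which is the point the report makes about Vernam's cipher: a keystream of `2 * CHUNK` bytes can cover only that many bytes per file, so the design either grows the key with the file or, as Hive did, encrypts a fixed slice. Overwriting `KEYSTREAM` in memory after the run changes nothing here, because every ciphertext still carries it.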
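The guidance above recommends monitoring network traffic for activity indicative of scanning. As an added example (not part of the report, and not tied to any specific product), the script below runs a simple sliding-window detector over constructed firewall-style connection records in an assumed `timestamp src dst port action` format: it flags a source that probes many ports on one host (a vertical scan) or one port across many hosts (a horizontal scan) within a short window. The thresholds and window are illustrative and should be tuned to the environment.

```python
"""Sliding-window scan detector over constructed connection-log lines.

Added illustration for the "monitor for traffic indicative of scanning" guidance.
The log format, addresses, thresholds and window are all assumptions for the example.
"""

from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)
PORT_THRESHOLD = 10   # distinct ports touched on one host  -> vertical scan
HOST_THRESHOLD = 10   # distinct hosts touched on one port  -> horizontal scan

# Constructed sample: "<ISO timestamp> <src_ip> <dst_ip> <dst_port> <action>"
SAMPLE_LOG = """\
2022-03-01T10:00:01 203.0.113.7 10.0.0.5 22 DENY
2022-03-01T10:00:01 203.0.113.7 10.0.0.5 23 DENY
2022-03-01T10:00:02 203.0.113.7 10.0.0.5 80 ALLOW
2022-03-01T10:00:02 203.0.113.7 10.0.0.5 443 ALLOW
2022-03-01T10:00:03 203.0.113.7 10.0.0.5 445 DENY
2022-03-01T10:00:03 203.0.113.7 10.0.0.5 3389 DENY
2022-03-01T10:00:04 203.0.113.7 10.0.0.5 8080 DENY
2022-03-01T10:00:04 203.0.113.7 10.0.0.5 8443 DENY
2022-03-01T10:00:05 203.0.113.7 10.0.0.5 5900 DENY
2022-03-01T10:00:05 203.0.113.7 10.0.0.5 5985 DENY
2022-03-01T10:00:06 203.0.113.7 10.0.0.5 1433 DENY
2022-03-01T10:00:07 203.0.113.7 10.0.0.6 445 DENY
2022-03-01T10:00:07 203.0.113.7 10.0.0.7 445 DENY
2022-03-01T10:00:08 203.0.113.7 10.0.0.8 445 DENY
2022-03-01T10:00:08 203.0.113.7 10.0.0.9 445 DENY
2022-03-01T10:00:09 203.0.113.7 10.0.0.10 445 DENY
2022-03-01T10:00:09 203.0.113.7 10.0.0.11 445 DENY
2022-03-01T10:00:10 203.0.113.7 10.0.0.12 445 DENY
2022-03-01T10:00:10 203.0.113.7 10.0.0.13 445 DENY
2022-03-01T10:00:11 203.0.113.7 10.0.0.14 445 DENY
2022-03-01T10:00:30 198.51.100.4 10.0.0.5 443 ALLOW
2022-03-01T10:01:10 198.51.100.4 10.0.0.5 443 ALLOW
2022-03-01T10:02:15 198.51.100.4 10.0.0.5 80 ALLOW
"""


def parse_log(text):
    """Parse the constructed format into (timestamp, src, dst, port, action) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, action = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, int(port), action))
    return events


def detect_scanning(events):
    """Return {src_ip: [(kind, detail, count), ...]} for sources whose activity inside
    any WINDOW-long span crosses a threshold. Denied and allowed connections both
    count: a scanner learns from either outcome."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[1]].append(ev)

    alerts = {}
    for src, evs in by_src.items():
        evs.sort()
        found = {}
        for i, (start, _, _, _, _) in enumerate(evs):
            window = [e for e in evs[i:] if e[0] - start <= WINDOW]
            ports_per_host = defaultdict(set)
            hosts_per_port = defaultdict(set)
            for _, _, dst, port, _ in window:
                ports_per_host[dst].add(port)
                hosts_per_port[port].add(dst)
            for dst, ports in ports_per_host.items():
                if len(ports) >= PORT_THRESHOLD:
                    key = ("vertical", dst)
                    found[key] = max(found.get(key, 0), len(ports))
            for port, hosts in hosts_per_port.items():
                if len(hosts) >= HOST_THRESHOLD:
                    key = ("horizontal", port)
                    found[key] = max(found.get(key, 0), len(hosts))
        if found:
            alerts[src] = sorted((k, d, n) for (k, d), n in found.items())
    return alerts


if __name__ == "__main__":
    for src, hits in detect_scanning(parse_log(SAMPLE_LOG)).items():
        for kind, detail, count in hits:
            print(f"{src}: {kind} scan, {detail}, {count} distinct targets in {WINDOW}")
```

On the sample, only `203.0.113.7` is reported (11 ports on `10.0.0.5`, then port 445 across 10 hosts); `198.51.100.4`, which opens two ordinary services over two minutes, is not. In production the same grouping would run over exported flow or firewall logs, and a hit is a prompt to check the target hosts against the patch and hardening guidance above rather than a verdict on its own.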
