In a series of ransomware payment negotiations last December, operatives from a gang known as “Egregor” alternated from treating their victims with surprising civility, and behaving like cartoonish movie villains.
“The Egregor Team wishes you a Merry Christmas and a Happy New Year,” they’d say at intervals of their chat room communications, sometimes in the middle of an extortion back-and-forth. “We wish you wisdom in your decision making and financial stability in this difficult time for us all. Happy Holidays!”
In another exchange, they weren’t as kind, threatening to leak victims’ data and publish it on a website as a warning to other organizations that might fall in the group’s crosshairs.
“We simply need to determine what category you should be placed in. In the category of those who are ready to negotiate and pay or in the category of scarecrows on our news site,” one exchange read. “It’s not so important for us in what role you will serve us.”
Egregor has since disappeared, following an international sting in February. Now, though, more than 100 pages of Egregor negotiation transcripts — obtained and analyzed by IBM Security X-Force and its partner company Cylera, and reviewed by CyberScoop — shed light on the oft-opaque structure of a ransomware operation. The discussion records also demonstrate how victims proved most effective at convincing their extortionists to reduce the amount demanded to decrypt their systems, with one medical organization turning a $15 million ransom into a $2 million payment.
Egregor was responsible for $80 million in losses worldwide, according to a Ukrainian law enforcement estimate, after first surfacing in September of last year.
The information on the approximately 45 negotiations in the chat logs, first reported by CyberScoop and set for fuller release Wednesday, comes after a similar disclosure of ransomware negotiations the blockchain analysis company Elliptic released on Monday. Elliptic’s cache of negotiations, though smaller, featured chats with a different gang, REvil. The REvil negotiations, though, underscored some of the trends in the Egregor chats, as well as illustrate differences between big-name ransomware operators.
Despite Egregor’s apparent disappearance in February, “our observations of Eregor and the chat negotiations are still really applicable because it’s really not unique to Egregor,” said Allison Wikoff, senior strategic cyber threat analyst for IBM Security X-Force. “We’ve got similar observations with other ransomware families that are still operating.” And ransomware operatives who escape capture sometimes re-emerge with other gangs, reusing methods they employed elsewhere.
IBM said that Cylera, a medical device security company, discovered the chat logs. IBM then checked the timestamps against bitcoin wallets used to pay Egregor to verify their legitimacy, according to Wikoff.
That doesn’t mean everything the Egregor negotiators say in the chat logs is true, however, given ransomware operators’ tendency to exaggerate or make false claims to advance their ends.
Egregor is one of several prominent ransomware gangs to adopt an affiliate model, where malicious software developers lease access to their hacking tool in exchange for a share of profits.
Egregor, believed to be a successor to the Maze gang, was one of the earliest adopters of another innovation, said Andrew Brandt, principal researcher at SophosLabs, which has tracked Egregor’s evolution. The tactic involves not only locking up systems in exchange for ransom, but threatening to release the hijacked data unless victims paid.
“We know very little to nothing about their internal structure,” Brandt said of ransomware gangs in general. “But there are some hints about the structure of their organization based on the way that they operate.”
Chris Caridi, strategic cyber threat analyst at IBM Security X-Force, said the company believed the chat transcripts feature the core Egregor team, which tended to handle negotiations on behalf of affiliates.
Victims reach out through a website chat portal after receiving a ransom note. A ransomware team member working in chat support asks who they’re speaking to, then makes an initial demand. (IBM redacted the victim names from the chat logs.) In conversations with victims, chat support members made reference to team members who hold other roles within Egregor.
“I’m just a support,” they say in broken English. “And we have finance department, PR manager, the data manager, attackers, decryption tools master-maker and so on.” Other roles mentioned include publications manager and IT specialist.
In one case, an Egregor staffer gave a victim a sense of how they arrived at their initial ransom demand, saying the gang uses analysts to ask for 5% to 10% of estimated potential losses if victims don’t pay.
Claims of having many team members with different roles are at least partially true, Wikoff suggested, pointing to the criminals operating to some degree like a business.
That aligns with the experience of GroupSense, a company that operates a ransomware negotiation service.
“We do tend to at least believe, to some extent, that there are multiple people who have defined roles on the other end of the negotiation,” said Bryce Webster-Jacobsen, GroupSense’s director of intelligence operations.
Occasionally GroupSense will see the speaking style and tone of someone in chat support evolve, suggesting shift changes based on the hour of day.
At one point in an Egregor negotiation, a victim asked how many people work in chat support.
”Many of us,” chat support answered.
“That makes sense, you are always here!” the victim replied. “Is it a good job? Just talking/negotiating with people all day must be fun. Are you hiring? LOL.”
Egregor chat support answered: “The work of communicating with so many customers is terrible. Thank you for your feedback.”
The Egregor chat transcripts provide a picture of both how ransomware gangs operate and negotiate, but also how victims were able to drive prices down.
At times, that gang’s chat support team members sought to demonstrate empathy. Learning that one of its victims was a charity, chat support personnel offered to decrypt its systems for free. But that offer came with a condition that involved bolstering the group’s reputation. “You will cover in the media the fact that we gave you the decryptors for free due to our social responsibility,” chat support said.
Ultimately, though, they proved willing to publish the data of anyone else who didn’t meet their price. It’s a takeaway to remember, said Wikoff. “These are not compassionate operators,” she said. “These are criminals.”
A concern for reputation maintenance often emerges in ransomware negotiations regardless of the gang involved, said Webster-Jacobson.
On the victim side, both Elliptic and IBM came to similar conclusions about the ransomware conversations they examined. “It definitely pays to negotiate,” said Tom Robinson, co-founder and chief scientist at Elliptic. Elliptic obtained ransom notes to gain access to the REvil negotiations, Robinson added.
REvil — infamous for high profile attacks on Colonial Pipeline, Kaseya and JBS before recently disappearing under mysterious circumstances — initially made a $50,000 ransomware demand in one case, only to settle on $25,000 after the victim counter-offered $10,000.
REvil also sought payment in Monero, a kind of cryptocurrency that’s harder to track than bitcoin, and harder to obtain, especially given fears of running afoul U.S. Treasury sanctions. When victims said they were unable to obtain Monero, REvil swiftly settled on bitcoin.
Victims in the Egregor chats also frequently used tactics like buying time to gather funds, downplaying the importance of the encrypted data or pleading poverty.
When victims claimed they couldn’t afford Egregor’s demand, the gang’s negotiators would respond by requesting tax reports. When one victim said they didn’t want to turn over such sensitive information, chat support replied, “So you can’t prove your poorness.”
With the exception of the one charity, however, and another firm one other organization that chat support said was locked up erroneously, Egregor chat support said the gang’s minimum price was $100,000.
The average initial demand of the Egregor chat transcripts was a little more than $5 million, IBM said. The average payment was $387,700.
The human cost
The chat transcripts reveal more than just the financial damage, though. Wikoff said it’s one thing to read about ransomware attacks in the news. It’s another thing to see people begging for their jobs during the Egregor negotiations, or worse.
Egregor’s feints at compassion stood in contrast with them demanding ransom from companies that said Covid-19 had severely damaged the victim’s business, and Egregor didn’t bend simply because of the holiday season.
“My advisor said there’s nothing I can do, that unless my salary was tripled, I could never reach $200,000 in my current state,” wrote one victim. “I had to beg my wife to ask her father for some money. He loaned me $15,000 but I feel so pathetic and I’m supposed to see him on Christmas, I don’t know how I’ll look him in the eye.”
Whether the victim was telling the truth or exaggerating their circumstances to maximize their negotiating power wasn’t clear. The Egregor negotiator probably couldn’t have known either, though, and showed no sign of compassion.
“A bank won’t give me any loans since we’re bankrupt and I’m already giving you my savings,” the victim wrote. “there’s nothing left for me to do. I have a total of $47,533.63. Please let me know.”
Chat support wouldn’t consider anything as low as a $100,000 payment for that victim, saying that was reserved for “the poorest companies,” and the victim didn’t meet that standard.
“We can’t do anything for you in this case. Sorry,” chat support wrote. “The amount is insufficient in our business model.”
The conversation ended with the victim saying they would scrounge up another few hundred dollars.
“Pity,” came the answer.