Costa Rican President Carlos Alvarado Quesada arrives at United Nations headquarters during the 76th Session of the U.N. General Assembly on Sept. 21, 2021, in New York City. The Conti ransomware group recently disrupted Costa Rica's government computers. (Photo by John Minchillo/Pool via Getty Images)

An analysis of 40 negotiations from Hive and Conti showed stark differences between the two ransomware group's negotiating tactics. Hive was more freewheeling and less businesslike. Conti offered limited-time offers and holiday discounts.

"It is advantageous for defenders or anyone that's going to have to deal with these negotiators to kind of get an idea of what type of tactics do they use, what type of [business] language they use, how hardened are they around deadlines and things like that," said Nick Biasini, threat researcher and head of outreach for Cisco Talos, which conducted the research.

Both Hive and Conti negotiate prices based on apparent research into victims. Hive generally set its opening bid at 1% of annual revenue, though sometimes ranged as high as 1.5% of annual revenue. From there, the group would could be negotiated down. The group would offer reductions between 5% and 25%, though occasionally between 30% and 66%. Conti, too, did advance research, offered a price, and was quick to lower it in negotiations.

What set Hive apart was its hardball style of negotiation. Messages were short and no-nonsense, and the group was quick to make escalators threats, including increasing ransom demands or threatening to leak data to a securities regulatory commission for what they saw as delayed communication. In one case, they increased a $2 million ransom to $10 million after a victim did not communicate for a week. In more successful negotiations, Hive offered third-party negotiators kickbacks for paid ransom.

Conti, on the other hand, negotiated with scripted empathy — what Biasini likened to used-car salesman tactics. They offered holiday discounts and limited-time offers, security reports to help victims prevent further intrusion, and told victims to search for prior victim's online accounts of their good customer service and follow-through with promises even after the ransom was paid.

"Even though that report probably isn't going to contain anything that's hugely valuable, they want to think, they'll at least help you try to understand what we did," Biasini said.

The security report obtained by Cisco Talos was generic, and appeared to be written to be reusable for multiple victims.

The freewheeling, unscripted communication style of Hive created operational security problems for the group. Negotiators revealed information about the encryption process and the pricing scheme that the group would likely rather keep secret. Hive encryption, its negotiator said, was not AES but a Vernam’s cypher.

In all, Biasini said he hoped there would be more systemic research into negotiating styles rather to complement the computer science that tends to take center stage.

"There's a lot of attention paid to the technical side of things with ransomware operators, like how they compromised systems, what the affiliates do when they're in infrastructures, how the actual ransomware operates on the systems themselves and in environments. We wanted to pay some attention to who are the actual people that you're negotiating with on the back end," he said.