Several ransomware threat actors have taken to cold calling victims who are attempting to restore their files from backups to pressure them into paying the ransom demand. Several ransomware gangs including Sekhmet, Maze, Conti, and Ryuk are known to be using this tactic, which started around August/September this year.
The calls are scripted and are very similar across all of the different ransomware variants, which led Bill Siegel, co-founder and CEO of cyber security company Coveware, to believe the different ransomware gangs are outsourcing the cold calling to the same call center.
The callers have strong accents and do not appear to be native English speakers. Victims are told that the ransomware gang has been observing their attempts to recover files from backups by working with a third-party security company and that they are aware that new security solutions have been installed on their networks. Victims are told that they must pay the ransom in order to recover their files and paying the ransom will allow them to recover all encrypted data within the week, and that their current efforts to recover files will not work.
Ransomware gangs used to just encrypt files and issue a ransom demand, but more organizations are now adhering to cybersecurity best practices and are backing up their data and storing a copy securely off site. With a viable backup, files can be restored without paying the ransom demand. To make payment more likely, ransomware gangs started exfiltrating data prior to file encryption and issuing threats to publish or sell the stolen data if the ransom is not paid. This tactic helps to ensure payment is made even if the victim can recover files from backups.
There have also been cases where ransom demands have been issued to individuals whose personal data has been stolen, in addition to the ransom demand issued to the attacked company. Breach victims are told that the only way to prevent their data from being exposed is by personally paying a ransom payment. One ransomware gang even used a hijacked Facebook account to place Facebook Ads confirming a company had suffered a ransomware attack and a large amount of data had been stolen in the attack.