Ransomware gangs have been cold-calling victims when they suspect their targets are attempting to restore their systems from backups without paying the ransom. The calls are meant to pressure victims into paying instead of pursuing alternatives.

Evgueni Erchov, the director of IR and Cyber Threat Intelligence at Arete Incident Response, says that the trend has been going on from August to September this year.

Some of the groups that have called their victims in the past include Sekhmet and Maze (both defunct), Conti, and Ryuk. The tactic may seem desperate, but cybercriminals are not above doing this to get a payday.

The cybercrime call-center

Bill Siegel, the CEO and co-founder of Coveware (a cybersecurity firm), says that the gangs may all be using the same call center group in an outsourcing model. This seems likely because the templates and scripts used are similar across all the variations received.

Arete IR and Emsisoft (another cybersecurity firm) say that they have seen scripted templates in phone calls aimed at their customers.

In a recorded call made on Maze’s behalf, the caller had a heavy accent, which indicates that they are probably not a native English speaker.

Threats

The calls typically start the same way:

“We are aware of a third-party IT company working on your network. We continue to monitor and know that you are installing SentinelOne antivirus on all your computers.”

The callers then assert that this will not help, and that if the company wants to stop wasting time and solve the problem, it should discuss the situation with the attackers in the chat, or the issues in the network may never end.

It’s a threat intended to evoke actions favorable to the attackers.