Ransomware Gangs Stoop To Cold-Calling Victims When They Restore From Backups Without Paying

Ransomware Gangs Stoop To Cold-Calling Victims When They Restore From Backups Without Paying

Stooping to further moral degradation, some ransomware gangs are now cold-calling victims in a bid to direct pressure on them. They do it when cyber actors realize that victims might restore from backups and keep away from paying the ransom.

Evgueni Erchov says that it has been the trend since at least from August to September during this year. He is the director of IR and cyber threat intelligence at Arete Incident Response.

Why are they doing this? The Cold-calling tactic aims to force the hacked company to pay the ransom in place of seeking other options. Some of the cyber gangs that have called their victims are Sekhmet, Maze, Conti, and Ryuk.


Are you dealing with a cyber extortion incident? Lifars offer an elite response on behalf of your organization since cyber extortion containment is our expertise.


The call-center to make cold-calling

It is possible that all ransomware gangs use the same call center. It is likely since the templates and scripts used are alike across all the variations received.

The callers have a heavy accent, hinting they were non-native English speakers. It came to light according to a recorded call made in the name of the Maze ransomware gang.

Evolution in ransomware extortion tactics

With time, ransomware extortion tactics have evolved.

Initially, the demands were usually to increase the ransom amount when victims did not pay in an allotted time. Likewise, threats used to come from cyber gangs to notify journalists regarding the breach of the victim’s company.

Sometimes, victims end up getting intimidated by ransomware gangs to leak sensitive information on the dark web. These cyber threat actors usually possess sites on the dark web for this purpose.

However, the use of cold-calling is a new addition to the arsenal used by ransomware gangs. They are trying to increase pressure on victims to pay ransom demands following successful malicious encryption.

Remember, it is true cyber threat actors are now making calls for ransom paying, but the calling action is not new. For example:

In April 2017, the Action Fraud group in the UK informed educational institutes that ransomware gangs were calling their headquarters. They pretended to be government employees and persuaded the institutes’ representatives to open malicious files.


For any company, the security of internal sensitive data is the most critical element. Breaching of such data can cause irreversible damage to the reputation of the company. Consequently, data breach response should come immediately within 24 hours after the discovery of it.



A new addition to the arsenal of ransomware gangs: cold-calling victims

Big names from the cyber mafia are using cold-calling tactics