Scared they’ll not get their money, ransomware gangs have now started cold-calling their victims in an attempt to apply some pressure to pay up. To clarify, if hackers suspect that the hacked company are trying to restore from backups rather than paying their ransom demands, they start dialling.

Evgueni Erchov, Director of IR & Cyber Threat Intelligence at Arete Incident Response, says this has been happening since “August – September 2020.”  In the past ransomware groups that have called victims included

  • Sekhmet (now defunct)
  • Maze (now defunct)
  • Conti
  • Ryuk

This information was shared by a spokesperson for cyber-security firm Emsisoft.

Because the templates and scripts are basically the same across the variants, Bill Siegel, CEO and co-founder of cyber-security firm Coveware, believes all the ransomware gangs use the same outsourced call centre.

Likewise, both Arete IR and Emsisoft say their customers have experienced scripted templates in phone calls received from ransomware gangs.

In addition, from a recorded conversation, made on behalf of Maze, callers were not thought of as English speaking as they had heavy foreign accent.

Below is an example of a transcript call with the victims names removed and redacted.

“We are aware of a 3rd party IT company working on your network. We continue to monitor and know that you are installing SentinelOne antivirus on all your computers. But you should know that it will not help. If you want to stop wasting your time and recover your data this week, we recommend that you discuss this situation with us in the chat or the problems with your network will never end.”


Ransomware gangs want to put pressure on victims to pay ransom demands once they’ve encrypted corporate networks. So, the use of phone calls is another tactic to get their money.

In the same vein, other past tactics included the use of

  • ransom demands that double in value if victims don’t pay during an allotted time.
  • threats to notify journalists about the victim company’s breach.
  • or threats to leak sensitive documents on so-called “leak sites” if companies don’t pay.

In other words, this isn’t the first time that ransomware gangs have called victims. But it is the first- time ransomware gangs have used this escalation tactic to harass their victims into paying the ransom.

Back in April 2017, ransomware gangs were calling schools and universities, pretending to be government workers, and trying to trick employees into opening malicious files that led to ransomware infections. The UK’s Action Fraud group had to step- in and warn schools and universities across the country.

Perhaps we’ll see more cold-calling in the future if businesses and the like are putting in place their security measures. Let’s hope so!