The attacks that transpired last year alone arguably made ransomware the hot topic of the year and most likely a leading contender for 2020, as well, but a new element that cropped up late last year – attackers adding a layer of blackmail to the threat of locking a target’s computer system – solidified its standing.
The evolution, if one could apply such a lofty term, to blackmail stems from companies’ recent strides in better deflecting ransomware attacks.
Although the well-known threat actor The Dark Overlord was a pioneer, several groups have been implementing this tactic, including Maze, Sodinokibi and Nemty, since late last year, an indicator to many security pros that the bad guys are responding to improved security practices on the part of their intended victims.
“The attacker threatening, or going ahead with, disclosure of the stolen data is their way of forcing even those companies that have backup in place to reconsider paying the ransomware,” says Ilia Kolochenko, founder and CEO of ImmuniWeb.
Over the last several weeks Maze has wielded Sodinokibi ransomware as a lever to try and pry millions of dollars in ransom payments from a series of targets, most recently Medical Diagnostic Laboratories and the Gedia Automotive Group. Maze demanded 200 bitcoins from the former and when it refused to pay up allegedly posted stolen data to several dark web forums. Gedia also ignored the threat and had data revealed. Previously, Pensacola, Fla., and Travelex have also been involved in this type of attack.
Maze is so brazen that it has created a public website where it posts data stolen from companies that refuse to pay up.
The possibility that sensitive data could be released certainly preys upon the mind of most ransomware victims. In almost every case where a company, municipality or school district was hit, one of the first things those in charge mention is that they do not believe any data has been removed. This was generally a safe comment to make as attackers had not previously made a habit of stealing data prior to encrypting a system.
The addition of blackmail now removes their ability to throw out that particular safety net, and they can no longer hide what happened if the stolen data is made public.
“By threatening public exposure, attackers can add layers of pressure to their ransom demands, in addition to the potential fines from data protection acts like GDPR,” says Alex Guirakhoo, strategy and research analyst at Digital Shadows. “Even empty threats of exposure can be enough to elicit payment.”
If an organization pays the ransom, that does not mean the bad guys will comply and not make further use of the stolen information. That the people behind ransomware attacks are criminals and not to be trusted has always been one of the primary reasons law enforcement has advised against paying a ransom. It guarantees nothing.
“Stealing data simply gives them additional leverage to extort payment and, perhaps, other options for monetization - selling the data to other criminal groups or competitors, for example,” says Brett Callow, a threat analyst with Emsisoft.
Moshe Elias, director of marketing at Cymulate, notes criminals were forced to go in this direction in order to maintain their cash flow as fewer companies were opting to pay. In one sense these malicious actors were hoist with their own petard: the huge number of ransomware attacks gained a great deal of public exposure, thus raising awareness.
“Awareness has grown and companies are employing better protection against ransomware and better recovery methods from a successful ransomware attack,” he says, which has led to victims not paying despite not being able to recover their data – in some cases because they had cyber insurance to cover any loss.
Deciding to not pay has led to another plot twist. Over the last four months the size of the average ransom payout has dramatically increased for those who choose to give in to the demand.
The security firm Coveware recently reported that in the fourth quarter of 2019, the average ransom payment increased by 104 percent to $84,116, up from $41,198 in the third quarter of 2019.
The report specifically cited the ransomware groups now known for threatening to release data as one of the drivers of this higher cost.
“Some variants such as Ryuk and Sodinokibi have moved into the large enterprise space and are focusing their attacks on large companies where they can attempt to extort the organization for a seven-figure payout,” Coveware says.
Attackers still target smaller businesses, primarily using Dharma, Snatch and Netwalker ransomware but with demands as low as $1,500 – compared to the six- and seven-figure fees demanded from large organizations.
As with any adversarial relationship, one side generally comes up with a new weapon or methodology and it is then countered by the opposing side. Since the criminal element has now brought into play a further level of blackmail, defenders must adapt. Moshe Elias, Cymulate’s director of product marketing, points out that there are already tools available that can inform a targeted firm that data is being exfiltrated.
“What’s most surprising about this attack (Medical Diagnostic Laboratories) is that any fully functioning Data Loss Prevention solution should assist in detecting unwanted data that’s been accessed and sent out of the organization. Such a large amount of data, such as 100GB, should at least raise a flag if not completely kill the communication channel for exfiltration,” he says, adding, “As ransomware has shifted to exfiltrating data and then encrypting it on the customer side, it’s imperative that all network security controls are optimized at all times to avoid these types of gaps.”
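The kind of volume-based flag Elias describes, as an added illustration that is not part of the article or of any vendor's product: the flow-log lines, the per-host baselines and the two thresholds (an absolute 50 GB/day ceiling and a ten-times-baseline ratio) are all constructed here for the example.

```python
import re
from collections import defaultdict

# Constructed flow-log lines (not from the article): time, internal host, destination, bytes sent.
SAMPLE_FLOWS = """\
2020-01-10T02:14:05 src=srv-files01 dst=203.0.113.7:443 out_bytes=48318382080
2020-01-10T02:51:40 src=srv-files01 dst=203.0.113.7:443 out_bytes=53687091200
2020-01-10T09:03:12 src=ws-finance04 dst=198.51.100.20:443 out_bytes=2147483648
2020-01-10T09:10:45 src=ws-finance04 dst=198.51.100.21:443 out_bytes=536870912
2020-01-10T11:22:03 src=srv-mail02 dst=192.0.2.55:25 out_bytes=734003200
2020-01-10T13:05:19 src=ws-temp77 dst=203.0.113.9:443 out_bytes=10485760
"""

# Constructed per-host baseline: typical daily egress learned over a prior observation window.
BASELINE_DAILY_BYTES = {
    "srv-files01": 3 * 1024**3,     # 3 GiB/day of normal sync traffic
    "ws-finance04": 200 * 1024**2,  # 200 MiB/day
    "srv-mail02": 600 * 1024**2,    # 600 MiB/day
}

ABSOLUTE_LIMIT = 50 * 1024**3  # hard ceiling: 50 GiB out of one host in the window
RATIO_LIMIT = 10               # or ten times the host's own baseline, whichever trips first

LINE_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) out_bytes=(?P<bytes>\d+)")

def egress_per_host(log_text):
    """Sum outbound bytes per internal host across all parsable flow lines."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            totals[m["src"]] += int(m["bytes"])
    return dict(totals)

def find_exfil_candidates(log_text, baseline=BASELINE_DAILY_BYTES):
    """Return (host, bytes_sent, reason) for hosts whose egress breaks a rule.

    A host with no baseline is surfaced for review rather than silently ignored,
    since an unknown machine pushing data out is exactly what should be looked at.
    """
    alerts = []
    for host, sent in sorted(egress_per_host(log_text).items()):
        base = baseline.get(host)
        if sent >= ABSOLUTE_LIMIT:
            alerts.append((host, sent, "absolute_limit"))
        elif base is None:
            alerts.append((host, sent, "no_baseline"))
        elif sent >= RATIO_LIMIT * base:
            alerts.append((host, sent, "ratio_limit"))
    return alerts
```

Run against the sample, the file server trips the absolute ceiling (about 95 GiB), the finance workstation trips the ratio rule at 2.5 GiB against a 200 MiB baseline, and the mail server stays quiet; a real deployment would feed the aggregated counts to the DLP or SIEM rather than print them.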
Whether or not Medical Diagnostic Laboratories had the internal staff in place to handle this attack is something only the company knows, but Bret Padres, CEO of Crypsis Group, says companies that find themselves in this position can turn to what is another hot topic: cyber insurance. Such coverage will not only help defray any financial loss, but insurance firms can also help smaller or less tech-savvy firms recover from an attack.