More Ransomware Gangs Join Data-Leaking Cult
Report: Nefilim, CLOP, Sekhmet Follow in Maze Gang's Footsteps
More bad ransomware news: Now even more cybercrime gangs are threatening to not only crypto-lock systems but also leak stolen data.
In recent days, Nefilim, CLOP and Sekhmet have become the latest ransomware operations to launch data-leaking sites, as Bleeping Computer first reported on Tuesday.
CLOP has been tied to an attack against Maastricht University in the Netherlands that resulted in the institution paying attackers a ransom of 30 bitcoins (now worth about $200,000). Nefilim appears to be a new version of Nemty and lists on its data-leak site two energy firms. And little is known about the new outfit called Sekhmet, which lists one victim on its site, Bleeping Computer reports.
The gangs' moves follow the Maze ransomware operators blazing the data-leaking trail last October (see: Maze Ransomware Gang Dumps Purported Victim List). Shortly thereafter, others followed suit, including the Sodinokibi - aka REvil - ransomware-as-a-service operation. Their impetus is to see whether threatening to leak data will result in more victims acceding to their ransom demand.
As an added wrinkle, leaking data could mean that more organizations have to issue data breach notifications or notify regulatory authorities under such laws as the EU's General Data Protection Regulation, if the leaks involved personal information.
In addition to leaking data, there are also signs that some gangs have been selling lucrative data via darknet markets.
"This development is not at all surprising," Brett Callow, a threat analyst at security firm Emsisoft, tells Information Security Media Group. "Data theft provides ransomware groups with additional leverage as well as additional monetization options."
Even so, security experts say it's not yet clear whether ransomware gangs threatening to leak stolen corporate data will compel more victims to pay a ransom.
"How this will work? Personally I think it's a very harsh tool, but it will go blunt very fast, in all respects, because when a company files that they've been breached and they go through proper authorities, it [the hacking group] kind of loses its leverage," John Fokker, head of cyber investigations and red teaming for McAfee Advanced Threat Research, told ISMG at last month's RSA Conference 2020 in San Francisco (see: Ransomware Gangs Hit Larger Targets, Seeking Bigger Paydays). "So I'm curious to see how this will evolve."
Sodinokibi's operators have been publicly discussing how to leak data in a manner best designed to force victims to pay.
"[We] have some interesting thoughts about auto-notification email addresses of stock exchanges (for example, NASDAQ), which will allow you to influence the financial condition of the company quickly and efficiently," reads a translation from a Russian-language cybercrime forum post shared with Bleeping Computer by malware analyst Damian.
Stealing data is not without its perils for ransomware gangs looking to amplify their profits. "While exfiltration is risky from the criminals’ perspective - the victim may notice the unusual activity and lock down their network before it can be encrypted - it’s a risk that many groups obviously consider worth taking," Emsisoft's Callow says. "Unfortunately, this trend is likely to continue to be common with more groups adopting the double-whammy style of attack."
Ransomware Attacks Rise
The push by more gangs to threaten to leak data - and apparently also shop it on cybercrime forums - comes as security experts have been tracking an ongoing, massive surge in crypto-locking malware attacks.
The underlying cybercrime economics are easy to understand: Attackers are doubling down on what's proven to be an unbelievably lucrative earner (see: Ryuk and Sodinokibi Surge as Ransom Payments Double).
"Ransomware attacks skyrocketed in 2019," Beazley Breach Response Services, a unit of global insurance company Beazley, says in a new report that charts a 131 percent increase in its clients falling victim to ransomware attacks, compared to 2018 (see: Cyber Insurance: The Myths and Realities).
"While the frequency of these attacks is on the rise, so is the severity and disruption caused by these events," Beazley says, noting that ransom demands have also increased dramatically, "with seven or even eight figure demands not being unusual."
Security experts expect the quantity and severity of ransomware attacks to increase this year, aided, in part, by a burgeoning cybercrime services economy (see: Report: Half of Breaches Trace to Hacking, Malware Attacks).
"Ransomware attacks in their current form are far too successful and profitable for cybercriminals to shift course," Beazley says.
As ransomware operators successfully extort higher and higher ransoms from victims, it drives more criminals to try their hand at ransomware, according to ransomware incident response firm Coveware.
Nasty Combination: Locking and Leaking
Even as many organizations have put better defenses in place against malware attacks, criminals have been upskilling and shifting tactics in an attempt to maintain their illicit revenue streams, for example, by leaking stolen data (see: Alarming Trend: More Ransomware Gangs Exfiltrating Data).
"We have already started to see attackers pairing ransomware encryption with data theft," Beazley notes. "Instead of encrypting data and asking for an immediate ransom, cyber criminals such as the Maze attack group are now starting to name and shame organizations."
Maze blazed that trail, quickly followed by other groups, including DoppelPaymer, Nemty, Snatch and the operators of Sodinokibi (see: Ransomware Gangs Hit Larger Targets, Seeking Bigger Paydays).
Attack Vectors: Phishing, RDP
While more cybercriminals are trying their hand at infecting victims with ransomware, their tactics remain largely unchanged. "The two most common forms of attack to deploy ransomware are phishing emails and breaching poorly secured remote desktop protocol," or RDP, which allows for remote access to desktops and servers (see: Ransomware Gangs' Not-So-Secret Attack Vector: RDP Exploits).
The ongoing COVID-19 pandemic means that more employees are working remotely, and they may be relying on remote connectivity services such as RDP. But unless such services are correctly locked down, they provide easy, remote access for hackers too.
"With the convenience of enabling employees to work from home, using RDP can make IT systems more susceptible to attack without the right security measures in place," says Katherine Keefe, Beazley's global head of BBR Services.
"The coronavirus has forced many more employees to work from home and in this pressured environment it is very important that companies take the right steps to reduce the vulnerability of their IT infrastructure," she says. "Always ensure employees can access their computer using a virtual private network with multifactor authentication. It is important to whitelist IP addresses that are allowed to connect via RDP, and make sure that unique credentials for remote access are in place - particularly for third parties."
Under Fire: Healthcare
As the COVID-19 outbreak continues, security experts have warned that attacks against the healthcare sector and its suppliers could not only disrupt systems but lead to an increased death count (see: 9 Cybersecurity Takeaways as COVID-19 Outbreak Grows).
As CERT EU, the EU's computer emergency readiness team, said in a Monday report focusing on healthcare sector threats: "The most prominent cases of attacks against healthcare institutions are ransomware incidents. The organizations in the sector have to operate in a time-sensitive manner and any disruption in the availability and correct flow of information may not only have dire consequences in their ability to function but may also directly threaten lives of patients. Under these restraints, healthcare institutions experiencing a ransomware attack are under immediate pressure to give in to ransom demands."
One concern is that nation-state actors might attempt to target critical infrastructure, including launching crypto-locking malware attacks. Already, COVID-19 disinformation campaigns have been tied to pro-Kremlin actors, who appear to be attempting to amplify the chaos surrounding the public health response to the disease (see: Russia Blamed for COVID-19 Disinformation Campaigns).
"If nation-states are found to be targeting health infrastructure in this crisis, they’re going to find that affected countries have long memories," says Alan Woodward, a professor of computer science at the University of Surrey.
Some ransomware gangs have pledged to offer free decryptors to healthcare organizations, but some already appear to have broken those promises.
Criminals' supposed ransomware decryption guarantees also overlook the fact that any infection of systems requires time and effort to remediate. As the number of COVID-19 cases grows worldwide, and many employees with suspected infections are forced to self-isolate, IT teams have even less time to troubleshoot problems than usual.
The security firms Coveware and Emsisoft are offering free help for any healthcare organization hit by crypto-locking ransomware (see: Fighting Coronavirus-Themed Ransomware and Malware).