More Ransomware Gangs Threaten Victims With Data Leaking22% of Ransomware Incidents Now Involve Data Exfiltration, Investigators Find
Ransomware gangs are increasingly not just claiming that they'll leak stolen data from victims that don't meet their ransom demand, but actually following through.
Criminals remotely gaining access to a victim's network, identifying and stealing sensitive data, and only then crypto-locking systems is becoming increasingly common. Security experts say it's all part of gangs' ongoing drive to experiment with new ways to pressure victims into paying - and that, unfortunately, these innovations are leading to higher profits.
Speaking at Information Security Media Group's Virtual Cybersecurity Summit: New York last week, attorney Craig Hoffman, who's co-leader for the digital risk advisory and cybersecurity team at BakerHostetler, said that in at least 25% of the ransomware cases his firm has helped investigate, attackers claimed to have not just crypto-locked systems, but also to have exfiltrated data (see: Ransomware Gangs' Ruthlessness Leads to Bigger Profits).
While it's easy for any ransomware attacker to claim that they first stole data, obviously at least some are indeed doing so (see: Avaddon Ransomware Joins Data-Leaking Club).
Indeed, ransomware incident response firm Coveware says that of the thousands of cases it investigated in the second quarter of this year, 30% involved attackers threatening to release stolen data. And in 22% of all cases, they had actually exfiltrated data, up from 8.7% in the first quarter.
Ransomware-Wielding Gangs' Profits Surge
Gangs' data-leaking threats have driven a boom in illicit profits. Comparing the first to the second quarter of this year, the average ransom payment jumped by 60%, from $112,000 to nearly $180,000, Coveware says of the cases it investigated.
The firm found that the rise didn't just come from big players, but from smaller players demanding much larger ransoms. That includes Dharma, a ransomware-as-a-service operation targeted at less skilled attackers, which in recent months began demanding the types of six-figure payoffs that used to be the hallmark of gangs such as Maze and Sodinokibi - aka REvil - before they too escalated their prices (see: Ransomware Payday: Average Payments Jump to $178,000).
Whereas 60% of first-quarter attacks traced to Sodinokibi, Maze and Phobos, by the second quarter, these top three families only accounted for 30% of attacks, Coveware says. "The rest were distributed among smaller and/or newer variants, such as Mamba, Snatch and DeathHiddenTear," it adds.
In short, attackers wielding a greater number of ransomware variants are demanding larger ransoms. "We don't get surprised too often in this industry as it's so humbling and fast moving to begin with, but we did not anticipate the flood of cheap RaaS services to move the needle like they did on market share," Coveware CEO Bill Siegel tells ISMG.
Clearly, ransomware is surging, despite the ongoing economic chaos caused by the COVID-19 pandemic.
"During lockdown, cybercrime didn't shut down - it's probably one of the few sectors that actually thrived, as opposed to say, for example, traditional crime," says Raj Samani, chief scientist at McAfee. He says increased ransomware profits are tied directly to criminals continuing to innovate - for example, by exfiltrating data to better pressure victims into paying.
Who's Who of Data Leaking
Security experts say more than a dozen gangs have not just threatened to leak data, but followed through by leaking files on their blogs. Those include:
- Ako (aka MedusaReborn)
- Clop (aka Cl0p)
- Dopplepaymer (aka Doppelpaymer)
- Mespinoza (aka Pysa)
- Nefilim (aka Nephilim)
- Ragnar Locker
- Sodinokibi (aka REvil, Sodin)
Threatening to leak data remains a tactic for increasing the psychological pressure on victims to quickly pay.
"From the threat actors' perspective, data exfiltration is a ‘conversion tactic' meant to force victims to quickly pay a ransom demand," Coveware says. "The intent is not to profit from the value of the data taken through resale, but to coerce more companies to pay that would have otherwise recovered from their backups."
Cartel, or Marketing Consortium?
Under the banner of the "Maze Cartel," the Maze gang in June began cross-posting data leaks from rival operations, including LockBit and Ragnar Locker (see: Maze Promotes Other Gang's Stolen Data On Its Darknet Site).
The same month, the RagnarLocker group posted to its site files from ST Engineering's VT San Antonio Aerospace subsidiary, which it said had been "provided by Maze."
What could prompt rivals to work together? The impetus behind this move was most likely marketing, says Victoria Kivilevich, a threat intelligence analyst at Israeli cybersecurity intelligence firm Kela.
"Based on the fact that these cooperation efforts were spotted over a month ago and we did not see any new postings, we can assume that this 'cartel' was just another marketing effort for ransomware gangs," she says in a blog post. "It means that threat actors behind the ransomware decided to jointly promote the leaks in order to intimidate victims, but it is hardly possible that they collaborated in terms of further monetizing the stolen data."
The moves by Maze shouldn't be surprising because it trail-blazed the trend of combining crypto-locking malware infections with data exfiltration, then attempting to "name and shame" victims into quickly paying via a dedicated site.
Such tactics, however, are hardly new. "A pioneer of the naming-and-shaming tactic is the Snatch team, which manages the ransomware of the same name," Kivilevich says. "In May 2019, the group went public with customer data belonging to German IT company Citycomp, which further exposed data related to BT, Ericsson, Hugo Boss and SAP. The gang created a website and released the data when Citycomp did not succumb to blackmail; later, the group published additional breaches."
While Snatch remains active on the ransomware-attack scene, she says it no longer appears to be attempting to name and shame victims or dump data via its blog.
Double Ransoms - Now With a Discount
One innovation being tested by some gangs is attempting to charge double ransoms. Sometimes, this gets marketed in a manner that resembles how retailers pitch goods - set a high price, then claim to offer a discount.
In a March 18 press release posted to Maze's blog, for example, the ransomware operators say that throughout the ongoing COVID-19 pandemic, "Discounts are offered for both decrypting files and deleting of the leaked data."
Subsequently, the Ako gang also began experimenting with the tactic of demanding multiple payoffs - one to delete stolen data and another to furnish a decryption tool.
This tactic appears to have been successful, in that some organizations say they've paid a ransom principally for the promise that their attacker will delete stolen data. That's what software vendor Blackbaud claimed earlier this month, when it revealed that it had paid ransomware attackers in July to cease their attack.
Similarly, the University of Utah this week said it paid attackers a $457,000 ransom in return for a promise to delete stolen employee and student information, while noting that it also received a decryption tool.
Auctions Also Highlight Victims
Another innovative new tactic on the ransomware scene has been the move by Sodinokibi -also known as REVil - to auction some stolen data to the highest bidder via its "Happy Blog" leaks site, payable in monero cryptocurrency (see: Ransomware Gangs Go ((Lady)) Gaga for Data Breaches).
"To participate in such an auction, a minimum deposit of 10% from the start price is required," Kela's Kivilevich says. "Also, auctioned data can be bought immediately at a 'blitz price' ranging from $50,000 to $42 million."
As of Tuesday, there were 15 live auctions on Sodinokibi's blog, making for a total of 22 that have been held to date, Kivilevich says. But she notes that for the completed auctions, none ever garnered bids, after which Sodinokibi simply released all of the data for free.
Once again, making a buzz and increasing the pressure on victims to pay appear to be the main drivers. "Since the Sodinokibi gang still publishes the data if the auction was unsuccessful, it seems that they do not consider these auctions as an effective way of increasing their income," Kivilevich says. "Possibly, they see it as another means of pressuring their victims and prompting them to pay the ransom. Thus, we do not expect other ransomware gangs to hold such auctions; however, it can be regarded as another trick in the growing list of new ways to intimidate the victims."