The attacks that transpired last year alone
arguably made ransomware the hot topic of the year and most likely a leading contender
for 2020, as well, but a new element that cropped up late last year – attackers
adding a layer of blackmail to the threat of locking a target’s computer system
– solidified its standing.
The evolution, if one could apply such a lofty term, to blackmail stems from companies’ recent strides in better deflecting ransomware attacks.
Although the well-known threat actor The Dark
Overlord was a pioneer, several groups have been implementing this tactic,
including Maze, Sodinokibi and Nemty, since late last year, an indicator to
many security pros that the bad guys are responding to improved security
practices on the part of their intended victims.
“The attacker threatening, or going ahead with,
disclosure of the stolen data is their way of forcing even those companies that
have backup in place to reconsider paying the ransomware,” says Ilia
Kolochenko, founder and CEO of ImmuniWeb.
Over the last several weeks Maze has wielded
Sodinokibi ransomware as a lever to try and pry millions of dollars in ransom payments
from a series of targets, most recently Medical Diagnostic Laboratories and the
Gedia Automotive Group. Maze demanded 200 bitcoins from the former and when it
refused to pay up allegedly posted stolen data to several dark web forums.
Gedia also ignored the threat and had data revealed. Previously, Pensacola,
Fla., and Travelex have also been involved in this type of attack.
Maze’s is so brazen that it has created a public
website where it’s data stolen from companies that refuse to pay up.
The possibility that sensitive data could be
released certainly preys upon the mind of most ransomware victims. In almost
every case where a company, municipality or school district was hit, one of the
first things those in charge mention is that they do not believe any data has
been removed. This was generally a safe comment to make as attackers had not
previously made a habit of stealing data prior to encrypting a system.
The addition of blackmail now removes their ability
to throw out that particular safety net nor can they hide what happened if the
stolen data is made public.
“By threatening public exposure, attackers can add
layers of pressure to their ransom demands, in addition to the potential fines
from data protection acts like GDPR,” says Alex Guirakhoo, strategy and
research analyst at Digital Shadows. “Even empty threats of exposure can be
enough to elicit payment.”
If an organization pays the ransom that does not
mean the bad guys will comply and not make further use of the stolen
information. The people behind ransomware attacks are criminals and not to be
trusted always has been one of the primary reasons law enforcement has been
against paying a ransom. It guarantees nothing.
“Stealing data simply gives them additional
leverage to extort payment and, perhaps, other options for monetization –
selling the data to other criminal groups or competitors, for example,” says
Brett Callow, a threat analyst with Emsisoft.
director of marketing at Cymulate, notes criminals were forced to go in this direction
in order to maintain their cash flow as fewer companies were opting to pay. In
one sense these malicious actors were hoisted upon their own petard as the huge
number of ransomware attacks gained a great deal of public exposure thus
“Awareness has grown and companies are employing
better protection against ransomware and better recovery methods from a
successful ransomware attack,” he says, which has led to victims not paying
despite not being able to recover their data – in some cases because they had
cyber insurance to cover any loss.
Deciding to not pay has led to another plot twist.
Over the last four months the size of the average ransom payout has
dramatically increased for those who choose to give in to the demand.
The security firm Coveware recently reported that
in the fourth quarter of 2019, the average ransom payment increased by 104
percent to $84,116, up from $41,198 in the third quarter of 2019.
The report specifically cited the ransomware groups
now known for threatening to release data as one of the drivers of this higher
“Some variants such as Ryuk and Sodinokibi have
moved into the large enterprise space and are focusing their attacks on large
companies where they can attempt to extort the organization for a seven-figure
payout,” Coveware says.
Attackers still target smaller businesses,
primarily using Dharma, Snatch and Netwalker ransomware but with demands as low
as $1,500 – compared to the six- and seven-figure fees demanded from large
As with any adversarial relationship one side
generally comes up with a new weapon or methodology and it is then countered by
the opposing side. Since the criminal element has now brought in to play a
further level of blackmail defenders must adapt. Moshe Elias, Cymulate’s
director of product marketing, points out that there are already tools
available that can inform a targeted firm that data is being exfiltrated.
“What’s most surprising about this attack (Medical Diagnostic Laboratories) is that any fully functioning Data Loss Prevention solution should assist in detecting unwanted data that’s been accessed and sent out of the organization. Such a large amount of data, such as a 100GB, should at least raise a flag if not completely kill the communication channel for exfiltration,” he says, adding, “As ransomware has shifted to exfiltrating data and then encrypting it on the customer side, it’s imperative that all network security controls are optimized at all times to avoid these type of gaps.”
Whether or not Medical Diagnostic Laboratories had the internal staff in place to handle this attack is something only the company knows, but Bret Padres, CEO, Crypsis Group, says companies that find themselves in this position can turn to what is another hot topic: Cyber insurance. Such coverage will not only help defray any financial loss, but insurance firms can also help smaller or less tech savvy firms possibly recover from an attack.