Security researchers have found that a number of ransomware gangs aren't honoring the ransom payments they receive from victims for their stolen data.
In its Quarterly Ransomware Report for Q3 2020, Coveware revealed that nearly 50% of ransomware cases involved the threat to publish unencrypted data stolen from victims, in addition to the use of encryption to render victims' information inaccessible.
Adding data theft into the mix enables digital attackers to demand two ransoms from their victims: one for the deletion of all stolen information and the other for the receipt of a working decryption key.
However, Coveware revealed in its report that at least five different ransomware gangs weren't honoring payments received for the former, either by doxxing victims after they'd paid or by asking for an additional ransom payment to prevent the publication of victims' data.
For instance, the security firm found that REvil, a group which now controls the KPOT infostealer, re-extorted victims for the same data just weeks after they'd submitted a ransom payment.
Meanwhile, the attackers responsible for the Netwalker and Mespinoza families went ahead and posted the stolen information of their victims despite having received payment to delete that data.
The gang responsible for Conti, ransomware which is the likely successor of Ryuk, did something similar in that it showed fake files to victims as proof of deletion. This trick enabled the attackers to publish their victims' data and/or re-extort them at a later point, if they so chose.
Finally, Maze's operators published victims' data, either accidentally or willfully, on their data leak site before they had even told victims that they'd stolen their data.
Maze's data leak site. (Source: Bleeping Computer)
These betrayals highlight the inherent difficulty of negotiating with ransomware actors, particularly over stolen data. As Coveware explained in its report:
Unlike negotiating for a decryption key, negotiating for the suppression of stolen data has no finite end. Once a victim receives a decryption key, it can't be taken away and doesn't degrade with time. With stolen data, a threat actor can return for a second payment at any point in the future. The track records are too short and evidence that defaults are selectively occurring is already collecting.
Acknowledging this trend, organizations and users alike should consider directing their focus towards preventing a ransomware infection in the first place. This resource serves as a starting point.