Ransomware groups know that their shady tactics are very effective in targeting larger enterprises. This has resulted in a 31% increase of the average ransom payment in Q3 2020, reaching a whopping $233,81, according to research from Coveware. They also warn of occurrences of attackers exfiltrating data and then asking for an additional ransom to delete it. Several different cases have surfaced where ransomware groups have posted stolen data online despite having been paid not to release it or have demanded additional monies later.
Ransomware Gangs Fail to Keep Their Promise to Delete Stolen Data & Demand a Second Extortion Payment
Maze, Sekhmet & Egregor (related ransomware groups):
Posted stolen data on a leak site (which hosts and/or advertises stolen data) even before the victims were notified that their data was stolen.
Re-extorted victims for the same stolen data just weeks after the victims had submitted a ransom payment.
Mespinoza (Pysa) & Netwalker (Mailto):
Posted stolen data on their leak sites of companies that had already paid the ransom demand.
Victims that paid were re-extorted weeks later with threats to publish the same data set.
Sent victims fabricated evidence as proof of having deleted the data.
“Unlike negotiating for a decryption key, negotiating for the suppression of stolen data has no finite end. Once a victim receives a decryption key, it can’t be taken away and does not degrade with time. With stolen data, a threat actor can return for a second payment at any point in the future,” according to Covewear. “The track records are too short and evidence that defaults are selectively occurring is already collecting. Accordingly, we strongly advise all victims of data exfiltration to take the hard, but responsible steps. Those include getting the advice of competent privacy attorneys, performing an investigation into what data was taken, and performing the necessary notifications that result from that investigation and counsel.”
Coveware also found that improperly secured Remote Desktop Protocol connections and compromised RDP credentials were the most common way in for ransomware gangs, followed by phishing and software vulnerabilities.
“The foothold created by the phishing email or CVE exploit is used to escalate privileges until the attacker can command a domain controller with senior administrative privileges. Once that occurs, the company is fully compromised and data exfiltration + ransomware are likely to transpire within hours or days,” Covewear explains.
Companies in every industry can potentially be a target, but hackers seem to prefer those in the professional services industry, healthcare and the public sector. Companies that have been compromised need to automatically assume that their data has been shared among multiple threat actors. It may be leaked in some manner in the future, regardless of whether they paid the hacker’s ransom demand.