New Ransomware Tactic: Data Publication in Case Victims Don’t Pay Ransom

Ransomware attackers typically encrypt victims’ data and demand from victims ransom in exchange for the decryption keys. To pressure victims into paying ransom, attackers have added a new tactic: publication of stolen data in the event victims fail to pay ransom.

While ransomware attackers in the past threatened victims to leak stolen data online for failing to pay ransom, many don’t follow through. Ransomware victims, as shown in their official statements, often view ransomware attacks not as data breaches – a type of cyber-attack that steals data. Ransomware victims, rather, believe that ransomware attackers can’t access the content itself.

This perception that ransomware attackers can’t access the content itself is thrown out of the window as recent ransomware trend shows that attackers are leaking online stolen data in the event victims refuse to pay ransom.

Maze Ransomware

The group behind the ransomware called “Maze” recently followed through their threat of leaking online stolen data when their victim didn’t pay ransom. In November of this year, when Allied Universal refused to pay 300 bitcoins then valued at nearly $2.3 million USD, the group behind Maze ransomware leaked online nearly 700 MB of files belonging to Allied Universal. “We gave them time to think until this day, but it seems they [Allied Universal] abandoned payment process,” Maze attackers told BleepingComputer.

The Maze attackers also told BleepingComputer that before encrypting any computer files, they always exfiltrate or steal the computer files for these files to be used as further leverage for the victims to pay the ransom. Allied Universal, meanwhile, told BleepingComputer: “Allied Universal is aware of a situation that may involve unauthorized access to our systems. This incident is being thoroughly investigated by Allied Universal IT experts who have taken immediate and appropriate actions to reinforce existing security measures and to mitigate any potential impact.”

The group behind Maze ransomware also claimed responsibility for the recent ransomware attack on wire and cable manufacturer Southwire. The group is demanding 850 bitcoins, valued at nearly 6 million USD, in exchange for the decryption key or keys that would unlock the encrypted files belonging to Southwire. In a ransom note shared by one of the employees of Southwire, the group behind Maze ransomware said they have in their possession some of the company’s data and this data will be released in the event ransom isn’t paid. “We have also downloaded a lot of data from your network, so in case of not paying this data will be released,” the group behind Maze ransomware said in the ransom note.

Southwire, for its part, acknowledged that a “significant cyber security incident” impacted some of the company’s business operations. “Following the self-quarantine of our systems earlier this week, a move that was taken to both protect our network and assess damage from the incident, we continue to safely and successfully bring systems back online,” Southwire said in a statement.

Malwarebytes security researcher Jérôme Segura, the first person to observe Maze ransomware in the wild, reported that the ransomware was being distributed by the Fallout exploit kit via a fake cryptocurrency exchange site. From this fake site, Segura said, victims were redirected towards the actual exploit kit landing page.

Fallout exploit kit, which was first discovered in August 2018, exploits the security vulnerabilities in Adobe Flash Player and Microsoft Windows. This exploit kit allows an attacker to download additional malware into the victim’s computer. Other than Maze ransomware, the Fallout exploit kit has also been used by the groups behind the following ransomware: Stop ransomware, GandCrab ransomware, Kraken Cryptor ransomware, Minotaur ransomware, Fake Globe ransomware and Matrix ransomware.

Maze ransomware also infects computers via email. In October of this year, security researcher JAMESWT reported that he observed an email campaign that targeted Italians. The email campaign tricks victims into opening the email as it pretends to be from the Italian Revenue Agency. Opening the attached document to this fake email leads to the downloading of the Maze ransomware into the victim’s computer.

REvil Ransomware

The group behind REvil ransomware, also known as Sodinokibi, announced in a hacking forum that it will also publish stolen data in case of the refusal of the victim to pay the ransom. Alternatively, the group also said that stolen data could also be sold to competitors.

The group behind REvil ransomware claimed responsibility behind CyrusOne, one of the biggest data center providers in the US. CyrusOne told ZDNet that six of its managed service customers, located primarily in its New York data center, have experienced availability issues as a result of a “ransomware program” that encrypted certain devices.

REvil ransomware was first observed in the wild in April 2019. When it first came out, this ransomware infected computers by propagating itself by exploiting a security vulnerability in Oracle’s WebLogic server.

REvil ransomware is offered as a Ransomware-as-a-Service (RaaS) – referring to a group that maintains the ransomware code and another group, known as affiliates. According to McAfee, affiliates spread the REvil ransomware through mass-spread attacks using phishing campaigns and exploit kits, and targeted attacks by brute-forcing Remote Desktop Protocol (RDP) access and uploading tools and scripts to run the ransomware in the internal network of the victims.

Preventive and Mitigating Measures Against Ransomware Attacks

This latest tactic of ransomware attackers in publishing stolen data in case of failure to pay the ransom brings to light new dangers of ransomware attacks. While keeping an up-to-date backup is important in protecting your organization from ransomware attacks, this new threat of stolen data exposure highlights the importance of preventing ransomware attacks from happening in the first place.

You don’t have to constantly worry about ransomware instead of growing your business.

Out team of IT and cybersecurity professionals helped hundreds of customers across Canada and we confident we can help you. Call today (416) 920-3000 or email us at sales@genx.ca and frustrate cybercriminals.