Criminals Keep Finding New Ways to Make Ransomware Victims Pay
More ransomware-wielding gangs are exfiltrating more data because it’s helping force more victims to pay. (Source: Coveware, based on thousands of incidents investigated)
With apologies to Jay-Z, getting hit with ransomware might make victims feel like they have 99 problems, even if a decryptor ain’t one. That’s because ransomware-wielding gangs continue to find innovative new ways to extort cryptocurrency from crypto-locking malware victims.
Security experts say that more organizations have been putting in place viable defenses against ransomware, including frequently backing up all systems, and storing those backups offline. As a result, if they suffer a ransomware infection, they can simply wipe systems and restore from backups, without having to even consider paying a ransom.
“If you were running a business that had, you know, 80% to 90% profit margins and kept growing every month, would you change?”
In response, beginning in November 2019, the Maze gang began exfiltrating data before crypto-locking systems, then using the threat of data leaking to try and force more victims to pay. Unfortunately, this strategy not only worked, but has been emulated by numerous other gangs (see: More Ransomware Gangs Threaten Victims With Data Leaking).
Now, 22% of all ransomware cases involve data exfiltration, based on thousands of cases investigated by ransomware incident response firm Coveware in the second quarter of this year.
Similarly, attorney Craig Hoffman, who’s co-leader for the digital risk advisory and cybersecurity team at BakerHostetler, tells me that in at least 25% of the ransomware cases his firm has helped investigate, attackers claimed to have not just crypto-locked systems, but also to have exfiltrated data (see: Ransomware Gangs’ Ruthlessness Leads to Bigger Profits).
Desperately Seeking Decryptors
In the old days of crypto-locking ransomware – meaning most attacks before 2020 – when organizations paid a ransom, it was typically because they wanted to get a decryption tool in return, to enable them to restore data they would otherwise lose.
This didn’t guarantee that they’d get their data back. Notably, gangs might fail to provide the tool. Even when they did so, not all crypto-locking malware is well-written, meaning it can sometimes incorrectly encrypt files before deleting them, leaving them unrecoverable. The coding quality of decryption tools also varies, with some having poor success at restoring files (see: Ransomware Reminder: Paying Ransoms Doesn’t Pay).
More Reasons to Pay
Today, however, organizations may also pay a ransom for one or more of the following reasons:
- Hush money: Paying a ransomware attacker to not mention the case can prevent the security incident from becoming public knowledge.
- Naming and shaming: If gangs post a victim’s name to their “data leaks” site, some victims will pay to have their name get removed.
- Leak prevention: Victims may pay gangs to not leak data, or after they have started to leak data, to make them stop.
- Auction prevention: Sodinokibi, at least, has started to auction data from more high-profile victims to the highest bidder. While it’s not clear if this is anything more than a marketing stunt – none of the auctions ever appear to have received viable bids – the threat could lead some victims to pay.
- Deletion promises: Some organizations pay attackers in return for a promise that stolen data will never get leaked, and that all copies will be permanently deleted.
If these tactics sound familiar, it’s because they’re ancient, even if they’ve been recently adapted to holding data hostage. And as the digital forensics expert and incident responder known as @LitMoose has noted, while a shakedown might be a shakedown, a victim’s experience of it – including the amount being demanded, any readiness to negotiate, and the overall air of menace – can vary based on the level of sophistication of their attacker.
The more ransomware cases I work, the more I liken it to having a run in with the mob.
The bottom line is all very similar, but how bad it gets is really luck of the draw.
Sometimes you get the Don.
Sometimes you get slow cousin Eddie.
— Moose (@LitMoose) September 3, 2020
Data Exfiltration Drives Profits
Unfortunately, the move to exfiltrate data, name-and-shame victims and so on has been leading to higher profits for criminals.
In numerous recent cases, despite being able to fully restore data from backups, victims have then felt “compelled to have to engage in an extortion negotiation and potentially a payment to a threat actor because of the potential for what they deemed to be irreparable harm to their business if the information is leaked, and so they end up paying to prevent that,” says Coveware CEO Bill Siegel.
“It really is just the brand damage that customers are trying to avoid, but so far, unfortunately, it has been a successful strategy, I think, for the criminals in coercing more victims to pay than they previously did,” he tells me.
That said, once the data goes missing, an organization still needs to comply with all relevant data breach laws, he notes, regardless of whether the stolen information ends up on a data-leaks site (see: Ransomware + Exfiltration + Leaks = Data Breach).
He’s hopeful that the name-and-shame strategy might soon fizzle out. “Luckily it’s been happening so much that these name and shame sites are getting so cluttered that I think the efficacy of it has worn off,” he adds. “It happens so often that companies don’t feel like it’s that big of a deal,” or at least he hopes this phenomenon is trending in that direction.
More Victims Pay for Deletion
In the meantime, a growing number of companies have admitted to paying ransomware attackers, and not because they needed a decryption tool.
Cloud-based marketing, fundraising and customer relationship management software vendor Blackbaud, for example, said in July that it paid ransomware attackers not because it needed a decryptor, but because customer information had been stolen. “Because protecting our customers’ data is our top priority, we paid the cybercriminal’s demand with confirmation that the copy they removed had been destroyed,” Blackbaud said (see: Class Action Lawsuit Questions Blackbaud’s Hacker Payoff).
Similarly, the University of Utah recently paid attackers a $457,000 ransom in return for a promise to delete stolen employee and student information.
In return for this payment, the university also received a decryption tool, “however, it was not a primary consideration in paying the ransom,” Corey Roach, the university’s CISO, told Information Security Media Group. “We were able to recover almost everything from backups, but it is useful to have the ability to decrypt and recover files created after the last backup.”
Criminal Question: Why Change?
To be clear, security experts and law enforcement officials continue to urge organizations to never pay a ransom, since doing so directly funds further crime and leads criminals to target new victims with similar schemes.
As demonstrated by the average ransom paid by victims – when they pay – continuing to rise, ransomware continues to be wildly successful for the criminally inclined. Accordingly, Coveware’s Siegel predicts it’s unlikely we’ll see any major, near-term changes in criminals’ strategies.
“It is just too profitable to do anything else,” he says. “If you were running a business that had, you know, 80% to 90% profit margins and kept growing every month, would you change? No, you’d be crazy to change anything. Why would you do anything differently?”