Ransomware Groups Posting Stolen Data Even After Payment

Ransomware gangs are increasingly likely to break their promise not to leak stolen data once a victim has paid them, Coveware has warned.

The security vendor claimed in its analysis of Q3 2020 that data exfiltration is now a part of almost half of all ransomware attacks — used to drive monetization among victim organizations that have backed up.

However, the tactic has now reached a tipping point, with groups such as Sodinokibi, Maze, Netwalker, Mespinoza and Conti starting to publish data even after payment, and/or demand a second ransom be paid to prevent publication, Coveware claimed.

“Despite some companies opting to pay threat actors to not release exfiltrated data, Coveware has seen a fraying of promises of the cyber-criminals to delete the data,” it explained.

The vendor urged victim organizations to think carefully about their strategy and long-term liabilities when formulating a response.

“This includes getting the advice of competent privacy attorneys, performing an investigation into what data was taken, and performing the necessary notifications that result from that investigation and counsel,” it said.

“Paying a threat actor does not discharge any of the above, and given the outcomes that we have recently seen, paying a threat actor not to leak stolen data provides almost no benefit to the victim.”

Coveware revealed that downtime, RDP-based attacks, average payments and the percentage of attacks involving exfiltration all increased in the third quarter of 2020.

Business interruption now stands at 19 days, up 19% from the second quarter, while the average payment is up 31% to $233,817, as attackers increasingly target larger enterprises. They’ve realized over recent months that doing so will significantly enhance margins without increasing operating costs or risk, the report noted.

However, despite the headline attacks on big-name brands, SMBs are disproportionately affected by ransomware: organizations with up to 100 employees accounted for 32% of attacks in Q3, while those with up to 1000 workers accounted for 73%.

RDP continues to be the primary attack vector for ransomware groups, and with supply of compromised credentials exceeding demand, barriers to entry will continue to fall, allowing less technically sophisticated cyber-criminals to get involved in ransomware, Coveware warned.

“Until companies properly heed the risk of an improperly secured RDP connection, this attack vector will continue to be the most cost-effective target for ransomware threat actors to exploit,” it said.
