Ransomware Adopts a Game-Changing Blackmail Model for Information Theft

Initially, most ransomware schemes have relied primarily on malicious encryption to render a victims' data inaccessible, but ever since the Maze ransomware took the spotlight in 2019, the dynamics have changed. Numerous ransomware strains are now adopting a double-edged, blackmail model for information theft.

In addition to demanding bitcoins for decrypting the files, cyber-criminals are threatening to upload the victims’ files publicly, in circumstances of not receiving payments within a specific time frame.

Taking Extortion to a New Level: Maze Ransomware

The trend of these “double trouble” ransomware schemes started with a predatory program known as “Maze”, which made a huge comeback in the ransomware ecosystem in November 2019. Maze operators had planned an attack on Allied Universal, a security and staffing services’ organization.

After the organization's network was breached and prior to executing the encryption process, Maze operators stole approximately 7GB worth of data. The malicious actors then reached out to the victim’s management, demanding 300 bitcoins (approximately $2.6 million) in ransom and threatened to leak the stolen files, unless Allied Universal paid up within a specific time limit.

When the organization rejected these demands, authors of the Maze ransomware did actually upload 700 MB of data to a Russian hacking forum. Afterward, they threatened that if Allied Universal continues to reject their demands, they will also release the remaining data into the wild.

Setting a New Bar in the Ransomware World

Following their attack on Allied Universal, Maze ransomware authors continued the same tactic again in early December 2019. This time the victims were the less fortunate city of Pensacola, Florida. An attack caused the entire city’s administration to shut down their systems for a while, which included phone and email services. Maze blackmailers stole approximately 32GB worth of data during the attack.

They demanded to be paid $1 million in cryptocurrency, and similar to the Allied Universal scenario, threatened to release data if payment was not made on time. When Pensacola officials refused, 2GB worth of data was released on a public website. Further threats were made, but ever since then, there have been no updates on this incident, which is quite the discouraging phenomenon.

Sadinokibi Ransomware Takes a Leaf Out of Maze’s Book

Noticing the many double trouble blackmail schemes by Maze, the distributors of Sodinokibi (REvil) took inspiration and in December 2019, stole information from data center provider CyrusOne. They even posted an announcement of the new tactic on a Russian hacking forum. CyrusOne admitted to be dealing with the file-encryption ransomware.

However, the attackers didn’t confirm whether or not the data was stolen, although they insisted though that they did steal data, and they would leak it if the payment was not completed on time.

In another incident in January 2020, the attackers released over 300MB of data from IT staffing firm, Artech Information Systems, and made it publicly accessible in the aftermath of failed negotiations.

The future of cybersecurity appears to be quite scary as we see more hacker groups encrypting information and collecting victims’ data with threats of releasing it publicly. As for the silence from some huge companies, after being attacked it does not offer much positivity to the situation. Did they finally succumb to the demands; what action did they take?

The targets of these cleverly designed extortion campaigns can not only lose important files, but also face a treasure trove of reputational issues. Not to mention, they could also fall victim to lawsuits, due to the failure of protecting the personal information of their clients.

Such ransomware attacks that are turning into an explosive fusion of data breaches and encryption need to be deal with properly.


Muhammad Hamza Shahid is an Online Privacy/Security Advocate at BestVPN.co. He is contributing author at sites like Hackernoon, SAP, Medium, ValueWalk, NewsWire, and Buzzfeed who loves sharing his expert knowledge regarding the latest trends in user privacy, cyber laws, and digital affairs.


What’s Hot on Infosecurity Magazine?