Backing up is no panacea when blackmailers publish stolen data
[Image: ransomware-data-disclosure-featured.jpg]

Ransomware operators appear to be following a new trend: publishing data stolen from companies that refuse to pay them.

Backing up data has so far been one of the most effective, if labor-intensive, safeguards against encrypting ransomware. Now the criminals seem to have caught up with those who rely on backups. The groups behind several ransomware families, confronted with victims who refused to pay, have published the data they stole from those victims online. A backup restores the encrypted files, but it does nothing to undo the disclosure of information that was copied out of the network before encryption began.

Data publication makes threats into reality

Threats to make confidential information public are nothing new. In 2016, for example, the group behind the cryptoware that infected the San Francisco Municipal Railway's systems tried the same trick. They never followed through on the threat, though.

Maze was the first

Unlike its predecessors, the group behind Maze ransomware delivered on its promises in late 2019, and did so more than once. In November, when Allied Universal refused to pay up, the criminals leaked 700MB of internal data online, including contracts, termination agreements, digital certificates, and more. The blackmailers said they had published just 10% of what they had stolen and threatened to release the rest if the target did not cooperate.

In December, the Maze actors created a website and used it to post the names of victimized companies, infection dates, the amount of data stolen, and the IP addresses and names of infected servers. They uploaded some documents as well. At the end of that month, 2GB of files, apparently stolen from the city of Pensacola, Florida, appeared online. The blackmailers said they published the information to prove they were not bluffing.

In January, the creators of Maze uploaded 9.5GB of Medical Diagnostic Laboratories data and 14.1GB of documents from cable maker Southwire, which had earlier sued the blackmailers for leaking confidential information. The lawsuit got the Maze website taken down, but that is unlikely to last.

Next came Sodinokibi, Nemty, BitPyLock

Other cybercriminals followed. The group behind the Sodinokibi ransomware, which was used to attack the international financial company Travelex on New Year's Eve, announced in early January that it intended to publish data belonging to the company's customers. The criminals claim to hold more than 5GB of information, including birth dates, social security numbers, and bank card details.

For its part, Travelex says it has seen no evidence of a leak and that it refuses to pay. The attackers, meanwhile, claim the company has agreed to enter negotiations.

On January 11, the same group posted links to about 337MB of data on a hacker message board, claiming it belonged to the recruiting company Artech Information Systems, which had refused to pay the ransom. The criminals said the uploaded data was only a fraction of what they had stolen and that they intended to sell, rather than publish, the rest unless the victim complied.

The authors of the Nemty malware were next to announce plans to publish the confidential data of victims who do not pay. They said they intended to start a blog and post the internal documents of non-paying victims there, piece by piece.

The operators of BitPyLock ransomware joined the trend by adding to their ransom note a promise to make the victim's confidential data public. They have yet to follow through, but the threat suggests that BitPyLock may be exfiltrating data as well.

No mere ransomware

Ransomware with capabilities beyond encryption is nothing new. Back in 2016, for example, a version of the Shade Trojan installed remote administration tools instead of encrypting files if it found that it had landed on an accounting machine. CryptXXX both encrypted files and stole Bitcoin and victims' credentials. The group behind RAA bundled some samples of the malware with the Pony Trojan, which also targeted credentials. That ransomware now steals data should surprise no one: as more companies back up their information, encryption alone loses its leverage, and the threat of disclosure restores it.

The worrying part is that backups provide no protection against this kind of attack. A backup restores availability, not confidentiality: once the data has been copied out of the network, an infected organization will suffer losses whether or not it pays, and those losses are not limited to the ransom. Paying buys no guarantee either; the blackmailers decide for themselves whether the stolen data is deleted, sold, or published. The only reliable protection is to keep the malware out of your systems in the first place.