Crime Blotter: Hackers Fail to Honor Promises to Delete DataPolice Say Gang Extorted Millions From Victims Not Just by Stealing, But Lying Too
Cybercrime experts have long urged victims to never pay a ransom in return for any promises attackers make to delete stolen data.
Paying attackers for guarantees to delete data directly funds cybercrime and perpetrates cyber extortion as a business model. Just as importantly, it typically doesn't stop criminals from selling stolen data, as a recently unveiled criminal probe demonstrates.
On Thursday, cybercrime police in the Netherlands announced that they had busted a three-man gang accused not just of hacking into companies, stealing their data and threatening to dump it online - unless they received a ransom payment - but also of failing to honor its guarantees.
Dutch police arrested the suspects - two 21-year-olds and one 18-year-old - on Jan. 23, and two of them have since been jailed and only allowed to speak to their attorney while the investigation continued. "Because of this measure and in order not to disrupt the investigation, the arrests have not been announced before," police said. The suspects have been charged with computer hacking, data theft, extortion and money laundering.
The investigation began in March 2021 after a large Dutch company reported an attack to police involving the theft of data and threats to release it.
Authorities say the gang earned millions by targeting businesses of all sizes in the Netherlands and abroad. The gang would regularly hack into firms and send a threatening message demanding a ransom worth at least $100,000 in cryptocurrency, and sometimes up to $700,000. Victims who paid were promised the safe return of stolen data, while anyone who dared not pay risked seeing their IT infrastructure get destroyed.
"Many companies have felt compelled to pay in hopes of protecting their data," police said. But even when victims paid, police said the gang oftentimes still sold the stolen data.
Information allegedly stolen by the group included a wealth of personal identifiable information, including tens of millions of individuals' name, addresses, birthdates, bank account numbers, credit card numbers, passwords, passport data and more.
Criminals don't simply dump or sell stolen data online out of spite. Dutch police say there's a roaring trade in using stolen corporate data to undertake social engineering attacks.
"Data theft and data trading is a huge revenue model for criminals," the police say. "The captured data is processed so that it can be traded to other criminals." In the course of this investigation, they report recovering software tools used by the suspects "to refine stolen data," allowing them to use it themselves - or sell the ability to others - to identify promising-looking targets for "phishing, chat tricks, bank help desk fraud or identity fraud."
Don't Fall for Attackers' Guarantees
While the Dutch gang isn't accused of using ransomware as part of its schemes, ransomware groups also often claim to have stolen data from a victim. Beyond demanding a ransom in exchange for a decryptor, attackers often demand a separate ransom in return for a promise to delete stolen data. Unfortunately, many victims do pay for such promises.
But experts say it's foolish to do so. "You can't put the toothpaste back in the tube," says Bill Siegel, CEO of ransomware response firm Coveware (see: Ransom Realpolitik: Paying for Data Deletion Is for Suckers).
It's important to highlight that not all organizations hit by extortionists give in to such blackmail, as recently seen in the aftermath of the attack on Britain's national postal service, Royal Mail (see: Royal Mail Refused 'Absurd' LockBit Extortion Demand).
The systems of Royal Mail International, which handles letters and parcels for export, were crypto-locked by the LockBit ransomware group on Jan. 11. Afterward, Royal Mail received an $80 million ransom demand, based on chat logs LockBit had dumped on Feb. 14, apparently out of frustration with how its shakedown was progressing.
Royal Mail declined to comment on the veracity of the leaked negotiations - which appear to have begun on Jan. 12 - because a law enforcement investigation into the attack remains active.
The Art of Negotiations
Throughout the discussions, Royal Mail maintained a polite tone, not hesitating to sound contrite.
"We are not pretending anything and apologize if it appears that way," the Royal Mail negotiator said. "It is just that my management have heard that your decryptor might not work on large files. That is why they asked and wanted to see if it did. I am trying to convince them to work with you here. They are just asking for more proof of what we will get from you."
Ransomware negotiator Kurtis Minder tells Malwarebytes that maintaining a cordial tone and buying time for the incident response team as it attempts to restore files is the first priority in these situations.
Royal Mail continued to string LockBit along for weeks. On Feb. 6, Royal Mail's negotiator stated that senior management "might not want to pay you for this. In our perspective, the files got leaked when you took them from our system, and paying you won't undo that in any way."
In response, LockBit reduced its ransom demand: "Last chance to prevent leaks of royal information. We are ready to make a discount, remove the stolen information and provide a decryptor for $40 million. There will be no more delays, after the timer expires all the data will be released."
Finally, on Wednesday - 42 days after systems were forcibly encrypted and 41 days after negotiations began - LockBit dumped the stolen data online.
Perhaps not coincidentally, that was the same day the postal service announced that "Royal Mail International Export services have now been reinstated to all destinations for purchase online, through shipping solutions and over the counter at Post Office branches," aside from a "small number" of services for business customers, for which it said it had put "alternative services" in place.
Royal Mail appears to have finally restored from backups or rebuilt all necessary systems. More to the point, it did so without paying any ransom, not least for attackers' empty promises.