Euro Security Watch with Mathew J. Schwartz

Cybercrime as-a-service , Endpoint Security , Fraud Management & Cybercrime

Data-Exfiltrating Ransomware Gangs Pedal False Promises

Thieves Not Honoring 'Pay Us to Delete Stolen Data' Guarantees, Investigators Warn
Data-Exfiltrating Ransomware Gangs Pedal False Promises
The average ransom payment, when a victim pays, continues to increase (Source: Coveware)

Victims of crypto-locking malware who pay a ransom to their attackers are paying, on average, more than ever before. But ransomware incident response firm Coveware reports that when victims pay for a guarantee that data stolen during an attack - before systems got encrypted - will get deleted, they're often paying for false promises.

See Also: Live Webinar | Securing Mobile Endpoints to Protect IP in the Pharma Industry

Ransomware continues to be wildly profitable. Coveware reports that from July through September, the average ransom payment - when a victim paid - was $233,817, which was an increase of 31% from the previous quarter (see: Ransomware Payday: Average Payments Jump to $178,000). The firm says those statistics are based on thousands of cases that it worked on during Q3.

"The dramatic increase in ransom amounts may imply a higher degree of sophistication as attackers go upmarket." 

Obviously, seeing ransom payment amounts continue to rise is bad news, since paying ransomware-wielding criminals validates their illicit business model, and helps draw new players.

Nevertheless, for six quarters straight, the average ransom paid by victims has steadily increased. What's behind this continuing surge? Partially, it's because extortionists have been taking down bigger targets and commanding larger ransoms, while at the same time seemingly facing scant risk from law enforcement.

"Attackers discovered that the same tactics, techniques, and procedures - TTPs - that work on a 500-person company can work on a 50,000-person company and the potential payoff is substantially higher," Coveware reports. "The dramatic increase in ransom amounts may imply a higher degree of sophistication as attackers go upmarket, but Coveware does not believe that the attacks are more sophisticated."

Attacks via RDP Most Common

Tactically, criminals most often continue to use stolen or brute-forced remote desktop protocol credentials to gain remote access to a victim's network, Coveware says (see: Top Ransomware Attack Vectors: RDP, Drive-By, Phishing).

Using RDP makes economic sense for attackers, as working credentials can be purchased for $50 or less via cybercrime markets, which means that even relatively low-skilled attackers can still hit potentially lucrative targets.

Some attacks trace to software vulnerabilities being exploited, and others to phishing campaigns, which may install TrickBot, BazaarLoader or other remote-access Trojans, to then drop ransomware on systems, Coveware reports. But these two tactics tend to be the provenance of specialists - sometimes referred to as "initial access brokers" - who use these tactics to gain remote access to organizations' networks, then sell this access to others, including ransomware-wielding gangs (see: Eyeing Bigger Targets, Ransomware Gangs Recruit Specialists).

Sodinokibi Leads

Security firm McAfee reports that for the first half of this year, the overall volume of ransomware being seen in the wild continued to be extremely high.

Samples of crypto-locking malware detected in the wild (Source: McAfee)

But which strains of crypto-locking malware are most successful? For Q3, Coveware says Sodinokibi, aka REvil, led the charts, accounting for 16% of all incidents.

Following it was Maze at 14%, Netwalker at 10%, Phobos at 5% and DopplePaymer - aka DoppelPaymer - at 4%.

Other common strains were Snatch, Conti, Lockbit, Dharma, Nephilim - aka Nefilim - and Avaddon.

Promises Often Fail to Pan Out

Following a trend pioneered by Maze 12 months ago, many ransomware gangs now steal data from organizations before crypto-locking their systems. Even if a victim can simply wipe and restore its systems from backups - and thus not need to consider paying for a decryption tool - attackers can bring more pressure to bear, by naming and shaming the victim on a dedicated leak site, leaking samples of stolen data, dumping all of the data, or threatening to auction it to the highest bidder.

Security experts tell me the growth in data exfiltration and leaking by ransomware-wielding gangs has helped fuel a massive increase in the number of organizations that pay a ransom, oftentimes in return for a promise that the gang will delete stolen data.

But reinforcing the mantra that there's no honor among thieves, Coveware now says that such promises are too often not being honored.

Despite some companies opting to pay threat actors to not release exfiltrated data, Coveware has seen a fraying of promises of the cybercriminals - if that is a thing - to delete the data," it says.

Examples cited by Coveware include Sodinokibi extorting victims that paid a second time, with a repeat threat to release stolen data; Maze dumping stolen data before a victim even realized it had been stolen; Netwalker and Mespinoza both dumping data for victims that paid it to not do so; and Conti supplying fake files as proof of deletion.

Coveware says it now notifies organizations that if they pay, they should expect that the stolen data will never deleted, that it will be shared between multiple crime gangs, and that it may get leaked anyway, in perpetuity.

"Unlike negotiating for a decryption key, negotiating for the suppression of stolen data has no finite end," Coveware says.

"We strongly advise all victims of data exfiltration to take the hard, but responsible steps," it adds. "Those include getting the advice of competent privacy attorneys, performing an investigation into what data was taken, and performing the necessary notifications that result from that investigation and counsel."

Maze Promises to Disappear

One bright note in the cybercrime ecosystem, at least, is that Maze appears to have exited the arena, with the operators claiming in a Sunday statement to have retired.

Maze's retirement note, posted on Sunday to a cybercrime forum (Source: Kela)

Has Maze really gone away? Experts say it could well return under its own banner. In the meantime, the Egregor operation appears to have seized its mantle.

"Based on our tracking of Maze activity, their last enterprise attacks occurred in late September, and they have since announced they are sunsetting," Coveware says. "Since then, less senior affiliates, the 'young and daring,' have likely forked the Maze ransomware code into the Sekhmet and Egregor ransomware variants. Judging by their prolific rise and similar tactics, Egregor seems to be the heir apparent."

Suncrypt Promises to Shutter

In terms of unusual timing, another ransomware operation has also promised to turn out the lights. "We've seen Suncrypt affiliates stating on Exploit" - a cybercrime forum - "that the operators told them that the program is closing," according to Israeli cyberthreat intelligence monitoring firm Kela. "It's a bit interesting - and even suspicious - to see two major ransomware groups shutting down their operations around the same time."

Unfortunately, ransomware continues to be a big draw for many other criminals, meaning the loss of two groups seems set to have a negligible impact on the problem. "The profit margins are extremely high and the risk is low," Coveware says. "This problem will continue to get worse until pressure is applied to the unit economics of this illicit industry."



About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.com, you agree to our use of cookies.