Get The Latest Insights

By Jessica Ellis | November 25, 2020

While paying ransoms to cybercriminals remains very controversial, the trend of ransomware groups threatening to leak sensitive data has added another layer of complexity to an already difficult decision. Should organizations pay up? Or should they refuse?  According to a recent report, it may not matter. Data stolen in ransomware attacks is frequently becoming public even after the victim has paid. 

Ransomware has rapidly evolved into a hybrid tactic known as double extortion. In 2020, half of all ransomware cases included the threat to release data to the public. Bad actors use the threat of brand and economic damage due to leaked sensitive data to pressure organizations to pay a ransom. Once demands are met, they assure the victim they will receive a decryption key, and all stolen data in their possession will be deleted.  
As attacks have unfolded over the past year however, reports indicate organizations should not believe their data will be deleted once they have paid a ransom. Coveware found several well-known ransomware groups guilty of reneging on their promise to delete data after receiving payment. This can be attributed to seasoned ransomware groups linking and sharing data with emerging groups, actor error, or simply because they never intended to delete their copies of the information in the first place.  
Some of the major ransomware groups that have publicly disclosed information despite assurances otherwise include:
  • Sodinokibi
  • Maze
  • Netwalker
  • Mespinoza
  • Conti
In one example, the threat actors responsible for Netwalker ransomware posted stolen data after the victim paid the ransom. In another, Maze (accidentally or not) published data before the victim was aware it had even been compromised. It should be noted that both ransomware operators use email phishing as their attack vector almost fifty percent of the time.
Ransomware gangs have also been observed coming back to victims that have paid and demanding a second ransom payment. Victims of the Sodinokibi ransomware paid operators only to be extorted again with the same stolen data weeks later. Sodinokibi ransomware currently holds the greatest market share of ransomware attacks in Q3.
Multiple factors can be attributed to data being leaked despite payment: 
Sharing Between Families
Ransomware groups are increasingly linking with other malware families and cybercrime operations to conduct campaigns. Attack collaboration and intelligence-sharing are becoming the norm as seasoned attackers profit with Ransomware-as-a-Service (RaaS) and partnerships with emerging groups. 
There is no reason to believe that the data stolen during a ransomware attack will not be accessible to all parties involved. Lack of visibility into where data goes after it is stolen or who may have acquired copies of it means that despite paying the operators what was negotiated, the victim is still prone to future attacks. 
Premature Posting
Although operator intent is to extort their victim, data may get published online too quickly or even accidentally before a victim has the opportunity to respond to demands. 
Criminals Lie
It should be no surprise to anyone that a trait commonly associated with a professional criminal is a deceptive nature. Maze ransomware operators, for example, publicly displayed their inability to keep their word during the COVID-19 crisis by pledging to spare healthcare from attacks that might interfere with operations during the pandemic. This proved to be false. 
The many channels and platforms available to threat actors allow them a broad environment to sell or publicly disclose stolen data with or without the knowledge of the organization. Despite assurances that stolen data will be returned unpublished to an organization once demands have been met, threat actors can copy, share, and sell information without recourse. Maze operators are again an example of this, conducting attacks in the following manner: 
  1. Requiring payment for a decryption key
  2. Requiring the victim to pay a second ransom to prevent the publishing of stolen data
  3. Selling the stolen data on the dark web anyway
Ultimately, there is no guarantee that the bad guys will not publish data once an organization provides payment or, decide to keep the data and engage in repeated extortion in the future. 
In order to protect against ransomware, security teams should put into place proactive measures that detect advanced email attacks like Business Email Compromise (BEC) and malicious messages containing malware. Email threat indicators and SOAR capabilities should also be used to automate mitigation processes.  
In addition, organizations should adopt measures that allow for continuous monitoring of external sources for data leak intelligence. Visibility into a broad range of online channels and platforms helps organizations rapidly identify when compromised data is present online and enables them to respond quickly. PhishLabs’ Digital Risk Protection and Email Intelligence & Response provide organizations with proactive prevention and rapid collection of sensitive information, minimizing impact and allowing for rapid mitigation.
Additional Resources: