Ransomware actors reneging on promises despite extracting huge ransom

Security firm Coveware's Quarterly Ransomware Report has revealed that paying a ransom is not bringing any benefit to organisations anymore as hackers are not honouring promises of deleting stolen data, are reselling them to other hackers or are coming back to demand ransom again.

A week ago, security firm SonicWall revealed that in the first three quarters of this year, it recorded nearly 200 million ransomware detections worldwide. The Ryuk ransomware was by far the favourite ransomware variant for cyber criminals as Ryuk detections increased from a mere 5,123 in Q3 2019 to 67.3 million in Q3 2020, indicating that Ryuk attacks formed a third of all ransomware attacks in the quarter.

Earlier this year, the GCHQ's National Cyber Security Centre also warned organisations about Ryuk ransomware campaigns, some of which also involved the use of Emotet and TrickBot malware and their variants. To prevent ransomware operators from disclosing breaches or publishing stolen data, many organisations are now paying off hackers to recover decryption keys or to get hackers to delete stolen files.

For instance, Canadian diagnostics giant LifeLabs, which is among the top companies in the global clinical laboratory test industry, said it had to pay a ransom to hackers to retrieve vast amounts of personal and healthcare information belonging to up to 15 million Canadians, which the hackers had stolen after breaching the company's systems in November last year.

Foreign currency exchange service Travelex also paid $2.3 million in ransom to the REvil ransomware gang in January after the hacker group encrypted the company's files. Hackers reportedly used the Sodinokibi ransomware to successfully encrypt Travelex's entire network, delete backup files, and exfiltrate more than 5GB of personal data.

According to Coveware, paying a ransom to cyber criminals may no longer bring any benefit to organisations as many hacker groups are no longer honouring the promises they make to companies in exchange for accepting large amounts of money as ransom.

The firm observed that hackers have now realised that the same tactics, techniques, and procedures that work on a 500-person company can work on a 50,000-person company, and that the potential payoff is substantially higher. As a result, hackers are now targeting large organisations using tried-and-tested techniques to earn vast amounts in ransom at low risk.

Because of this, the average ransom payment increased by 31% in a single quarter, reaching $233,817 in Q3 2020. Large, big-game payments by victim companies have also driven the median ransom payment up from $108,597 to $110,532.

No point in paying a ransom to hackers who threaten to release stolen data

Hackers are also increasingly using the threat to release exfiltrated data, alongside encrypting it, to blackmail organisations into paying a ransom. This forces organisations, even those with perfectly restorable backups, to engage with the hackers to determine what data was taken.

Unlike hackers who simply return the decryption key after receiving a ransom, hackers who use the threat of releasing sensitive data can return at a later date to demand a ransom again, or may sell the data to third parties who may in turn contact the victim company to demand a ransom.

Therefore, even if an organisation chooses to pay a ransom, there is no guarantee that hackers will honour the agreement and any company that chooses to pay a ransom should expect the following:

  • The data will not be credibly deleted. Victims should assume it will be traded to other threat actors, sold, or held for a second/future extortion attempt
  • Stolen data custody was held by multiple parties and not secured. Even if the threat actor deletes a volume of data following a payment, other parties that had access to it may have made copies so that they can extort the victim in the future
  • The data may get posted anyway by mistake or on purpose before a victim can even respond to an extortion attempt

According to Coveware, hackers behind the Netwalker and Mespinoza ransomware posted corporate data online even after victim companies had paid for it not to be leaked, hackers behind the Conti ransomware showed fake files to victim companies as proof of deletion, and hackers behind the Sodinokibi ransomware re-extorted victims that paid with threats to post the same data set again.

"We strongly advise all victims of data exfiltration to take the hard, but responsible steps. Those include getting the advice of competent privacy attorneys, performing an investigation into what data was taken, and performing the necessary notifications that result from that investigation and counsel.

"Paying a threat actor does not discharge any of the above, and given the outcomes that we have recently seen, paying a threat actor not to leak stolen data provides almost no benefit to the victim. There may be other reasons to consider, such as brand damage or long term liability, and all considerations should be made before a strategy is set," the firm said.
