Ransomware Gangs Continue to Shame Victims
Everyone has something to hide. The beauty of that truth for hackers is that even if they don’t know their target’s dirty little secrets, they know that no one wants their secrets exposed. The mere threat of being publicly shamed may be enough to make some victims pay. Businesses, though, don’t have personal secrets. They have customer data and intellectual property, which they are responsible for protecting.
So when the malicious actors operating the Maze Ransomware launched “Maze News” in November, they may have seen a spike in the number of victims willing to pay. Why? Because those businesses that had already suffered the loss of a ransomware attack were being publicly shamed into paying.
Maybe they were able to rely on backups so that they suffered little down time. Maybe they decided that they would slowly piece themselves back into full operation so that they didn’t have to give in to the bad guy. They thought they were doing the right thing by not negotiating with criminals, until it became painfully clear that those who refused to give in could be publicly shamed anyway.
For years now, law enforcement has advised organizations hit with ransomware to not pay the ransom, but the REvil and Maze operators are changing the game. By threatening to publicly expose the secrets of compromised organizations, they are making it harder for businesses to avoid negotiating with the criminals. Companies that have sensitive data on the line now must wrangle with the question of what to do post-compromise, when the issue is no longer about data recovery, but about reputational management and the risk of losing valuable IP.
“REvil”-ing in Ransomware
It was only last year when Krebs on Security reported that the ransomware-as-a-service group known as GandCrab had, “quietly regrouped behind a more exclusive and advanced ransomware program known variously as “REvil,” “Sodin,” and “Sodinokibi.” Since then, the group has continued to make headlines. Most recently, Krebs learned that the group announced a stolen data auction featuring files from a Canadian agricultural production company.
The Maze Ransomware operators (previously known as ChaCha ransomware) demonstrated through Maze News that exploitation was perhaps more lucrative than the ransom itself. Their success has served as inspiration for other ransomware operations. Now, with at least 13 known operations reportedly leaking stolen data, “The Maze gang is once again stirring up the threat landscape by creating a cartel of ransomware operations to share resources and extort their victims,” according to Bleeping Computer.
A scan of recent headlines reveals that the cartel has been active. Threatpost reported, “A U.S. military contractor involved in the maintenance of the country’s Minuteman III nuclear arsenal has been hit by the Maze ransomware.” According to CRN, the European operations systems of the well-known IT services company, Conduent, was struck by ransomware, which resulted in some of the company’s internal documents being leaked.
To Pay or Not to Pay Might Be the Wrong Question
As more of these groups use ransomware to exfiltrate data and create auction or news sites like those of REvil and Maze News, it’s likely that these cartel rings will become more emboldened and perhaps even empowered. The ransomware question may no longer be whether to pay or not pay the ransom–because paying was always in large part about the ability to decrypt and gain access to files. These cartel-like organizations have shifted from ransom to publicized extortion, threatening to ruin the reputations of those victims who opt not to pay.
It is possible to avoid being a victim of ransomware. For that to happen, what matters now–more than ever–is that companies have real-time monitoring of their networks and their partners.