Ransomware Gangs Continue to Shame Victims

11 June 2020

Everyone has something to hide. The beauty of that truth for hackers is that even if they don’t know their target’s dirty little secrets, they know that no one wants their secrets exposed. The mere threat of being publicly shamed may be enough to make some victims pay. Businesses, though, don’t have personal secrets. They have customer data and intellectual property, which they are responsible for protecting. 

So when the malicious actors operating the Maze Ransomware launched “Maze News” in November, they may have seen a spike in the number of victims willing to pay. Why? Because those businesses that had already suffered the loss of a ransomware attack were being publicly shamed into paying.

Maybe they were able to rely on backups so that they suffered little downtime. Maybe they decided that they would slowly piece themselves back into full operation so that they didn’t have to give in to the bad guy. They thought they were doing the right thing by not negotiating with criminals, until it became painfully clear that those who refused to give in could be publicly shamed anyway.

For years now, law enforcement has advised organizations hit with ransomware to not pay the ransom, but the REvil and Maze operators are changing the game. By threatening to publicly expose the secrets of compromised organizations, they are making it harder for businesses to avoid negotiating with the criminals. Companies that have sensitive data on the line now must wrangle with the question of what to do post-compromise, when the issue is no longer about data recovery, but about reputational management and the risk of losing valuable IP.

“REvil”-ing in Ransomware

It was only last year when Krebs on Security reported that the ransomware-as-a-service group known as GandCrab had “quietly regrouped behind a more exclusive and advanced ransomware program known variously as ‘REvil,’ ‘Sodin,’ and ‘Sodinokibi.’” Since then, the group has continued to make headlines. Most recently, Krebs learned that the group announced a stolen data auction featuring files from a Canadian agricultural production company.

The Maze Ransomware operators (previously known as ChaCha ransomware) demonstrated through Maze News that exploitation was perhaps more lucrative than the ransom itself. Their success has served as inspiration for other ransomware operations. Now, with at least 13 known operations reportedly leaking stolen data, “The Maze gang is once again stirring up the threat landscape by creating a cartel of ransomware operations to share resources and extort their victims,” according to Bleeping Computer.

A scan of recent headlines reveals that the cartel has been active. Threatpost reported, “A U.S. military contractor involved in the maintenance of the country’s Minuteman III nuclear arsenal has been hit by the Maze ransomware.” According to CRN, the European operations systems of the well-known IT services company Conduent were struck by ransomware, which resulted in some of the company’s internal documents being leaked.

To Pay or Not to Pay Might Be the Wrong Question

As more of these groups pair ransomware with data exfiltration and create auction or news sites like those of REvil and Maze News, it’s likely that these cartel rings will become more emboldened and perhaps even empowered. The ransomware question may no longer be whether to pay or not pay the ransom, because paying was always in large part about the ability to decrypt and regain access to files. These cartel-like organizations have shifted from ransom to publicized extortion, threatening to ruin the reputations of those victims who opt not to pay.

It is possible to avoid being a victim of ransomware. For that to happen, what matters now, more than ever, is that companies have real-time monitoring of their networks and their partners.


Copyright 2023 Prevailion, Inc. All rights reserved.    