Ransomware Gangs Continue to Shame Victims

11 June 2020

Everyone has something to hide. The beauty of that truth for hackers is that even if they don’t know their target’s dirty little secrets, they know that no one wants their secrets exposed. The mere threat of being publicly shamed may be enough to make some victims pay. Businesses, though, don’t have personal secrets. They have customer data and intellectual property, which they are responsible for protecting. 

So when the malicious actors operating the Maze Ransomware launched “Maze News” in November, they may have seen a spike in the number of victims willing to pay. Why? Because those businesses that had already suffered the loss of a ransomware attack were being publicly shamed into paying.

Maybe they were able to rely on backups so that they suffered little down time. Maybe they decided that they would slowly piece themselves back into full operation so that they didn’t have to give in to the bad guy. They thought they were doing the right thing by not negotiating with criminals, until it became painfully clear that those who refused to give in could be publicly shamed anyway. 

For years now, law enforcement has advised organizations hit with ransomware to not pay the ransom, but the REvil and Maze operators are changing the game. By threatening to publicly expose the secrets of compromised organizations, they are making it harder for businesses to avoid negotiating with the criminals. Companies that have sensitive data on the line now must wrangle with the question of what to do post-compromise, when the issue is no longer about data recovery, but about reputational management and the risk of losing valuable IP.

“REvil”-ing in Ransomware

It was only last year when Krebs on Security reported that the ransomware-as-a-service group known as GandCrab had “quietly regrouped behind a more exclusive and advanced ransomware program known variously as ‘REvil,’ ‘Sodin,’ and ‘Sodinokibi.’” Since then, the group has continued to make headlines. Most recently, Krebs learned that the group announced a stolen data auction featuring files from a Canadian agricultural production company.

The Maze Ransomware operators (previously known as ChaCha ransomware) demonstrated through Maze News that exploitation was perhaps more lucrative than the ransom itself. Their success has served as inspiration for other ransomware operations. Now, with at least 13 known operations reportedly leaking stolen data, “The Maze gang is once again stirring up the threat landscape by creating a cartel of ransomware operations to share resources and extort their victims,” according to Bleeping Computer.

A scan of recent headlines reveals that the cartel has been active. Threatpost reported, “A U.S. military contractor involved in the maintenance of the country’s Minuteman III nuclear arsenal has been hit by the Maze ransomware.” According to CRN, the European operations systems of the well-known IT services company Conduent were struck by ransomware, which resulted in some of the company’s internal documents being leaked.

To Pay or Not to Pay Might Be the Wrong Question

As more of these groups use ransomware attacks to exfiltrate data and create auction or news sites like those of REvil and Maze News, it’s likely that these cartel rings will become more emboldened and perhaps even empowered. The ransomware question may no longer be whether or not to pay the ransom, because paying was always in large part about the ability to decrypt and regain access to files. These cartel-like organizations have shifted from ransom to publicized extortion, threatening to ruin the reputations of those victims who opt not to pay.

It is possible to avoid being a victim of ransomware. For that to happen, what matters now, more than ever, is that companies have real-time monitoring of their networks and their partners.

Copyright 2021 Prevailion, Inc. All rights reserved.