When Blackmailers Publish Stolen Data, Backup Is No Solution

Everything indicates that ransomware developers are setting a new trend: publishing data from companies that refuse to pay; see how to protect your company




Backups have been one of the most effective, if laborious, defenses against encrypting ransomware. Now criminals appear to have found a way around those who rely on backups as well: the operators of several such malware families, when faced with victims who refuse to pay the ransom, publish the stolen data online.


Data Publishing Makes Threats a Reality

Threats involving the publication of confidential information are nothing new. For example, in 2016, the group behind the cryptoware that infected the San Francisco Municipal Railway systems tried this trick. They never carried out their threat, however.


Maze Was the First

Unlike its predecessors, the group behind the Maze ransomware delivered on its promise at the end of 2019 - more than once. In November, when Allied Universal refused to pay, the criminals leaked 700MB of internal data, including contracts, termination agreements, digital certificates, and more. The blackmailers said they had published only 10% of what they had stolen and threatened to publish the rest if the company did not cooperate.


In December, those responsible for Maze created a website and used it to post the names of victim companies, the dates of infection, the amount of stolen data, and the IP addresses and names of infected servers. They posted some documents as well. At the end of that month, 2GB of files, apparently stolen from the city of Pensacola, Florida, appeared online. The blackmailers said they published the information to prove they were not bluffing.


In January, the creators of Maze posted 9.5GB of data from Medical Diagnostic Laboratories and 14.1GB of documents from cable manufacturer Southwire, which had previously sued the blackmailers over the leak of its confidential information. The lawsuit caused the Maze site to go offline, but not for long.


Then came Sodinokibi, Nemty, BitPyLock


Other cybercriminals did the same. The group behind the Sodinokibi ransomware, which was used to attack the international financial company Travelex over New Year's, declared in early January its intention to publish data belonging to the company's customers. The criminals say they have more than 5GB of information, including dates of birth, social security numbers, and bank card details.


Travelex, for its part, says it has seen no evidence of a leak and refuses to pay. The attackers, meanwhile, claim the company has agreed to enter into negotiations.


On January 11, the same group uploaded about 337MB of data to a hacker message board, saying it belonged to recruiting firm Artech Information Systems, which had refused to pay the ransom. The attackers said the data represented only a fraction of what they had stolen, and that they intended to sell the rest, rather than publish it, unless the victim complied.


The authors of the Nemty malware were the next to announce plans to publish confidential data from non-payers. They said they intended to create a blog on which to publish the internal documents of victims who did not comply with their demands.


BitPyLock ransomware operators have joined the trend, adding to their ransom note a promise to make their victims' confidential data publicly available. Although they have not yet followed through, BitPyLock has also been shown to be capable of stealing data.


It's Not Just Ransomware

Additional capabilities bolted onto ransomware are nothing new. For example, in 2016 a version of the Shade Trojan installed remote administration tools instead of encrypting files if it identified that a particular machine was used for accounting. CryptXXX both encrypted files and stole Bitcoin and logins from its victims. The group responsible for the RAA cryptor equipped some samples of the malware with the Pony Trojan, which also targeted logins and passwords. Ransomware that steals data shouldn't surprise anyone - especially now that companies are increasingly recognizing the need to back up their information.


What is worrying is that backups offer no protection against these attacks. If you are infected, there is no way to avoid losses, which are not necessarily limited to the ransom; cybercriminals offer no guarantees. The only way to protect yourself is to keep the malware out of your systems in the first place.


How to Protect Yourself Against Ransomware

These attacks are only beginning to gain momentum, so you need to stay protected. More than reputational damage and the disclosure of trade secrets is at stake - if you allow customer data to be stolen, you could face serious fines. So, here is some advice:


Improve information security awareness. The more knowledgeable your employees are, the less likely it is that phishing and other social engineering techniques will work against your company.

Update your operating systems and software immediately - especially anything that contains vulnerabilities that could allow unauthorized access and system control.

Use a specialized protection solution to fight ransomware. For example, you can download our Total Security free of charge.
