Ransomware victims that pay threat actors to keep them from releasing data that might have been stolen during an attack often end up getting doxxed and hit with additional demands for money for the same dataset anyway.
An analysis by Coveware of ransomware attack data during the third quarter shows several organizations were victimized in this manner after paying attackers the demanded ransom.
Coveware observed victims of the Sodinokobi ransomware group, for instance, being re-extorted just weeks after they had paid, with more threats to post the same dataset. The operators of the Netwalker and Mespinoza ransomware families publicly posted data belonging to companies that had specifically paid the groups a ransom for the data not be leaked. Conti, another ransomware group, provided fake files to victims as proof they had deleted stolen data.
Often, a threat actor that has already extracted money from a victim will disguise the second extortion attempt as being the work of another group, Coveware CEO and co-founder Bill Siegel says. However, there's not enough data to determine how frequently such incidents are happening, he says.
"But it's happening enough for us to believe no one should pay," Siegel notes.
Some one in two of all ransomware Coverware analyzed last quarter involved data theft and the subsequent threat by attackers to publicly leak the stolen data if they were not paid.
The trend has completely altered the dynamics of ransomware attacks because in the past, if a victim had an adequate data backup, they could simply restore data and get away without paying a ransom. Now that option is gone. With data theft increasingly a part of ransomware attacks, victim organizations are being compelled to negotiate with attackers even if only to determine what exactly might have been stolen, Coveware states in a new report.
According to the security vendor, organizations that pay to prevent public sharing of stolen data can expect a variety of bad things to happen. Attackers, for instance, are unlikely to delete all or even any of the data they have stolen. They are more likely going to trade it with or sell it to another group. Coveware found that multiple parties could sometimes have custody of stolen data. In these instances, even if the attacker deleted their volume of data, others still have copies they can monetize indefinitely in different ways.
"Cyber extortion is highly profitable, has low risk, and low barriers to entry," Siegel says. "Like any other industry, it will continue to grow so long as the unit economics to the criminals are so favorable." Larger companies with big brands are more likely to care about doxxing than smaller businesses with lesser-known brand names, he says.
Big Game Hunting
One significant trend Coveware says it has observed over the past several quarters is an increase in attacks targeting big organizations. Cybercrooks appear to have figured out that the same tactics, techniques, and procedures that work on small companies can be used on larger companies with relatively little extra effort and cost.
The trend has driven a steady increase in average ransomware payouts over the past several quarters. In Q3 2020, ransomware victims on average paid $233,817, a 31% increase from the prior quarter. Half paid $110,532 or less, while the other half paid more.
At the higher end, victims of "big-game hunting" — as some vendors have begun describing attacks on large companies — can sometimes pay millions and even tens of millions of dollars in ransom. An IBM study earlier this year found some groups like Sodinokibi have even begun basing ransom demands on an organization's revenues, with average demands ranging between 0.08% and 9.1%. According to the study, some ransomware attacks the company helped customers remediate involved ransom amounts of $40 million. Thirty-six percent of Sodinokibi's victims ended up paying a ransom to get their data back or to stop it from being publicly shared.
As has been the case for a while now, Coveware found many companies are continuing to leave themselves open to attack by failing to address fundamental security issues.
One of the biggest is improperly secured Remote Desktop Protocol (RDP) services. Threat actors have repeatedly exploited weakly protected RDP to break into corporate networks and establish a beachhead for further attacks. Even so, many companies have failed to address the issue, resulting in underground markets being awash in RDP credentials. The huge supply of RDP credentials has made it easier for progressively less technical cybercriminals to begin distributing ransomware, Coveware says. Improperly secured RDP services are an especially common problem among small and midsize companies.
For larger organizations, Coveware discovered attackers tended to employ phishing and vulnerability exploits to gain an initial foot hold on a victim network.
The best approach to tackling the ransomware issue is to increase costs and make it harder for threat actors to carry out an attack, Siegel says. That means closing out cheap exploits like RDP and VPN vulnerabilities and then implementing a defense in-depth approach including the use of multifactor authentication he says.
"No one can fully keep them out, but you can keep them from seizing control of a domain controller with full administrative access," he says.