Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

11/4/2020
07:30 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Ransom Payment No Guarantee Against Doxxing

Several organizations that paid a ransom to keep attackers from releasing stolen data saw it leaked anyway, according to Coveware.

Ransomware victims that pay threat actors to keep them from releasing data that might have been stolen during an attack often end up getting doxxed and hit with additional demands for money for the same dataset anyway.

An analysis by Coveware of ransomware attack data during the third quarter shows several organizations were victimized in this manner after paying attackers the demanded ransom.

Related Content:

Ransomware Attacks Show Little Sign of Slowing in 2021

The Changing Face of Threat Intelligence

New on The Edge: 9 Cyber Disaster-Recovery Planning Tips for a Disaster-Prone Time

Coveware observed victims of the Sodinokobi ransomware group, for instance, being re-extorted just weeks after they had paid, with more threats to post the same dataset. The operators of the Netwalker and Mespinoza ransomware families publicly posted data belonging to companies that had specifically paid the groups a ransom for the data not be leaked. Conti, another ransomware group, provided fake files to victims as proof they had deleted stolen data.

Often, a threat actor that has already extracted money from a victim will disguise the second extortion attempt as being the work of another group, Coveware CEO and co-founder Bill Siegel says. However, there's not enough data to determine how frequently such incidents are happening, he says.

"But it's happening enough for us to believe no one should pay," Siegel notes.

Some one in two of all ransomware Coverware analyzed last quarter involved data theft and the subsequent threat by attackers to publicly leak the stolen data if they were not paid.

The trend has completely altered the dynamics of ransomware attacks because in the past, if a victim had an adequate data backup, they could simply restore data and get away without paying a ransom. Now that option is gone. With data theft increasingly a part of ransomware attacks, victim organizations are being compelled to negotiate with attackers even if only to determine what exactly might have been stolen, Coveware states in a new report.

According to the security vendor, organizations that pay to prevent public sharing of stolen data can expect a variety of bad things to happen. Attackers, for instance, are unlikely to delete all or even any of the data they have stolen. They are more likely going to trade it with or sell it to another group. Coveware found that multiple parties could sometimes have custody of stolen data. In these instances, even if the attacker deleted their volume of data, others still have copies they can monetize indefinitely in different ways.

"Cyber extortion is highly profitable, has low risk, and low barriers to entry," Siegel says. "Like any other industry, it will continue to grow so long as the unit economics to the criminals are so favorable." Larger companies with big brands are more likely to care about doxxing than smaller businesses with lesser-known brand names, he says.

Big Game Hunting
One significant trend Coveware says it has observed over the past several quarters is an increase in attacks targeting big organizations. Cybercrooks appear to have figured out that the same tactics, techniques, and procedures that work on small companies can be used on larger companies with relatively little extra effort and cost.

The trend has driven a steady increase in average ransomware payouts over the past several quarters. In Q3 2020, ransomware victims on average paid $233,817, a 31% increase from the prior quarter. Half paid $110,532 or less, while the other half paid more.

At the higher end, victims of "big-game hunting" — as some vendors have begun describing attacks on large companies — can sometimes pay millions and even tens of millions of dollars in ransom. An IBM study earlier this year found some groups like Sodinokibi have even begun basing ransom demands on an organization's revenues, with average demands ranging between 0.08% and 9.1%. According to the study, some ransomware attacks the company helped customers remediate involved ransom amounts of $40 million. Thirty-six percent of Sodinokibi's victims ended up paying a ransom to get their data back or to stop it from being publicly shared.

As has been the case for a while now, Coveware found many companies are continuing to leave themselves open to attack by failing to address fundamental security issues.

One of the biggest is improperly secured Remote Desktop Protocol (RDP) services. Threat actors have repeatedly exploited weakly protected RDP to break into corporate networks and establish a beachhead for further attacks.  Even so, many companies have failed to address the issue, resulting in underground markets being awash in RDP credentials. The huge supply of RDP credentials has made it easier for progressively less technical cybercriminals to begin distributing ransomware, Coveware says. Improperly secured RDP services are an especially common problem among small and midsize companies.

For larger organizations, Coveware discovered attackers tended to employ phishing and vulnerability exploits to gain an initial foot hold on a victim network.

The best approach to tackling the ransomware issue is to increase costs and make it harder for threat actors to carry out an attack, Siegel says. That means closing out cheap exploits like RDP and VPN vulnerabilities and then implementing a defense in-depth approach including the use of multifactor authentication he says.

"No one can fully keep them out, but you can keep them from seizing control of a domain controller with full administrative access," he says. 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Why Vulnerable Code Is Shipped Knowingly
Chris Eng, Chief Research Officer, Veracode,  11/30/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-14318
PUBLISHED: 2020-12-03
A flaw was found in the way samba handled file and directory permissions. An authenticated user could use this flaw to gain access to certain file and directory information which otherwise would be unavailable to the attacker.
CVE-2020-2320
PUBLISHED: 2020-12-03
Jenkins Plugin Installation Manager Tool 2.1.3 and earlier does not verify plugin downloads.
CVE-2020-2321
PUBLISHED: 2020-12-03
A cross-site request forgery (CSRF) vulnerability in Jenkins Shelve Project Plugin 3.0 and earlier allows attackers to shelve, unshelve, or delete a project.
CVE-2020-2322
PUBLISHED: 2020-12-03
Jenkins Chaos Monkey Plugin 0.3 and earlier does not perform permission checks in several HTTP endpoints, allowing attackers with Overall/Read permission to generate load and to generate memory leaks.
CVE-2020-2323
PUBLISHED: 2020-12-03
Jenkins Chaos Monkey Plugin 0.4 and earlier does not perform permission checks in an HTTP endpoint, allowing attackers with Overall/Read permission to access the Chaos Monkey page and to see the history of actions.