Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


07:30 PM
Connect Directly

Ransom Payment No Guarantee Against Doxxing

Several organizations that paid a ransom to keep attackers from releasing stolen data saw it leaked anyway, according to Coveware.

Ransomware victims that pay threat actors to keep them from releasing data that might have been stolen during an attack often end up getting doxxed and hit with additional demands for money for the same dataset anyway.

An analysis by Coveware of ransomware attack data during the third quarter shows several organizations were victimized in this manner after paying attackers the demanded ransom.

Related Content:

Ransomware Attacks Show Little Sign of Slowing in 2021

The Changing Face of Threat Intelligence

New on The Edge: 9 Cyber Disaster-Recovery Planning Tips for a Disaster-Prone Time

Coveware observed victims of the Sodinokobi ransomware group, for instance, being re-extorted just weeks after they had paid, with more threats to post the same dataset. The operators of the Netwalker and Mespinoza ransomware families publicly posted data belonging to companies that had specifically paid the groups a ransom for the data not be leaked. Conti, another ransomware group, provided fake files to victims as proof they had deleted stolen data.

Often, a threat actor that has already extracted money from a victim will disguise the second extortion attempt as being the work of another group, Coveware CEO and co-founder Bill Siegel says. However, there's not enough data to determine how frequently such incidents are happening, he says.

"But it's happening enough for us to believe no one should pay," Siegel notes.

Some one in two of all ransomware Coverware analyzed last quarter involved data theft and the subsequent threat by attackers to publicly leak the stolen data if they were not paid.

The trend has completely altered the dynamics of ransomware attacks because in the past, if a victim had an adequate data backup, they could simply restore data and get away without paying a ransom. Now that option is gone. With data theft increasingly a part of ransomware attacks, victim organizations are being compelled to negotiate with attackers even if only to determine what exactly might have been stolen, Coveware states in a new report.

According to the security vendor, organizations that pay to prevent public sharing of stolen data can expect a variety of bad things to happen. Attackers, for instance, are unlikely to delete all or even any of the data they have stolen. They are more likely going to trade it with or sell it to another group. Coveware found that multiple parties could sometimes have custody of stolen data. In these instances, even if the attacker deleted their volume of data, others still have copies they can monetize indefinitely in different ways.

"Cyber extortion is highly profitable, has low risk, and low barriers to entry," Siegel says. "Like any other industry, it will continue to grow so long as the unit economics to the criminals are so favorable." Larger companies with big brands are more likely to care about doxxing than smaller businesses with lesser-known brand names, he says.

Big Game Hunting
One significant trend Coveware says it has observed over the past several quarters is an increase in attacks targeting big organizations. Cybercrooks appear to have figured out that the same tactics, techniques, and procedures that work on small companies can be used on larger companies with relatively little extra effort and cost.

The trend has driven a steady increase in average ransomware payouts over the past several quarters. In Q3 2020, ransomware victims on average paid $233,817, a 31% increase from the prior quarter. Half paid $110,532 or less, while the other half paid more.

At the higher end, victims of "big-game hunting" — as some vendors have begun describing attacks on large companies — can sometimes pay millions and even tens of millions of dollars in ransom. An IBM study earlier this year found some groups like Sodinokibi have even begun basing ransom demands on an organization's revenues, with average demands ranging between 0.08% and 9.1%. According to the study, some ransomware attacks the company helped customers remediate involved ransom amounts of $40 million. Thirty-six percent of Sodinokibi's victims ended up paying a ransom to get their data back or to stop it from being publicly shared.

As has been the case for a while now, Coveware found many companies are continuing to leave themselves open to attack by failing to address fundamental security issues.

One of the biggest is improperly secured Remote Desktop Protocol (RDP) services. Threat actors have repeatedly exploited weakly protected RDP to break into corporate networks and establish a beachhead for further attacks.  Even so, many companies have failed to address the issue, resulting in underground markets being awash in RDP credentials. The huge supply of RDP credentials has made it easier for progressively less technical cybercriminals to begin distributing ransomware, Coveware says. Improperly secured RDP services are an especially common problem among small and midsize companies.

For larger organizations, Coveware discovered attackers tended to employ phishing and vulnerability exploits to gain an initial foot hold on a victim network.

The best approach to tackling the ransomware issue is to increase costs and make it harder for threat actors to carry out an attack, Siegel says. That means closing out cheap exploits like RDP and VPN vulnerabilities and then implementing a defense in-depth approach including the use of multifactor authentication he says.

"No one can fully keep them out, but you can keep them from seizing control of a domain controller with full administrative access," he says. 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Former CISA Director Chris Krebs Discusses Risk Management & Threat Intel
Kelly Sheridan, Staff Editor, Dark Reading,  2/23/2021
Security + Fraud Protection: Your One-Two Punch Against Cyberattacks
Joshua Goldfarb, Director of Product Management at F5,  2/23/2021
Cybercrime Groups More Prolific, Focus on Healthcare in 2020
Robert Lemos, Contributing Writer,  2/22/2021
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: "The truth behind Stonehenge...."
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Building the SOC of the Future
Building the SOC of the Future
Digital transformation, cloud-focused attacks, and a worldwide pandemic. The past year has changed the way business works and the way security teams operate. There is no going back.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-03-02
fastify-reply-from is an npm package which is a fastify plugin to forward the current http request to another server. In fastify-reply-from before version 4.0.2, by crafting a specific URL, it is possible to escape the prefix of the proxied backend service. If the base url of the proxied server is &...
PUBLISHED: 2021-03-02
fastify-http-proxy is an npm package which is a fastify plugin for proxying your http requests to another server, with hooks. By crafting a specific URL, it is possible to escape the prefix of the proxied backend service. If the base url of the proxied server is `/pub/`, a user expect that accessing...
PUBLISHED: 2021-03-02
matrix-react-sdk is an npm package which is a Matrix SDK for React Javascript. In matrix-react-sdk before version 3.15.0, the user content sandbox can be abused to trick users into opening unexpected documents. The content is opened with a `blob` origin that cannot access Matrix user data, so messag...
PUBLISHED: 2021-03-02
Accellion FTA 9_12_432 and earlier is affected by argument injection via a crafted POST request to an admin endpoint. The fixed version is FTA_9_12_444 and later.
PUBLISHED: 2021-03-02
A buffer overflow vulnerability in the AT command interface of Gigaset DX600A v41.00-175 devices allows remote attackers to force a device reboot by sending relatively long AT commands.