Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


07:30 PM
Connect Directly

Ransom Payment No Guarantee Against Doxxing

Several organizations that paid a ransom to keep attackers from releasing stolen data saw it leaked anyway, according to Coveware.

Ransomware victims that pay threat actors to keep them from releasing data that might have been stolen during an attack often end up getting doxxed and hit with additional demands for money for the same dataset anyway.

An analysis by Coveware of ransomware attack data during the third quarter shows several organizations were victimized in this manner after paying attackers the demanded ransom.

Related Content:

Ransomware Attacks Show Little Sign of Slowing in 2021

The Changing Face of Threat Intelligence

New on The Edge: 9 Cyber Disaster-Recovery Planning Tips for a Disaster-Prone Time

Coveware observed victims of the Sodinokobi ransomware group, for instance, being re-extorted just weeks after they had paid, with more threats to post the same dataset. The operators of the Netwalker and Mespinoza ransomware families publicly posted data belonging to companies that had specifically paid the groups a ransom for the data not be leaked. Conti, another ransomware group, provided fake files to victims as proof they had deleted stolen data.

Often, a threat actor that has already extracted money from a victim will disguise the second extortion attempt as being the work of another group, Coveware CEO and co-founder Bill Siegel says. However, there's not enough data to determine how frequently such incidents are happening, he says.

"But it's happening enough for us to believe no one should pay," Siegel notes.

Some one in two of all ransomware Coverware analyzed last quarter involved data theft and the subsequent threat by attackers to publicly leak the stolen data if they were not paid.

The trend has completely altered the dynamics of ransomware attacks because in the past, if a victim had an adequate data backup, they could simply restore data and get away without paying a ransom. Now that option is gone. With data theft increasingly a part of ransomware attacks, victim organizations are being compelled to negotiate with attackers even if only to determine what exactly might have been stolen, Coveware states in a new report.

According to the security vendor, organizations that pay to prevent public sharing of stolen data can expect a variety of bad things to happen. Attackers, for instance, are unlikely to delete all or even any of the data they have stolen. They are more likely going to trade it with or sell it to another group. Coveware found that multiple parties could sometimes have custody of stolen data. In these instances, even if the attacker deleted their volume of data, others still have copies they can monetize indefinitely in different ways.

"Cyber extortion is highly profitable, has low risk, and low barriers to entry," Siegel says. "Like any other industry, it will continue to grow so long as the unit economics to the criminals are so favorable." Larger companies with big brands are more likely to care about doxxing than smaller businesses with lesser-known brand names, he says.

Big Game Hunting
One significant trend Coveware says it has observed over the past several quarters is an increase in attacks targeting big organizations. Cybercrooks appear to have figured out that the same tactics, techniques, and procedures that work on small companies can be used on larger companies with relatively little extra effort and cost.

The trend has driven a steady increase in average ransomware payouts over the past several quarters. In Q3 2020, ransomware victims on average paid $233,817, a 31% increase from the prior quarter. Half paid $110,532 or less, while the other half paid more.

At the higher end, victims of "big-game hunting" — as some vendors have begun describing attacks on large companies — can sometimes pay millions and even tens of millions of dollars in ransom. An IBM study earlier this year found some groups like Sodinokibi have even begun basing ransom demands on an organization's revenues, with average demands ranging between 0.08% and 9.1%. According to the study, some ransomware attacks the company helped customers remediate involved ransom amounts of $40 million. Thirty-six percent of Sodinokibi's victims ended up paying a ransom to get their data back or to stop it from being publicly shared.

As has been the case for a while now, Coveware found many companies are continuing to leave themselves open to attack by failing to address fundamental security issues.

One of the biggest is improperly secured Remote Desktop Protocol (RDP) services. Threat actors have repeatedly exploited weakly protected RDP to break into corporate networks and establish a beachhead for further attacks.  Even so, many companies have failed to address the issue, resulting in underground markets being awash in RDP credentials. The huge supply of RDP credentials has made it easier for progressively less technical cybercriminals to begin distributing ransomware, Coveware says. Improperly secured RDP services are an especially common problem among small and midsize companies.

For larger organizations, Coveware discovered attackers tended to employ phishing and vulnerability exploits to gain an initial foot hold on a victim network.

The best approach to tackling the ransomware issue is to increase costs and make it harder for threat actors to carry out an attack, Siegel says. That means closing out cheap exploits like RDP and VPN vulnerabilities and then implementing a defense in-depth approach including the use of multifactor authentication he says.

"No one can fully keep them out, but you can keep them from seizing control of a domain controller with full administrative access," he says. 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Threaded  |  Newest First  |  Oldest First
Ransomware Is Not the Problem
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  6/9/2021
How Can I Test the Security of My Home-Office Employees' Routers?
John Bock, Senior Research Scientist,  6/7/2021
New Ransomware Group Claiming Connection to REvil Gang Surfaces
Jai Vijayan, Contributing Writer,  6/10/2021
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: Google's new See No Evil policy......
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-06-21
White Shark System (WSS) 1.3.2 is vulnerable to unauthorized access via user_edit_password.php, remote attackers can modify the password of any user.
PUBLISHED: 2021-06-21
White Shark System (WSS) 1.3.2 is vulnerable to sensitive information disclosure via default_task_add.php, remote attackers can exploit the vulnerability to create a task.
PUBLISHED: 2021-06-21
White Shark System (WSS) 1.3.2 is vulnerable to CSRF. Attackers can use the user_edit_password.php file to modify the user password.
PUBLISHED: 2021-06-20
The Quiz And Survey Master – Best Quiz, Exam and Survey Plugin WordPress plugin before 7.1.18 did not sanitise or escape its result_id parameter when displaying an existing quiz result page, leading to a reflected Cross-Site Scripting issue. This c...
PUBLISHED: 2021-06-18
RIOT-OS 2021.01 before commit 44741ff99f7a71df45420635b238b9c22093647a contains a buffer overflow which could allow attackers to obtain sensitive information.