Ransomware attackers have added data theft to their destructive data encryption arsenal.
Not only are they encrypting the systems they infect, they are also stealing the data first and blackmailing victims with the threat of exposure.
Cybercriminal groups now exfiltrate data before they encrypt systems and threaten to publish it unless the victim pays, and the ransom demands are often higher as a result.
“Cybercriminals are trying to get a better return on investment in malware development,” observed Marcus Chung, CEO of cybersecurity advisory firm BoldCloud.
“They are stealing the data and then holding it hostage. So, they have a copy and they are encrypting the data on the victim’s side. They are shaming these companies by saying, ‘OK, if you don’t want us to release the information and make your brand look really bad,’” Chung told IT Security Writer.
Data breach costs could be high
Not only do victims face higher ransom demands, they also could face data breach costs, such as remediation expenses, regulatory fines, and reputation damage.
One ransomware family that pairs encryption with data theft is Maze. Its operators recently attacked Medical Diagnostics Laboratories, infecting 231 workstations at the company. They demanded 100 Bitcoin (about $964,600) to decrypt the data and another 100 Bitcoin to destroy the stolen copy, according to Bleeping Computer. The Maze operators published almost 10 GB of the stolen data to show they were serious about the demand, with another 100 GB held in reserve.
“These attackers know that these companies, particularly in Europe, have GDPR [General Data Protection Regulation] requirements. If there is a breach, there is no way to hide it. They will be exposed publicly and face fines and other punishments for violating GDPR,” Chung observed.
Maze operators also hit Southwire, a U.S. wire and cable manufacturer, demanding 200 Bitcoin (about $1.7 million). The company refused to pay, and the attackers published some of its data.
Another ransomware strain that carries out similar attacks is REvil (Sodinokibi).
The Russian cybercrime group UNKN used REvil ransomware to infect data center operator CyrusOne in December. In a post, UNKN threatened to release the data if the company refused to pay.
“In case of refusal of payment, the data will either be sold to competitors or laid out in open sources. GDPR. Do not want to pay us, pay x10 times more to the government. No problems,” the group wrote.
There were no follow-up press reports on whether CyrusOne ended up paying the ransom, although the company’s CEO, chairman, and director Gary Wojtaszek stepped down last week.
REvil infects more than 150,000 victims
In a recent study, Dutch telecom provider KPN found more than 150,000 REvil infections worldwide, with some attacks encrypting more than 3,000 unique systems in a single intrusion. The average ransom demanded by REvil attackers is $260,000, and total ransom demands topped $38 million over the last few months.
“These attackers are both charging for data destruction and data recovery. They are not just saying, ‘You need to pay us for access to your files,’ but they are also saying, ‘You have to trust us that we will eliminate all copies of the data.’ They are putting these companies over a barrel,” Chung said.
“This new threat of ransomware is different from the past. Before, attackers didn’t care about having access to the data. Now they do. Now they have two aspects they can leverage against the victims … This is a fundamental change in how ransomware attackers are developing their code and attacking their victims,” he concluded.