Almost Half Of Ransomware Attacks Now Involve Data Exfiltration And Extortion

KnowBe4 and CyberWire reported that in the third quarter of 2020 nearly half of ransomware attacks involved data exfiltration and extortion, not just file encryption. Worse, the incident-response firm Coveware says it has identified cases in which ransomware gangs leaked data after the victim paid the ransom, or came back to demand a second payment:

“Coveware feels that we have reached a tipping point with the data exfiltration tactic. Despite some companies opting to pay threat actors to not release exfiltrated data, Coveware has seen a fraying of promises of the cybercriminals (if that is a thing) to delete the data.

The below list includes ransomware groups whom we have observed publicly DOX victims after payment, or have demanded a second extortion payment from a company that had previously paid to have the data deleted / not leaked:

  • “Sodinokibi: Victims that paid were re-extorted weeks later with threats to post the same data set.
  • “Maze / Sekhmet / Egregor (related groups): Data posted on a leak site accidentally or willfully before the client understood there was data taken.
  • “Netwalker: Data posted of companies that had paid for it not to be leaked.
  • “Mespinoza: Data posted of companies that had paid for it not to be leaked.
  • “Conti: Fake files are shown as proof of deletion.”

Coveware advises against paying to suppress stolen data, and says victims should treat these incidents as data breaches from the outset, regardless of whether they decide to pay:

“Unlike negotiating for a decryption key, negotiating for the suppression of stolen data has no finite end. Once a victim receives a decryption key, it can’t be taken away and does not degrade with time. With stolen data, a threat actor can return for a second payment at any point in the future. The track records are too short and evidence that defaults are selectively occurring is already collecting.

Accordingly, we strongly advise all victims of data exfiltration to take the hard but responsible steps. Those include getting the advice of competent privacy attorneys, performing an investigation into what data was taken, and performing the necessary notifications that result from that investigation and counsel.

Paying a threat actor does not discharge any of the above, and given the outcomes that we have recently seen, paying a threat actor not to leak stolen data provides almost no benefit to the victim. There may be other reasons to consider, such as brand damage or long term liability, and all considerations should be made before a strategy is set.”

Emsisoft’s Fabian Wosar agrees with this view, telling KrebsOnSecurity, “Technically speaking, whether they delete the data or not doesn’t matter from a legal point of view. The data was lost at the point when it was exfiltrated.”