Ransomware criminals are adding salt to the wound to those infected with ransomware by creating sites to leak data stolen from non-paying victims. Maze ransomware was the first variant to create a place to publish such data; however, over the last week, Sodinokibi/REvil (REvil), Nemty, and DoppelPaymer have started following suit. Ransomware attacks are no longer about simply encrypting files; ransomware attacks can now be considered data breaches.
Ransomware Attacks are Data Breaches
When ransomware first emerged on the scene, a hacker would infiltrate a user’s machine through a phishing scheme or similar attack. The user would click on a link or attachment armed with ransomware. The ransomware would deploy and encrypt various types of files. The ransomware author or gang would put a ransom note in each folder with the encrypted files that contained instructions on how to pay the ransom and gain access to a decryption key. While most of the process is the same today, cybersecurity experts and governmental agencies have been urging businesses and individuals alike not to pay the ransom. Instead, they should have proper backups and cybersecurity measures in place (such as CryptoStopper) to protect against a ransomware attack or recover from an attack should they become infected. However, as we evolve with our cybersecurity tactics, cybercriminals have become more sophisticated with their attacks as well. Throughout the last year or so, ransomware gangs have started exfiltrating a user’s or business’s data as part of the attack.
Until recently, it was assumed this data was used to encourage those infected with ransomware to pay the ransom. Now, with the likes of Maze, REvil, Nemty, and DoppelPaymer ransomware families, cybercriminals are either posting the stolen data online for the world to see or, to make matters worse, they are selling it on hacker forums so it can be utilized in other attacks.
Ransomware attacks must now be treated as data breaches as the personal and private data of employees is being published online.
Nefilim ransomware, believed to be a new version of Nemty ransomware, has launched a site called “Corporate Leaks.” This site is being used to dump the data of victims who do not pay the ransom. As you can see in the screenshot below, Corporate Leaks contains data from corporate networks that failed to negotiate with the cybercriminals. Nefilim doesn’t publish the entire data set at once. Instead, they post the data in parts to further encourage infected corporations to pay the ransom.
With the addition of websites such as Corporate Leaks, we are talking about more than lost data from the encryption process of ransomware. Now we are talking about personal and private information of customers and employers. With some ransom demands currently in the six-figure range, it’s hard to tell anyone to pay the ransom. However, will the financial fallout from your broken reputation be higher than the cost to pay the ransom?
CryptoStopper can help protect your business from becoming the next victim of a data breach via ransomware attack. CryptoStopper provides ransomware protection by automatically detecting and stopping actively running ransomware attacks. CryptoStopper uses deception technology to detect ransomware. During the installation process, decoy files are strategically deployed. We call these Watcher Files. When ransomware begins the encryption process, CryptoStopper detects it in real-time and takes actions in less than a second. Check out our free ransomware simulator to see how CryptoStopper works!
Photo courtesy of securitymagazine.com