Dark Reading is part of the Informa Tech Division of Informa PLC


Ransom Payment No Guarantee Against Doxxing

Several organizations that paid a ransom to keep attackers from releasing stolen data saw it leaked anyway, according to Coveware.

Ransomware victims that pay threat actors to keep them from releasing data that might have been stolen during an attack often end up getting doxxed and hit with additional demands for money for the same dataset anyway.

An analysis by Coveware of ransomware attack data during the third quarter shows several organizations were victimized in this manner after paying attackers the demanded ransom.

Coveware observed victims of the Sodinokibi ransomware group, for instance, being re-extorted just weeks after they had paid, with fresh threats to post the same dataset. The operators of the Netwalker and Mespinoza ransomware families publicly posted data belonging to companies that had specifically paid those groups a ransom for the data not to be leaked. Conti, another ransomware group, provided fake files to victims as proof that it had deleted the stolen data.

Often, a threat actor that has already extracted money from a victim will disguise the second extortion attempt as being the work of another group, Coveware CEO and co-founder Bill Siegel says. However, there's not enough data to determine how frequently such incidents are happening, he says.

"But it's happening enough for us to believe no one should pay," Siegel notes.

About one in two of the ransomware cases Coveware analyzed last quarter involved data theft and a subsequent threat by the attackers to publicly leak the stolen data if they were not paid.

The trend has completely altered the dynamics of ransomware attacks. In the past, a victim with an adequate data backup could simply restore from it and get away without paying a ransom. Now that option is gone. With data theft increasingly a part of ransomware attacks, victim organizations are being compelled to negotiate with attackers, even if only to determine what exactly might have been stolen, Coveware states in a new report.

According to the security vendor, organizations that pay to prevent public sharing of stolen data can expect a variety of bad things to happen. Attackers, for instance, are unlikely to delete all or even any of the data they have stolen. They are more likely going to trade it with or sell it to another group. Coveware found that multiple parties could sometimes have custody of stolen data. In these instances, even if the attacker deleted their volume of data, others still have copies they can monetize indefinitely in different ways.

"Cyber extortion is highly profitable, has low risk, and low barriers to entry," Siegel says. "Like any other industry, it will continue to grow so long as the unit economics to the criminals are so favorable." Larger companies with big brands are more likely to care about doxxing than smaller businesses with lesser-known brand names, he says.

Big Game Hunting
One significant trend Coveware says it has observed over the past several quarters is an increase in attacks targeting big organizations. Cybercrooks appear to have figured out that the same tactics, techniques, and procedures that work on small companies can be used on larger companies with relatively little extra effort and cost.

The trend has driven a steady increase in average ransomware payouts over the past several quarters. In Q3 2020, ransomware victims on average paid $233,817, a 31% increase from the prior quarter. Half paid $110,532 or less, while the other half paid more.

At the higher end, victims of "big-game hunting" — as some vendors have begun describing attacks on large companies — can sometimes pay millions and even tens of millions of dollars in ransom. An IBM study earlier this year found some groups like Sodinokibi have even begun basing ransom demands on an organization's revenues, with average demands ranging between 0.08% and 9.1%. According to the study, some ransomware attacks the company helped customers remediate involved ransom amounts of $40 million. Thirty-six percent of Sodinokibi's victims ended up paying a ransom to get their data back or to stop it from being publicly shared.

As has been the case for a while now, Coveware found many companies are continuing to leave themselves open to attack by failing to address fundamental security issues.

One of the biggest is improperly secured Remote Desktop Protocol (RDP) services. Threat actors have repeatedly exploited weakly protected RDP to break into corporate networks and establish a beachhead for further attacks. Even so, many companies have failed to address the issue, resulting in underground markets being awash in RDP credentials. The huge supply of RDP credentials has made it easier for progressively less technical cybercriminals to begin distributing ransomware, Coveware says. Improperly secured RDP services are an especially common problem among small and midsize companies.

For larger organizations, Coveware found attackers tended to employ phishing and vulnerability exploits to gain an initial foothold on a victim's network.

The best approach to tackling the ransomware issue is to increase costs and make it harder for threat actors to carry out an attack, Siegel says. That means closing out cheap exploits like RDP and VPN vulnerabilities and then implementing a defense-in-depth approach, including the use of multifactor authentication, he says.
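Exposed RDP rarely gets exploited silently: the credential guessing that precedes a break-in shows up in the Windows Security log as a burst of failed logons (Event ID 4625) with LogonType 10 (RemoteInteractive, i.e. RDP), sometimes followed by a success (Event ID 4624) from the same source. The script below is an added example, written for this article and not taken from Coveware or Dark Reading, of the kind of detection a defender would run over exported security events while RDP exposure is being closed out. The pipe-delimited export format, the sample log lines and the addresses in them are constructed for illustration; the event IDs and logon type are the standard Windows values.

```python
"""Flag likely RDP brute-force activity in exported Windows Security events.

Assumed export format (one event per line, constructed for this example):
    timestamp|EventID|LogonType|TargetUserName|IpAddress
Event ID 4625 = failed logon, 4624 = successful logon, LogonType 10 = RDP.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

FAILED_LOGON = 4625
SUCCESS_LOGON = 4624
RDP_LOGON_TYPE = 10

# Constructed sample: 12 failures against several accounts from one address
# in under a minute, then a successful RDP logon from the same address; a
# second address with three scattered failures; a normal admin logon; and a
# network (LogonType 3) failure that must not count as RDP.
SAMPLE_LOG = """\
2020-11-03T02:14:07|4625|10|administrator|203.0.113.45
2020-11-03T02:14:09|4625|10|administrator|203.0.113.45
2020-11-03T02:14:12|4625|10|admin|203.0.113.45
2020-11-03T02:14:15|4625|10|admin|203.0.113.45
2020-11-03T02:14:18|4625|10|backup|203.0.113.45
2020-11-03T02:14:22|4625|10|backup|203.0.113.45
2020-11-03T02:14:25|4625|10|svc_backup|203.0.113.45
2020-11-03T02:14:29|4625|10|svc_backup|203.0.113.45
2020-11-03T02:14:33|4625|10|helpdesk|203.0.113.45
2020-11-03T02:14:37|4625|10|helpdesk|203.0.113.45
2020-11-03T02:14:41|4625|10|scanner|203.0.113.45
2020-11-03T02:14:46|4625|10|scanner|203.0.113.45
2020-11-03T02:14:50|4625|3|administrator|203.0.113.45
2020-11-03T02:18:30|4624|10|svc_backup|203.0.113.45
2020-11-03T01:05:00|4625|10|jsmith|198.51.100.7
2020-11-03T01:30:00|4625|10|jsmith|198.51.100.7
2020-11-03T02:00:00|4625|10|jsmith|198.51.100.7
2020-11-03T08:02:11|4624|10|jsmith|192.0.2.10
"""


def parse_event(line: str) -> Dict:
    """Split one exported line into a typed event record."""
    ts, event_id, logon_type, user, ip = line.strip().split("|")
    return {
        "time": datetime.fromisoformat(ts),
        "event_id": int(event_id),
        "logon_type": int(logon_type),
        "user": user,
        "ip": ip,
    }


def parse_log(text: str) -> List[Dict]:
    return [parse_event(line) for line in text.splitlines() if line.strip()]


def find_rdp_bruteforce(events: List[Dict], threshold: int = 10,
                        window: timedelta = timedelta(minutes=5)) -> List[Dict]:
    """Return one alert per source IP that produced >= threshold failed RDP
    logons inside any `window`, noting whether a successful RDP logon from
    the same IP followed the burst (the case that needs immediate response)."""
    rdp = [e for e in events if e["logon_type"] == RDP_LOGON_TYPE]
    failures, successes = defaultdict(list), defaultdict(list)
    for e in rdp:
        if e["event_id"] == FAILED_LOGON:
            failures[e["ip"]].append(e)
        elif e["event_id"] == SUCCESS_LOGON:
            successes[e["ip"]].append(e)

    alerts = []
    for ip, fails in failures.items():
        fails.sort(key=lambda e: e["time"])
        best, start = None, 0
        # Sliding window over the sorted failure times: keep the densest burst.
        for end in range(len(fails)):
            while fails[end]["time"] - fails[start]["time"] > window:
                start += 1
            count = end - start + 1
            if count >= threshold and (best is None or count > best[0]):
                best = (count, fails[start]["time"], fails[end]["time"])
        if best is None:
            continue
        count, first, last = best
        later = [s for s in successes.get(ip, []) if s["time"] >= last]
        alerts.append({
            "ip": ip,
            "failures": count,
            "users": sorted({e["user"] for e in fails}),  # many users => spraying
            "first_seen": first,
            "last_seen": last,
            "followed_by_success": bool(later),
            "success_user": later[0]["user"] if later else None,
        })
    return alerts


if __name__ == "__main__":
    for alert in find_rdp_bruteforce(parse_log(SAMPLE_LOG)):
        print(alert)
```

Tune `threshold` and `window` to the environment: a low threshold over a long window catches slow, spread-out guessing, while the default catches the fast bursts typical of credential lists bought on underground markets. An alert with `followed_by_success` set is the one to treat as an active intrusion rather than noise.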

"No one can fully keep them out, but you can keep them from seizing control of a domain controller with full administrative access," he says.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...
