Ransomware Authors Go Beyond Malicious Encryption

By David Balaban

The scourge of ransomware is mutating into a phenomenon with a two-pronged extortion plan at its core. Schemes used to rely solely on encryption that made a victim’s data inaccessible, but a game-changing tweak to the “classic” attack chain took place in late 2019. A number of ransomware strains have since adopted a blackmail model that adds data theft to the encryption. In addition to demanding bitcoins for decryption, the criminals now threaten to publish the victims’ files on publicly accessible resources in case of nonpayment. This article describes the ransomware families employing these “double trouble” schemes.

Maze Ransomware Takes Extortion to a New Level

This unnerving trend started with a predatory program called Maze. It had been largely on the sidelines of the ransomware ecosystem until November 2019, when Maze operators set their sights on Allied Universal, a staffing and security services giant headquartered in the U.S. The company was a ripe target for the cybercriminals because it employs hundreds of thousands of people, and its annual revenue reaches billions of dollars.

After gaining a foothold in the breached organization’s network, the malicious actors stole roughly 7 GB of data before executing the encryption process. Then, they reached out to the victim’s management with an ultimatum demanding 300 bitcoins (about $2.6 million) for decrypting the data. To apply extra pressure, the attackers claimed they would leak some of the stolen files unless Allied Universal paid up within a specific time frame.

When the company rejected all of these demands, the Maze ransomware authors carried through with their “plan B” by uploading 700 MB of the exfiltrated data to a Russian hacking forum. Their follow-up threat was to release the remaining information into the wild if Allied Universal refused to cough up the ransom, which had been increased in light of their victim’s “disobedience.”

Maze Crew Keeps Playing Dirty

In another move, Maze ransomware distributors orchestrated a successful attack against Andrew Agencies, a Canadian insurance firm. This incident took place in October 2019 but was unearthed in December, when the perpetrators emailed prominent security analysts with proof of the attack. Specifically, they claimed to have encrypted files on more than 200 computers belonging to the victimized company. Before triggering the encryption, though, they stole 62 terabytes worth of data, 1 GB of which was customer-related.

The extortionists asked for 150 bitcoins (approximately $1.3 million) for decrypting the records. Andrew Agencies reportedly agreed to pay but requested extra time to collect the huge amount. Then the firm suddenly changed tack and stopped responding to the hackers altogether. In more recent correspondence with news outlets, the firm has denied the loss of sensitive information. Although the deadline has passed, the data does not appear to have been leaked at this point.

Things were less fortunate for the city of Pensacola, Florida, which fell victim to Maze in early December 2019. The attack caused the city’s administration to shut down their systems for a while, including email and phone services. The blackmailers claimed to have pilfered about 32 GB of data during the incursion.

When Pensacola officials said no to the offenders, who demanded $1 million in cryptocurrency, the Maze group began releasing the exfiltrated information. About 2 GB of data ended up on a public website, and the perpetrators threatened to leak the rest if the city continued to refuse their demands. There have been no updates on this incident since, but it is a disconcerting demonstration that this tactic can disrupt entire cities.

The computer network of Medical Diagnostic Laboratories (MDLab), a healthcare and research facility based in New Jersey, was infiltrated by the Maze ransomware on December 2, 2019. The cybercriminals infected 231 computers and amassed a total of 100 GB of data. In this case, the ransom was 200 bitcoins (almost $1.8 million). The extortion tactic was the same as with the other victims: The files would be made public unless their demands were met.

Tired of waiting on MDLab’s decision, the malefactors demonstrated that they weren’t bluffing. They released more than 9 GB of data, some of which concerned the institution’s proprietary immunology research.

Furthermore, Maze operators reportedly recommended that the facility get in touch with Coveware, a well-known ransomware recovery firm, so that it could act as a mediator in the negotiations. The firm declined to be a go-between, stating that it was not interested in getting “financial benefit from a criminal’s referral.” Over 90 GB of data still remains at risk.

As if this list of high-profile victims wasn’t enough, the black hats behind the Maze ransomware also hit Southwire, a manufacturer of wire, cable, and hand tools headquartered in Carrollton, Georgia. Nearly 900 computers on the company’s network were infected in mid-December 2019, and the attackers allegedly stole a whopping 120 GB of data prior to the unauthorized encryption. The demand was jaw-dropping: 850 bitcoins, or about $7.5 million.

When Southwire refused to pay, the threat actors started leaking the information. In late January 2020, they posted 14.1 GB of data on a dark web forum, and according to the hackers they will continue to release a further 10 percent of the stolen data every week until the ransom is paid or until they have no files left.

Sodinokibi Ransomware Steps in

The distributors of Sodinokibi (REvil), a strain that dominated the ransomware landscape throughout 2019 and into early 2020, joined the wave of double blackmail schemes in December 2019. The malefactors stole information belonging to a data center provider called CyrusOne as part of their attack and posted an announcement of their new tactic on a Russian hacking forum.

While CyrusOne admitted to dealing with a file-encrypting ransomware incident, they didn’t confirm data theft. Sodinokibi operators insisted the data theft had occurred and claimed that they would sell the stolen data to a competitor or leak it in the event of nonpayment. No further updates on this story have been reported as of yet.

An instance of a real data dump occurred in January 2020, when the cybercriminals hit an IT staffing firm called Artech Information Systems. In the aftermath of failed negotiations with the victim, they made about 300 MB of the company’s data publicly accessible. The bad news is that this was only the first portion of the data, and there are allegedly more files at the hackers’ disposal.

Gedia Automotive Group, a German company that has premises in nine countries and employs more than 4,000 people, fell victim to Sodinokibi in late January 2020. The attack allowed the hackers to get hold of 50 GB of the organization’s data, including blueprints as well as sensitive staff and customer records. After Gedia declined to respond, the ransomware makers decided to put the information up for sale on two underground forums. They also claimed that if no one purchased it, they would publish it for free.

Nemty Ransomware is All Set to Do the Same

A ransomware program called Nemty is another whose distributors are trying their hand at data theft alongside encryption. Originally discovered in August 2019, it is backed by a Ransomware-as-a-Service (RaaS) platform that allows would-be extortionists to join up. The operation homes in on corporate networks rather than standalone machines.

In mid-January 2020, malware analysts found that the news feed on the Nemty affiliate page had been updated with an announcement about setting up a separate website for data dumps. The criminals said they were going to leak information amassed from businesses that rejected ransom demands. It appears that the cybercriminals have added data theft to their operation and intend to monetize it.

BitPyLock Makers Can’t Resist the Temptation Either

BitPyLock is one more strain claiming to steal data before encryption. It started out as an infection targeting individual computers but switched to network-wide attacks in January 2020. Unlike its counterparts, BitPyLock demands a relatively low ransom for decrypting all devices on a network; in most cases it does not exceed five bitcoins (a little over $43,000).

The newer edition of the ransom note dropped by this threat includes a warning about a data leaking tactic that will supposedly apply to nonpaying organizations. An extra phrase stating, “This is not a joke!” adds even more pressure to the whole attack. At the time of this writing, it’s unknown whether the hackers’ claims are real or empty threats. They haven’t posted any information illegally obtained from their victims yet. Hopefully, this won’t change anytime soon.

DoppelPaymer Takes a Page out of Maze’s Playbook

The latest ransomware to take a sharp turn in its activities is called DoppelPaymer. In early February 2020, its operators included a warning on their payment site hosted on the Tor anonymity network. According to the warning, all data harvested during their attack would be made publicly available or sold to an interested party unless they received the bitcoins they demanded for the decryptor.

The authors of DoppelPaymer have exchanged some emails on this subject with security researchers at the Bleeping Computer portal. They claim to have been collecting their victims’ data for a year or so. Moreover, some of this information has been purportedly sold on underground forums before to cover some expenses.

More recently, the hackers have taken this up a notch by launching a Tor site named “Doppel leaks.” This is a test run for a future campaign of posting some of the pilfered files. At this point, the page includes a few records on four compromised organizations, including Mexico’s major petroleum company Pemex. The ransomware operators are known to have instructed the latter to pay 568 bitcoins (almost $4.9 million).

The Bottom Line

While data encryption remains the core of ransomware attacks, more and more hacker groups now collect victims’ data to run their extortion campaigns from a position of greater strength.

The targets of these campaigns don’t only lose important files, but they may also face reputational issues and deal with lawsuits for failing to protect the personal information of their clients.

Ransomware attacks are turning into an explosive fusion of encryption and data breaches. The incidents above show how devastating the consequences can be both for businesses and municipalities. Given the escalating menace, ransomware prevention is more important than ever before.

Many of these intrusions start with unpatched software flaws or with exposed, weakly protected Remote Desktop services. Even relatively secure systems running macOS or Linux can be infected. The human factor remains a common source of such attacks, so organizations should focus on security awareness training for their staff in addition to patching software and closing network loopholes.
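The incidents above share two observable stages: the crews exfiltrate a large volume of data before they encrypt, and exposed, weakly protected Remote Desktop services are a common way in. As an added example that is not part of the original article, the following Python script runs two simple detections over constructed sample records embedded in the code: repeated failed RDP logons from a single source (Windows event 4625 with logon type 10, RemoteInteractive) and outbound transfers to non-RFC 1918 addresses that far exceed a host’s usual external traffic. The thresholds, host names, IP addresses and baseline figures are assumptions for illustration.

```python
"""Added example (not from the article): detections for the two stages of a
double-extortion attack, run over constructed, embedded sample records.
Thresholds, field layout, hosts and addresses are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Constructed Windows Security events: (timestamp, source_ip, user, event_id, logon_type)
# Event 4625 = failed logon; logon type 10 = RemoteInteractive (RDP).
_BASE = datetime(2020, 1, 15, 2, 0, 0)
AUTH_EVENTS = [
    ((_BASE + timedelta(seconds=5 * i)).isoformat(), "203.0.113.7", "administrator", 4625, 10)
    for i in range(25)                      # 25 failures in two minutes: password spraying
] + [
    ("2020-01-15T02:03:00", "198.51.100.9", "jsmith", 4625, 10),   # one typo by a real user
    ("2020-01-15T02:03:10", "198.51.100.9", "jsmith", 4624, 10),   # then a successful logon
    ("2020-01-15T02:04:00", "10.0.0.5", "svc_backup", 4625, 3),    # network logon, not RDP
]

# Constructed outbound flows: (timestamp, src_host, dst_ip, bytes_out)
FLOWS = [
    ("2020-01-15T03:10:00", "fileserver01", "203.0.113.7", 2_500_000_000),
    ("2020-01-15T03:25:00", "fileserver01", "203.0.113.7", 2_500_000_000),
    ("2020-01-15T03:40:00", "fileserver01", "203.0.113.7", 2_000_000_000),
    ("2020-01-15T09:00:00", "fileserver01", "10.0.0.20", 40_000_000_000),  # internal backup job
    ("2020-01-15T09:05:00", "ws-042", "93.184.216.34", 30_000_000),
    ("2020-01-15T09:06:00", "ws-042", "93.184.216.34", 20_000_000),
]

# Constructed per-host baseline of typical daily bytes sent to external addresses.
BASELINE = {"fileserver01": 300_000_000, "ws-042": 50_000_000}

RFC1918 = tuple(ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"))


def rdp_bruteforce(events, threshold=20, window=timedelta(minutes=5)):
    """Return {source_ip: max_failures_in_window} for sources that produced at
    least `threshold` failed RDP logons (4625, logon type 10) inside any sliding
    `window`. Successful logons and non-RDP logon types are ignored."""
    by_src = defaultdict(list)
    for ts, src, _user, event_id, logon_type in events:
        if event_id == 4625 and logon_type == 10:
            by_src[src].append(datetime.fromisoformat(ts))
    hits = {}
    for src, times in by_src.items():
        times.sort()
        start = 0
        for end in range(len(times)):             # two-pointer sliding window
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                hits[src] = max(hits.get(src, 0), count)
    return hits


def bulk_exfil(flows, baseline, factor=10):
    """Return {src_host: external_bytes} for hosts whose bytes sent to
    non-RFC 1918 destinations exceed `factor` times their baseline. Traffic to
    internal addresses (backups, file shares) is excluded so it cannot mask or
    trigger the alert."""
    external = defaultdict(int)
    for _ts, src_host, dst_ip, bytes_out in flows:
        addr = ipaddress.ip_address(dst_ip)
        if any(addr in net for net in RFC1918):
            continue
        external[src_host] += bytes_out
    return {
        host: total for host, total in external.items()
        if total > factor * baseline.get(host, 0)
    }


if __name__ == "__main__":
    for src, n in rdp_bruteforce(AUTH_EVENTS).items():
        print(f"ALERT rdp-bruteforce source={src} failures_in_window={n}")
    for host, total in bulk_exfil(FLOWS, BASELINE).items():
        print(f"ALERT bulk-exfil host={host} external_bytes={total}")
```

In a real deployment both functions would be fed from the SIEM (4625 events from domain controllers and jump hosts, flow records from the perimeter), and the baseline would be learned per host over a trailing period rather than hard-coded; the exfiltration check is deliberately restricted to external destinations because the large internal transfers of a nightly backup would otherwise drown out the signal.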

One way or another, the ransomware plague is evolving into a new stage. Ransomware attacks are now considered data breaches, and companies should be prepared to take up the challenge.
