Coveware has published its Quarterly Ransomware report for the third quarter of 2020, highlighting the latest ransomware attack developments. The report notes that exfiltrating data before deploying the ransomware remains a popular tactic. About 50% of all ransomware attacks involved the theft of data. These kinds of attacks doubled in the third quarter of 2020.
When attackers steal data before encrypting files, victims are told to pay the ransom or their information will be exposed on the internet or offered for sale. The threat is meant to force payment, but ransomware victims must think carefully about whether to pay. There are no assurances that the attacker won’t publish the stolen data after the ransom is paid.
Ransomware Groups Break Their Promises to Delete Data
The Maze ransomware gang began the double-extortion trend in 2019, and many ransomware operators soon did the same. In certain instances, two ransom demands are made: one to return or erase the stolen information and a second to provide the keys to decrypt the files. The ransomware operators using the AKO and Ranzy ransomware variants follow this double ransom demand strategy.
The Coveware report shows that, in several cases, the attackers did not keep their word even when the victim paid the demanded ransom. There were a number of cases where the attacker leaked stolen information after the ransom was paid, and one gang is well known for re-extorting its victims.
The report identifies four ransomware operations that do not delete stolen data after getting the ransom payment.
- The gang behind the Sodinokibi ransomware re-extorts some of its victims.
- The Netwalker and Mespinoza operators have exposed stolen information after receiving the full ransom payment.
- The attackers using Conti ransomware have given victims proof of file deletion, but the proof was for the deletion of fake files.
- Attackers using Maze, Sekhmet, and Egregor have likewise occasionally leaked information, though it is uncertain whether the data leaks after receiving payment were deliberate.
Coveware points out that in certain ransomware operations the stolen information is held by several parties, so even if the threat actor deletes the stolen data, there is no assurance that all files are deleted. There were also instances where stolen information was published by mistake on leak sites well before the victim had the chance to pay.
Coveware warns that paying the ransom does not ensure that the stolen information won’t be disclosed to other threat gangs or used in other extortion attempts. Coveware says that the theft of data must be treated as a data breach, and that everyone affected by the breach should be informed so that they can monitor their accounts and take steps to safeguard their identities, whether or not the ransom is paid.