Ransomware: Even if you pay the ransom, the data is not always erased

Ransomware Attacks

Security: According to a cybersecurity report, more and more ransomware groups keep stolen data after an attack, even if the victim has paid a ransom for its deletion.

Ransomware groups that have stolen data and received a ransom to delete it don’t always deliver on their promises.

According to a report released by Cover this week, corroborated by several incidents that security researchers have shared with Cyberwing in recent months, this situation is becoming increasingly common.

Data theft and online publication

This situation mainly concerns certain categories of ransomware attacks, namely those known as “big-game hunting” and “human-operated” attacks. Both terms refer to incidents where attackers specifically target the networks of businesses or government organizations that cannot afford long downtime and are therefore more likely to pay large ransoms.

But since the fall of 2019, more and more ransomware groups have been stealing large amounts of files from hacked organizations before encrypting their data. The idea is to threaten to post the victim’s sensitive information online, so that the victim cannot simply restore its network from backups instead of paying for a decryption key.

Some ransomware groups have even created specialized portals, called “leak sites”, where they post data from companies that refuse to pay the ransom demanded. If the victim agrees to pay for the decryption key, however, the attackers usually promise to delete the stolen data.

Tipping point

In a report released this week, Cover, which provides incident response services to hacked businesses, explains that half of the ransomware incidents it investigated in Q3 2020 involved theft of corporate data prior to file encryption. This proportion has doubled from the previous quarter.

But the company says these types of attacks have reached a “tipping point” and more and more reports indicate that hackers are breaking their promises.

Cover cites the example of a group using the R-Evil (Sodinokibi) ransomware, which was seen approaching its victims again weeks after they had paid a ransom, in order to demand a second payment backed by new threats concerning the same data the organization had already paid to have deleted.

Accidental but revealing data leaks in Ransomware

Cover also says it has seen the Netwalker (Mailto) and Mespinoza (Pysa) gangs post stolen data on their “leak sites” even though the victimized companies had paid the ransom. The company tells Cyberwing that these incidents are most likely due to technical errors in the ransomware gangs’ platforms, but they still mean that the gangs did not delete the data as agreed.

Cover has also observed falsified evidence of the deletion of data stolen by the Conti ransomware group. Usually, the victim organization’s legal team does request proof that the data has been erased. But the analysis showing the use of fake evidence underscores that the attackers never intended to erase the data, and probably even intended to reuse it later.

To top it off, Cover says it saw the Maze group accidentally post stolen data on its “leak sites” even before notifying the victims of the theft of the files. Similar incidents also occurred with Sekhmet and Egregor, both of which are believed to have originated from Operation Maze.

Double extortion Ransomware

Cyberwing has also learned of other incidents from other companies providing ransomware attack response services.

Most of these incidents involve the Maze group, pioneer of “leak sites” and of the double-extortion model. Specifically, they involve “affiliates”, a term for cybercriminals who purchased access to the RaaS (Ransomware as a Service) platform and used Maze’s ransomware to encrypt files.

While some affiliates play by the rules, others don’t. In some cases, a former affiliate who had been kicked out of the Maze RaaS platform returned to former victims in an attempt to extort a new ransom from them with the same stolen data, data he had promised to delete.

Maze in the crosshairs, things got complicated

There have also been instances where Maze affiliates accidentally posted stolen data on their leak sites even after the victim had paid a ransom. The data was eventually removed, but the information had still been read (and possibly downloaded) by hundreds or thousands of people.

Things got worse throughout the year for Maze’s affiliates as antivirus companies began to detect the group’s payloads, block encryption, and stop attacks. In many of these cases, the affiliates had to rely only on the data they had managed to steal before the encryption was blocked, and so they often had to settle for smaller ransoms.

Seeking new sources of profit, in at least two cases groups close to Maze attempted to sell employee personal data to security researchers, masquerading as clandestine data brokers.

Never take the attackers’ word

These examples confirm what many security researchers already suspected: that hackers cannot be trusted or taken at their word.

“Unlike negotiating for a decryption key, negotiating for the deletion of stolen data is never-ending,” Cover wrote in its report. “Once a victim receives a decryption key, it cannot be taken away and it does not degrade over time. Regarding stolen data, the attacker can come back for a second payment at any time in the future.”

The security company therefore recommends that companies always assume the data has not been deleted and plan accordingly. This usually involves notifying all affected users and employees. This advice deserves emphasis, as many organizations have used the payment of a ransom, and the attackers’ promise to delete the data, as a pretext for not notifying potentially affected users and employees.

Most of the data stolen in ransomware attacks is sensitive personal and financial information. This is why users or employees whose data has potentially been exposed must be warned, so that they can prepare for the possibility that their records are resold and subsequently used for fraud.
