Backing up is no panacea when blackmailers publish stolen data

Ransomware makers seem to be following a new trend, publishing data from companies that refuse to pay them.

Backing up data has so far been one of the most effective, if labor-intensive, safeguards against encrypting ransomware. Now the malefactors seem to have caught up with those who rely on backups: the creators of several ransomware programs, confronted with victims who refused to pay the ransom, have published the victims' data online.

Data publication makes threats into reality

Threats to make confidential information public are nothing new. For example, in 2016, the group behind the cryptoware that infected the San Francisco Municipal Railway's systems tried that trick. They never followed through on their threat, though.

Maze was the first

Unlike its predecessors, the group behind Maze ransomware delivered on its promises in late 2019 — more than once. In November, when Allied Universal refused to pay up, the criminals leaked 700MB of internal data online including contracts, termination agreements, digital certificates, and more. The blackmailers said they had published just 10% of what they had stolen and threatened to make the rest available publicly if the target did not cooperate.

In December, Maze actors created a website and used it to post the names of victimized companies, infection dates, amount of data stolen, and IP addresses and names of infected servers. They uploaded some documents as well. At the end of that month, 2GB of files, apparently stolen from the city of Pensacola, Florida, appeared online. The blackmailers said they published the information to prove they weren’t bluffing.

In January, the creators of Maze uploaded 9.5GB of Medical Diagnostic Laboratories data and 14.1GB of documents from cable maker Southwire, which had earlier sued the blackmailers for leaking confidential information. The lawsuit got the Maze website taken down, but that is unlikely to last.

Next came Sodinokibi, Nemty, BitPyLock

Other cybercriminals followed. The group behind the ransomware Sodinokibi, which was used to attack international financial company Travelex on New Year’s Eve, stated its intention in early January to publish data belonging to the company’s customers. The cybercriminals say they have more than 5GB of information including birth dates, social security numbers, and bank card details.

For Travelex’s part, the company says it’s seen no evidence of a leak, and that it refuses to pay. Meanwhile, the offenders say the company has agreed to enter negotiations.

On January 11th, the same group uploaded links to about 337MB of data to a hacker message board, saying the data belonged to recruiting company Artech Information Systems, which refused to pay the ransom. The offenders said the uploaded data represented only a fraction of what they had stolen. They said they intended to sell, not publish, the rest unless the victims complied.

The authors of Nemty malware were next to announce plans to publish nonpayers’ confidential data. They said they intended to create a blog for posting piece by piece the internal documents of victims who won’t fulfill their demands.

The operators of BitPyLock ransomware joined the trend by adding to their ransom note a promise to make their victims' confidential data available publicly. Although they have yet to follow through, BitPyLock may well be stealing data as well.

No mere ransomware

Advanced features added to ransomware programs are nothing new. For example, back in 2016, a version of the Shade Trojan installed remote administration tools instead of encrypting files if it found that it had hit an accounting machine. CryptXXX both encrypted files and stole Bitcoin and victims' logins. The group behind RAA equipped some specimens of the malware with the Pony Trojan, which targeted logins as well. Ransomware's ability to steal data should surprise no one — especially now that companies are increasingly recognizing the need to back up their information.

Worryingly, backups offer no safeguard against these attacks: a restored copy of your data does nothing about the copy the attackers already hold. Once you are infected, losses are unavoidable, and they will not necessarily be limited to the ransom; blackmailers provide no guarantees, and paying does not prove the stolen data has been deleted. The only reliable protection is to keep the malware out of your systems in the first place.

How to protect yourself from ransomware

Whether this new ransomware trend will prove effective or be abandoned remains to be seen. These attacks are only starting to gain momentum, so you need to stay protected. The stakes go beyond reputational damage and the disclosure of trade secrets: if you let clients' personal data get stolen, you may also face serious fines under data protection law. So, here is some advice:

  • Improve information security awareness. The more knowledgeable staffers are, the lower the probability that phishing and other social engineering techniques will work on them. We have a learning platform, Kaspersky Automated Security Awareness Platform, designed for employees with varying workloads, interests, and levels of access to confidential information.
  • Update your operating systems and software promptly — especially anything found to contain vulnerabilities that allow unauthorized access to and control of the system.
  • Use a specialized protective solution aimed at combating ransomware. For example, you can download our Kaspersky Anti-Ransomware Tool free of charge.