Ransomware Authors Go Beyond Malicious Encryption


The scourge of ransomware is mutating into a phenomenon with two-pronged extortion at its core. It used to rely solely on encryption making a victim’s data inaccessible, but a game-changing tweak in the “classic” attack chain took place in late 2019. A number of ransomware strains have since adopted a blackmail model that additionally involves info-stealing foul play. In addition to demanding bitcoins for decryption, the criminals now threaten to upload the victims’ files to publicly accessible resources in case of nonpayment. This article describes the ransomware families going this route of double trouble.

Maze Ransomware Takes Extortion to a New Level

The unnerving trend started with a predatory program called Maze. It had been largely on the sidelines of the ransomware ecosystem until November 2019. Maze operators showed their ambitions by attacking Allied Universal, a staffing and security services giant headquartered in the U.S. The company is a juicy target for crooks because it employs hundreds of thousands of people, and its annual revenue reaches billions of dollars.

Having gained a foothold in the breached organization’s network, the malicious actors were able to steal roughly 7GB of data prior to executing the encryption process. Then, they reached out to the victim’s management with an ultimatum demanding 300 bitcoins (about $2.6 million) for decrypting the data. For extra pressure, the attackers claimed they would leak some of the stolen files unless Allied Universal paid up within a specific deadline.

When the company rejected all of these demands, Maze ransomware authors carried through with their “Plan B” by uploading 700MB of the stealthily withdrawn data to a Russian hacking forum. Their follow-up threat was to release the remaining information into the wild if the victim refused to cough up the ransom, which was increased in light of the victim’s “disobedience.”

Maze Crew Keeps Playing Dirty

In another move, Maze ransomware distributors orchestrated a successful attack against Andrew Agencies, a Canadian insurance firm. This incident took place in October 2019 but was unearthed in December, when the perpetrators emailed prominent security analysts with what they presented as irrefutable proof of the attack. Specifically, they claimed to have encrypted files on more than 200 computers belonging to the victimized company. Before triggering the encryption, though, they stole 62 terabytes worth of data, 1GB of which was customer-related.

The extortionists asked for 150 bitcoins (approximately $1.3 million) for decrypting the records. Andrew Agencies reportedly agreed to pay but requested some extra time to collect the huge amount. Then, they suddenly changed their tactic and stopped responding to the crooks. In correspondence with news outlets, the firm has denied the loss of sensitive information. Although the deadline has passed, the data doesn’t appear to have been spilled at this point.

Things were less fortunate for the city of Pensacola, Florida, which fell victim to Maze in early December 2019. The attack caused the city’s administration to shut down their systems for a while, including email and phone services. The felons claimed to have pilfered about 32GB of data during the incursion.

When Pensacola officials said “No” to the offenders who demanded $1 million in cryptocurrency, the Maze group began releasing the exfiltrated information. 2GB worth of data ended up on a public website, and the perpetrators threatened to leak the rest if the city stuck with its refusal. There have been no updates on this incident since. One way or another, this is definitely a disconcerting phenomenon that may disrupt entire cities.

The computer network of Medical Diagnostic Laboratories (MDLab), a healthcare and research facility based in New Jersey, was infiltrated by the Maze ransomware on December 2, 2019. The cybercriminals infected 231 computers and amassed a total of 100GB of data. In this case, the ransom was 200 bitcoins (almost $1.8 million). The extortion tactic was the same as with the other victims: the files would be made public unless this demand was met.

Tired of waiting for MDLab’s decision, the malefactors demonstrated that they weren’t bluffing. They spilled a cache of more than 9GB worth of data, some of which concerned the institution’s proprietary immunology research.

Furthermore, Maze operators reportedly recommended that the facility contact Coveware, a well-known ransomware recovery firm, so that the latter could act as a mediator in the negotiations. Coveware declined to be such a go-between, stating that it wasn’t interested in getting “financial benefit from a criminal’s referral.” In the meantime, over 90GB of data remains at stake.

As if this list of high-profile victims weren’t enough, the black hats behind the Maze ransomware also hit Southwire, a manufacturer of wire, cable, and hand tools headquartered in Carrollton, Georgia. Nearly 900 computers on the company’s network were infected in mid-December 2019, and the crooks allegedly stole a whopping 120GB worth of data prior to unauthorized encryption. The demand was jaw-dropping: 850 bitcoins, or about $7.5 million.

When Southwire refused to pay, the threat actors started leaking the information. In late January 2020, they posted 14.1GB of data on a Dark Web forum. To top it off, they are allegedly planning to release a further 10 percent of the stolen data every week. According to the villains, it will stay that way until the ransom is paid or until they have no files left.

Sodinokibi Ransomware Steps In

The distributors of Sodinokibi (REvil), a strain that dominated the ransomware landscape last year and in early 2020, adopted the double-extortion model in December 2019. The malefactors stole information belonging to a data center provider called CyrusOne as part of their attack and posted an announcement of their new tactic on a Russian hacking forum.

While the company admitted to dealing with a file-encrypting ransomware incident, it didn’t confirm data theft. Sodinokibi operators, in their turn, insisted on the opposite and claimed that they would sell the stolen data to a competitor or leak it in the event of nonpayment. No further updates on this story have followed.

An instance of a real data dump occurred in January 2020, when the cybercriminals entrapped an IT staffing firm called Artech Information Systems. In the aftermath of failed negotiations with the victim, they made about 300MB of the company’s data publicly accessible. The bad news is that it was only the first portion and there are allegedly more files at the felons’ disposal.

Gedia Automotive Group, a German company that has premises in nine countries and employs more than 4,000 people, fell victim to Sodinokibi in late January 2020. The attack allowed the crooks to get hold of 50GB worth of the organization’s data, which included blueprints as well as sensitive records of the staff and customers. After Gedia refused to get in touch, the ransomware makers decided to put the information up for sale on two underground forums. They also claimed that if no one buys it, they will publish it for free.

Nemty Ransomware Is All Set to Do the Same

A ransomware program called Nemty is another species whose distributors are trying their hand at data theft alongside encryption. Originally discovered in August 2019, it is backed by a Ransomware-as-a-Service (RaaS) platform allowing wannabe extortionists to join up. The infection homes in on computer networks rather than standalone machines.

In mid-January 2020, malware analysts found that the news feed on the Nemty affiliate page was updated with an announcement about setting up a separate website for data dumps. The criminals are purportedly going to leak information amassed from businesses that reject ransom demands. It appears that the felons have equipped their ransomware with an info-stealing feature they will try to monetize.

BitPyLock Makers Can’t Resist the Temptation Either

This is one more strain claiming to steal data before encryption. It started out as an infection targeting individual computers but switched to network onslaughts in January 2020. Unlike its counterparts, BitPyLock demands a relatively low ransom for decrypting all devices on a network – it doesn’t exceed five bitcoins (a little over $43,000) in most cases.

The newer edition of the ransom note dropped by this threat includes a warning about a data leaking tactic that will supposedly apply to nonpaying organizations. An extra phrase saying “This is not a joke!” certainly adds more pressure to the whole attack. At the time of this writing, it’s unknown whether the malefactors’ claims are real or empty threats. They haven’t posted any information illegally obtained from their victims yet. Hopefully, this won’t change anytime soon.

DoppelPaymer Takes a Leaf out of Maze’s Book

The latest ransomware to take a sharp turn in its activities is called DoppelPaymer. In early February 2020, its operators added a corresponding warning to their payment site hosted on the Tor anonymity network. According to the ultimatum, all data harvested during the attack will be made publicly available or sold to an interested party unless the criminals get their bitcoins for the decryptor.

The authors of DoppelPaymer have exchanged some emails on this subject with security researchers at the Bleeping Computer portal. They claimed to have been collecting their victims’ data for a year or so. Moreover, some of this information has been purportedly sold on underground forums before to cover some expenses.

Later on, the felons took it up a notch by launching a Tor site named “Dopple leaks.” They describe it as a test run for a future campaign of posting some of the pilfered files. At this point, the page includes a few records on four compromised organizations, including Mexico’s major petroleum company Pemex. The ransomware operators are known to have instructed the latter to pay 568 bitcoins (almost $4.9 million).

The Bottom Line

While data encryption remains at the core of ransomware attacks, more and more hacker groups now collect victims’ data to run their extortion campaigns from a position of greater strength.

The targets not only lose important files but may also face reputational damage and lawsuits for failing to protect the personal information of their clients.

Ransomware attacks are turning into an explosive fusion of encryption and data breaches. The incidents above show how devastating the consequences can get both for businesses and municipalities. Given the escalating menace, ransomware prevention is more important than ever before. 

Some of these raids leverage software flaws and weak protection of remote desktop services. Even relatively secure systems running macOS or Linux can be infected. The human factor remains a common source of such attacks, so organizations should focus on security awareness training of their staff in addition to patching software and network loopholes.
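Because every incident above involved bulk data theft before the encryption stage, the exfiltration itself is a window for detection. The following is an added example, not code from the original article or from any of the vendors it mentions: a simple heuristic that flags a host whose daily outbound volume far exceeds its own baseline, run over constructed flow records (hostnames, addresses and byte counts are all invented for the demo).

```python
"""Heuristic for spotting pre-encryption data staging/exfiltration.

Hypothetical example: flags internal hosts whose outbound transfer volume
on one day is far above that host's own baseline. The flow records below
are constructed for this demo, not real telemetry.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample of outbound flow records: (timestamp, host, dst, bytes_out)
FLOWS = [
    ("2019-11-10 09:00", "ws-fin-07", "203.0.113.10", 12_000_000),
    ("2019-11-11 09:00", "ws-fin-07", "203.0.113.10", 15_000_000),
    ("2019-11-12 09:00", "ws-fin-07", "203.0.113.10", 11_000_000),
    ("2019-11-13 02:00", "ws-fin-07", "198.51.100.77", 7_000_000_000),  # ~7GB, off-hours
    ("2019-11-10 10:00", "ws-hr-02", "203.0.113.10", 50_000_000),
    ("2019-11-11 10:00", "ws-hr-02", "203.0.113.10", 48_000_000),
    ("2019-11-12 10:00", "ws-hr-02", "203.0.113.10", 52_000_000),
    ("2019-11-13 10:00", "ws-hr-02", "203.0.113.10", 55_000_000),
]


def daily_totals(flows):
    """Sum outbound bytes per (host, date)."""
    totals = defaultdict(int)
    for ts, host, _dst, nbytes in flows:
        day = datetime.strptime(ts, "%Y-%m-%d %H:%M").date()
        totals[(host, day)] += nbytes
    return totals


def flag_exfil_candidates(flows, ratio=10.0):
    """Return (host, day, peak_bytes, baseline_bytes) for hosts whose busiest
    day is at least `ratio` times the median of their other days."""
    per_host = defaultdict(dict)
    for (host, day), nbytes in daily_totals(flows).items():
        per_host[host][day] = nbytes
    alerts = []
    for host, days in per_host.items():
        if len(days) < 3:
            continue  # not enough history to form a baseline
        peak_day, peak = max(days.items(), key=lambda kv: kv[1])
        rest = sorted(v for d, v in days.items() if d != peak_day)
        baseline = rest[len(rest) // 2]  # median of the remaining days
        if baseline > 0 and peak >= ratio * baseline:
            alerts.append((host, str(peak_day), peak, baseline))
    return alerts


if __name__ == "__main__":
    for host, day, peak, base in flag_exfil_candidates(FLOWS):
        print(f"{host}: {peak:,} bytes out on {day} vs. baseline {base:,}")
```

A per-host volume spike is only a starting signal; in practice it should be correlated with destination reputation, off-hours timing and the first signs of mass file modification to cut false positives from legitimate backups and migrations.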

One way or another, the ransomware plague is evolving into a new stage. Ransomware attacks are now considered data breaches and companies should be prepared to take up the challenge.

David Balaban

David Balaban is a computer security researcher with over 10 years of experience in malware analysis and antivirus software evaluation. David runs the www.Privacy-PC.com project, which presents expert opinions on contemporary information security matters, including social engineering, penetration testing, threat intelligence, online privacy and white hat hacking. As part of his work at Privacy-PC, Mr. Balaban has interviewed such security celebrities as Dave Kennedy, Jay Jacobs and Robert David Steele to get firsthand perspectives on hot InfoSec issues. David has a strong malware troubleshooting background, with a recent focus on ransomware countermeasures.