Backing up is no cure when blackmailers publish stolen data, explains Kaspersky

Ransomware makers seem to be following a new trend, publishing data from companies that refuse to pay them. Backing up data has been one of the most effective, though labor-intensive, safeguards against encrypting ransomware so far. Now, malefactors seem to have caught up with those who rely on backups. The creators of several ransomware programs, confronted with victims refusing to pay the ransom, shared their data online.

Data publication makes threats into reality: Maze was the first

Unlike its predecessors, the group behind Maze ransomware delivered on its promises in late 2019 — more than once. In November, when Allied Universal refused to pay up, the criminals leaked 700MB of internal data online including contracts, termination agreements, digital certificates, and more. The blackmailers said they had published just 10% of what they had stolen and threatened to make the rest available publicly if the target did not cooperate.
In December, Maze actors created a website and used it to post the names of victimized companies, infection dates, amount of data stolen, and IP addresses and names of infected servers. They uploaded some documents as well. At the end of that month, 2GB of files, apparently stolen from the city of Pensacola, Florida, appeared online. The blackmailers said they published the information to prove they weren’t bluffing.

In January, the creators of Maze uploaded 9.5GB of Medical Diagnostic Laboratories data and 14.1GB of documents from cable maker Southwire, which had earlier sued the blackmailers for leaking confidential information. The lawsuit made the Maze website shut down, but that will not last.

Next came Sodinokibi, Nemty, BitPyLock

Other cybercriminals followed. The group behind the ransomware Sodinokibi, which was used to attack international financial company Travelex on New Year’s Eve, stated its intention in early January to publish data belonging to the company’s customers. The cybercriminals say they have more than 5GB of information including birth dates, social security numbers, and bank card details.
For Travelex’s part, the company says it’s seen no evidence of a leak, and that it refuses to pay. Meanwhile, the offenders say the company has agreed to enter negotiations.

On January 11th, the same group uploaded links to about 337MB of data to a hacker message board, saying the data belonged to recruiting company Artech Information Systems, which refused to pay the ransom. The offenders said the uploaded data represented only a fraction of what they had stolen. They said they intended to sell, not publish, the rest unless the victims complied.

The authors of Nemty malware were next to announce plans to publish nonpayers’ confidential data. They said they intended to create a blog for posting piece by piece the internal documents of victims who won’t fulfill their demands.
The operators of BitPyLock ransomware joined the trend by adding to their ransom note a promise that they would make their victim’s confidential data available publicly. Although they have yet to do so, BitPyLock may well prove to be stealing data as well.

No mere ransomware
Advanced features added to ransomware programs are nothing new. For example, back in 2016, a version of the Shade Trojan installed remote administration tools instead of encrypting files if it found that it had hit an accounting machine. CryptXXX both encrypted files and stole Bitcoin and victims’ logins. The group behind RAA equipped some specimens of the malware with the Pony Trojan, which targeted logins as well. Ransomware’s ability to steal data should surprise no one — especially now that companies are increasingly recognizing the need to back up their information.

“Ransomware attacks gaining more popularity amongst the cybercriminal groups is a trend to be observed more carefully by the cybersecurity industry and businesses that need to collect and store huge data. Backing up data is just an hygiene step that needs to be taken by every data storing facility mandatorily, however it is not enough. Constantly updating your operating systems, and being alert enough to patch any vulnerability in your network before being exposed to the bad guys is a must. Just as we experienced in the case of Wannacry Ransomware that hit India not long enough ago, we must remember that working with old operating systems is an open invitation to cybercriminals.” said Mr. Saurabh, Senior Security Researcher for Global Research and Analysis Team (GReAT) APAC, Kaspersky.

How to protect yourself from ransomware
Whether this new ransomware trend will prove effective or be abandoned remains to be seen. These attacks are only starting to gain momentum, so you need to stay protected. That means more than just avoiding reputational losses and disclosure of trade secrets — if you let a client’s personal data get stolen, you may face serious fines. So, here is some advice:

Improve information security awareness. The more knowledgeable staffers are, the lower the probability that phishing and other social engineering techniques will work on them. We have a learning platform, Kaspersky Automated Security Awareness Platform, designed for employees with varying workload levels, interests, and level of access to confidential information.
Update your operating systems and software promptly — especially anything found to contain vulnerabilities that allow unauthorized access to and control of the system.
Use a specialized protective solution aimed at combating ransomware