Hackers came up with a new trick. They learned to improve their blackmailing with ransomware

Ransomware, in its modern form, has been with us ever since 2013. That’s a decent chunk. I was expecting that ransomware had fully evolved and it would not surprise us. I was so wrong! What has changed in the last months/year?

  • The number of successful attacks has increased in recent months. See the hacking of the Benešov Hospital or OKD, which was reported by the media. We can see the same trend in a growing number of businesses that ask us for help (investigate how hackers got into the business and what was hit, find out whether they are still in the network, help restore traffic and increase security).
  • Attacks are much more sophisticated and destructive. Attacks are no longer “mere” ransomware, but hackers hacking into the network, who can then quickly move around and shut down protection mechanisms, including backups. As companies pay their ransom money, they are becoming more and more professional, it is already reaching the extent of regular business. I have already published an article on what hackers can do in a hacked network.
  • They attack through the supply chain. As hackers improve, they start working with the information they didn´t work before. If they manage to hack a company that has access to other companies (such as an IT outsourcing company), they will attack their customers as well. This is the next logical step for them. Why hack each business separately if you can hack a provider with the same effort to get to tens/hundreds of businesses for free. These attacks are already happening worldwide and their impact is for the hacked providers mostly fatal. I want to address this topic in the next article.
  • Attackers began to blackmail victim companies by disclosing information about the attack and stolen data. That’s a clever move from the attackers, to squeeze more money out of ransomware. In today´s article, we will focus on this very change.

Pay up and we won’t tell anyone

So far, the hackers have blackmailed just like this: „Do you want your data? Pay up!“ Newly, however, the threat has been extended to „Do you want your data? Pay up! If you don´t, we will disclose the stolen data.“ Victims run the risk that the whole world will learn about them being hacked and put their internal (mostly sensitive/classified) data online, free to download.

It may not seem so different, but it changes the situation fundamentally. Up until now, a ransomware attack was not considered “data leak”. Companies recovered the encrypted data from backups (if possible), or paid to get their data decrypted, and no one heard of the attack or got reported.

But now that the attackers threaten to publish the stolen data (or do so – see below), the situation will not be resolved with a good backup. Once a business is hacked, it is up to the attackers to keep the data for themselves or publish it.

In the case of publication of stolen data, the victims’ risk:

  • Partner and customer reputation loss.
  • Fines from authorities for personal data leak (they most likely didn´t protect their data sufficiently).
  • Contractual penalties from partners for breach of confidentiality/non-protection of entrusted data.
  • Other non-financial damage such as leakage of know-how, disclosure of future strategy, customer database, disclosure of confidential internal communication.

It is a clever move as it doesn´t require any extra effort from their side (they have the stolen network data anyway). While this is a valid argument for many companies to pay the ransom (of course, the goal is to have a well-secured network so we don´t have to deal with this).

Maze ransomware

This upgrade was developed by the group behind the Maze ransomware. They have most likely been annoyed by the sheer amount of companies that did not cooperate (didn´t pay the ransom) and got their data recovered from backups. So they started addressing some of the attacked companies and asking ransom for not publishing their data and information.

Many companies didn´t believe in them, so they started publishing. They have contacted the author of bleepingcomputer.com and began to publicize the case, see „Allied Universal Breached by Maze Ransomware, Stolen Data Leaked“, which is definitely worth the read.

In general, the group behind the Maze ransomware is quite interesting. There were articles in May 2019 detailing how the variable ransom values have been implemented into the ransomware itself („Maze Ransomware Says Computer Type Determines Ransom Amount“) – up until then, the ransom was the same for all victims. The ransom amount depended on whether the infected device was a home computer, company computer, server, backup server, or domain controller.

At the same time, they do not mess around, as they have requested a ransom of $ 2.3M for not disclosing “Allied Universal” data. They wanted $ 1.1M for deciphering Andrew Agencies, $ 1M for Pensacola city and $ 6.1M for “Southwire Co.”. The hacking group can function with that kind of money.

Would they keep their word?

Is there some kind of victim’s assurance that hackers will not disclose the data, even if one pays? Good question! There is no warranty. However, the Maze group hackers react as follows:

„It is just logic. If we disclose it who will believe us? It is not in our interest, it will be silly to disclose as we gain nothing from it. We also delete data because it is not interesting. We are neither an espionage group nor any other type of APT, the data is not interesting for us.” (source: Bleepingcomputer.com)

In the ideal case, one should have everything well secured and not become a victim. If you become a victim, it is good to operate with the scenario that the stolen data will be published. Because they will publish the data!

How is the data published?

The Maze ransomware group has launched its naming and shaming website. The list of companies/institutions the group she has compromised (probably only those who have not paid😊). The site is very active and one or more attacked companies are being added every single day.

mazewebsite
Picture 1: Screenshot from Maze’s shaming website (taken on 27.12.).

Attackers publish the following:

  • name and web address,
  • date of compromisation,
  • names of the infected devices (including disk sizes and the amount of encrypted data),
  • few internal files to show that they have broken into the network,
  • the amount of stolen data that they publish if they do not receive their payment.

The published information reveals that the attackers are not yet able to encrypt was too much data from the infected networks. It is mostly singles to tens of GB, which is just a percentage of the total amount of network encrypted data (which is mostly singles to tens of TB).

Perhaps this is since companies often have “slow” internet (upload), so attackers cannot transfer enough data before the attack is detected. The second option is that the attackers have not focused so much on “stealing” as much data as possible so far. It will probably be a combination of both, and in the future, I expect much more data to be stolen.

What we need to prepare with the ransomware for

All the while I described the strategy of the Maze ransomware group, other hacker groups seem to be joining the war (see Sodinokibi/rEvil post from a forum). So we have something to “look forward to“.

Bleepingcomputer post by REvil operator
Picture 2: Source: https://www.bleepingcomputer.com/news/security/another-ransomware-will-now-publish-victims-data-if-not-paid/

However, most companies cannot tell how much data was stolen from the network as they lack the appropriate technology (such as Mendel from GreyCortex, or FortiAnalyzer from FortiNet).

The only defense is to do things the proper way. It takes time and money, but for the companies that can not operate without IT, it’s the only way. It is not enough to “save” and pay a few tens of thousands of crowns every two years for a ransom. On one hand, it supports all of this, and on the other, the next ransom may be in the millions (or not even payable).

May your networks be secure and all goes well. If you are looking for defense tips, check out my previous article „What can hackers do with ransomware in your network“. In case your network gets into trouble and you need a helping hand, my email is in the blog footer or at the cooperation page (we have way too much work to do, but we will try our best not to let you down).

Do you agree with the article? Do you have a similar or different experience with the behavior of hackers? Do you have any other ideas on how to defend oneself? Looking forward to your comments below the article. 👇

Martin Haller

Do you like topics, I write about?

It is not necessary to periodically visit my blog to check if there is a new article. Subscribe below for notifications. You will be the first one who will know about new article.

Discussion

Leave a Reply

Your email address will not be published. Required fields are marked *

Hack The Box OSCP MCSE CHFI ECSA CCNP CCNA