Martin Haller, A blog about corporate IT protection and management

Hackers came up with a new trick. They learned to improve their blackmailing with ransomware

Ransomware


Ransomware, in its modern form, has been with us since 2013. That is a decent chunk of time. I expected that ransomware had fully evolved and would not surprise us anymore. I was so wrong! What has changed in the last months/year?

Pay up and we won’t tell anyone

So far, the hackers have blackmailed like this: „Do you want your data? Pay up!“ Now, however, the threat has been extended to „Do you want your data? Pay up! If you don't, we will disclose the stolen data.“ Victims run the risk that the whole world will learn they have been hacked and that their internal (mostly sensitive/classified) data will be put online, free to download.

It may not seem so different, but it changes the situation fundamentally. Up until now, a ransomware attack was not considered a data leak. Companies recovered the encrypted data from backups (if possible), or paid to get their data decrypted, and no one heard of the attack; nothing got reported.

But now that the attackers threaten to publish the stolen data (or actually do so; see below), the situation cannot be resolved with a good backup. Once a business is hacked, it is up to the attackers whether they keep the data to themselves or publish it.

In the case of publication of stolen data, the victims risk:

It is a clever move, as it doesn't require any extra effort on their side (they have the stolen network data anyway), and it is a valid argument for many companies to pay the ransom (of course, the goal is to have a well-secured network so we don't have to deal with this at all).

Maze ransomware

This upgrade was developed by the group behind the Maze ransomware. They were most likely annoyed by the sheer number of companies that did not cooperate (did not pay the ransom) and recovered their data from backups. So they started contacting some of the attacked companies and demanding a ransom for not publishing their data and information.

Many companies did not believe them, so they started publishing. They contacted an author at bleepingcomputer.com and began publicizing the case; see „Allied Universal Breached by Maze Ransomware, Stolen Data Leaked“, which is definitely worth a read.

In general, the group behind the Maze ransomware is quite interesting. Articles from May 2019 describe how variable ransom amounts were implemented into the ransomware itself („Maze Ransomware Says Computer Type Determines Ransom Amount“); up until then, the ransom was the same for all victims. The ransom amount depended on whether the infected device was a home computer, company computer, server, backup server, or domain controller.

At the same time, they do not mess around: they requested a ransom of $2.3M for not disclosing Allied Universal's data. They wanted $1.1M for decrypting Andrew Agencies' data, $1M for the city of Pensacola and $6.1M for Southwire Co. A hacking group can function well with that kind of money.

Would they keep their word?

Is there any assurance for the victim that the hackers will not disclose the data if one pays? Good question! There is no warranty. However, the Maze group hackers responded as follows:

„It is just logic. If we disclose it who will believe us? It is not in our interest, it will be silly to disclose as we gain nothing from it. We also delete data because it is not interesting. We are neither an espionage group nor any other type of APT, the data is not interesting for us.“ (source: Bleepingcomputer.com)

Ideally, one should have everything well secured and not become a victim at all. If you do become a victim, it is wise to work with the scenario that the stolen data will be published. Because they will publish it!

How is the data published?

The Maze ransomware group has launched a naming-and-shaming website listing the companies/institutions the group has compromised (probably only those who have not paid 😊). The site is very active, and one or more attacked companies are added every single day.

Picture 1: Screenshot from Maze’s shaming website (taken on 27.12.).

Attackers publish the following:

The published information reveals that the attackers are not yet able to steal that much data from the infected networks. It is mostly single-digit to tens of GB, which is only a small percentage of the total amount of data encrypted on the network (mostly single-digit to tens of TB).

Perhaps this is because companies often have slow internet (upload) connections, so attackers cannot transfer much data before the attack is detected. The second option is that the attackers have not focused so much on stealing as much data as possible so far. It is probably a combination of both, and in the future I expect much more data to be stolen.

What we need to prepare for with ransomware

While I was describing the strategy of the Maze ransomware group, other hacker groups seem to be joining in (see the Sodinokibi/REvil post from a forum). So we have something to “look forward to”.

Picture 2: Source: https://www.bleepingcomputer.com/news/security/another-ransomware-will-now-publish-victims-data-if-not-paid/

However, most companies cannot tell how much data was stolen from their network, as they lack the appropriate technology (such as Mendel from GreyCortex or FortiAnalyzer from Fortinet).
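As an added example (not from the original post, and not code from any of the products named), here is the simplest form of the accounting such tools do: sum outbound bytes per internal host from flow records, flag days far above a per-host baseline, and apply the upload-bandwidth arithmetic from the "slow internet" remark above. The flow records, baselines and IP addresses are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed flow records for this example: (src_ip, dst_ip, bytes_sent, day).
# Made-up values, not data from any real incident.
FLOWS = [
    ("10.0.1.15", "203.0.113.10", 18_000_000_000, "2019-12-20"),  # 18 GB to the internet
    ("10.0.1.15", "10.0.1.2", 200_000_000_000, "2019-12-20"),     # internal copy, not egress
    ("10.0.1.15", "203.0.113.10", 1_500_000_000, "2019-12-21"),
    ("10.0.2.40", "198.51.100.7", 300_000_000, "2019-12-20"),
    ("10.0.2.40", "198.51.100.7", 250_000_000, "2019-12-21"),
]

# Assumed per-host "normal" daily egress in bytes (e.g. learned over previous weeks).
BASELINE = {"10.0.1.15": 400_000_000, "10.0.2.40": 300_000_000}

# Only the RFC 1918 ranges count as "inside the network" here (assumption of the example).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def daily_egress(flows):
    """Sum bytes per (host, day) that left the network for external addresses."""
    totals = defaultdict(int)
    for src, dst, nbytes, day in flows:
        if is_internal(src) and not is_internal(dst):
            totals[(src, day)] += nbytes
    return dict(totals)


def flag_egress(flows, baseline, factor=5):
    """Host/days whose egress exceeds factor x the host's baseline, as (host, day, GB)."""
    hits = []
    for (host, day), nbytes in sorted(daily_egress(flows).items()):
        if nbytes > factor * baseline.get(host, 0):
            hits.append((host, day, round(nbytes / 1e9, 2)))
    return hits


def transfer_hours(gigabytes: float, upload_mbps: float) -> float:
    """Hours needed to push `gigabytes` (1 GB = 8000 Mbit) out over an `upload_mbps` link."""
    return gigabytes * 8000 / upload_mbps / 3600


if __name__ == "__main__":
    for host, day, gb in flag_egress(FLOWS, BASELINE):
        print(f"{day}: {host} sent {gb} GB out (baseline {BASELINE[host] / 1e9} GB/day)")
    print(f"18 GB over a 10 Mbit/s upload takes about {transfer_hours(18, 10):.1f} h")
```

The same aggregation over real NetFlow/IPFIX or firewall logs gives a first, rough answer to "how much left, from where, and when", which is exactly what the victim needs before negotiating or notifying anyone.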

The only defense is to do things properly. It takes time and money, but for companies that cannot operate without IT, it is the only way. It is not enough to “save” money and pay a few tens of thousands of crowns in ransom every two years. On one hand, it funds all of this; on the other, the next ransom may be in the millions (or not payable at all).

May your networks be secure and all go well. If you are looking for defense tips, check out my previous article „What can hackers do with ransomware in your network“. If your network gets into trouble and you need a helping hand, my email is in the blog footer or on the cooperation page (we have far too much work to do, but we will try our best not to let you down).

Do you agree with the article? Do you have a similar or different experience with the behavior of hackers? Do you have other ideas on how to defend yourself? I look forward to your comments below the article. 👇

Martin Haller
