Ransomware Families That Publish Stolen Data

The ransomware ecosystem underwent two game-changing tweaks last year. The first one is about the focus on attacking enterprise networks rather than individual users. Secondly, ransomware operators have started to steal victims’ files before encrypting them – this way, they get extra blackmail leverage in the ransom negotiations with compromised companies. As a result, this kind of attack has turned into a combo of extortion and a data breach, where malefactors coerce businesses to pay by threatening to leak their proprietary records.

In 2020, cybercriminals took their nefarious tactics further. Whereas they used to publish nonpaying organizations’ valuable files on hacker forums, some ransomware lineages now use dedicated websites for this purpose. Below is a round-up of these families whose wicked creators are thinking outside the box to rake in more profits.

Maze ransomware, the progenitor of the trend

This strain pioneered in amassing companies’ data prior to encryption. Here’s how this new chapter in the ransomware evolution began: in November 2019, Maze operators hit a major U.S. staffing company Allied Universal, extracted 7GB worth of important files as part of the attack, and threatened to make them publicly accessible in case of nonpayment. Later on, it turned out that these weren’t empty threats as the felons dumped 700MB of the stolen data on a Russian hacker forum.

This was just a wakeup call followed by attacks against a Canadian insurance company Andrew Agencies; the IT network of the city of Pensacola, Florida; a New Jersey healthcare institution MDLab; and Southwire, a Georgia-based manufacturer of cable and hand tools. All these incidents were accompanied by data exfiltration and leaks.

As if this foul play weren’t enough, the criminals behind the Maze ransomware have launched a “public shaming site” at mazenews[dot]top, which contains a rapidly expanding list of victimized organizations that refuse to cough up the ransom. The extra details include the breach date and the total amount of collected data. Some entries contain proofs of the attack in the form of ZIP archives with a portion of illegally withdrawn information.

Obviously, the perpetrators are fine-tuning their new strategy to make it more centralized and effective. Additionally, this move has paved the way for other cybercriminal groups to jump on the hype train.

DoppelPaymer ransomware becomes double trouble

The operators of another ransomware known as DoppelPaymer chose to follow suit. For the record, this strain gained notoriety for encrypting large enterprise networks consisting of hundreds or even thousands of machines. For instance, having executed an attack against Mexico’s oil giant Pemex last November, the malefactors demanded 565 bitcoin (about $5 million at that time) for data decryption. To top it off, they claimed to have stolen some sensitive files belonging to the company.

To take their extortion maneuvers to the next level, the crooks set up a website called “Dopple leaks” in late February 2020. Its purpose is to “name and shame” the affected organizations that have rejected the attackers’ demands. The site provides, among other things, a few example files per victim to demonstrate that the threats about data exposure are real.

Sodinokibi authors can’t resist the temptation either

Also known as REvil, the Sodinokibi ransomware is one of today’s top strains zeroing in on organizations and local governments. Its malicious portfolio includes high-profile victims such as Gedia Automotive Group, CyrusOne, Travelex, and 22 Texas municipalities. This lineage took the data leak route in addition to the “classic” encryption model in early January 2020, when the threat actors attacked IT staffing company Artech Information Systems. When the victim refused to pay up, Sodinokibi operators posted 300MB of stolen data on a hacker and malware forum.

This tactic got a boost in late February. The ransomware crew created a website for file dumps to pressure the compromised businesses into cooperating. One of the records that were since published on that page is related to Kenneth Cole Productions, a well-known American fashion house that allegedly underwent a Sodinokibi raid recently. The extortionists claim to have stolen roughly 70,000 financial and work documents belonging to the company. The test leak only includes the first batch of the data and the criminals threaten to post more if the victim keeps ignoring their demands.

Nemty ransomware also stealing and spilling

The criminals behind another ransomware called Nemty also adopted a data-stealing strategy alongside malicious encryption. On a side note, this lineage is doing the rounds on a Ransomware-as-a-Service (RaaS) basis, which means that it is being distributed by different groups of cybercrooks who share their earnings with the authors of the harmful code. In mid-January 2020, security researchers discovered that Nemty makers added an announcement to their affiliate page about launching a website for dumps.

The crooks carried through with their intentions in early March by setting up the leak site. The only record posted on it at the time of discovery was about a U.S. footwear manufacturer that fell victim to the ransom Trojan and rejected the payment demands. The embedded link leads to a database containing 3.5GB of stolen data.

A trio of lesser-known ransomware families start doing the same

A ransomware sample called Nefilim was first spotted in mid-March 2020 and it appears to follow the “encryption plus theft” principle from the get-go. Its makers launched a website called “Corporate Leaks” that already includes some data extracted from two affected companies. Both victims are from the energy sector. By the way, analysts have identified ties between Nefilim and the above-mentioned Nemty ransomware: the two share a great deal of their source code and probably have common roots.

Sekhmet ransomware is also one of the strains that recently hopped on the bandwagon. It is far from being a mainstream sample and its activity is scarcely researched and documented. What is known at this point is that it uses a site for dumps called “Leaks leaks and leaks,” which currently contains files supposedly withdrawn from just one organization.

The authors of the CLOP ransomware, another specimen that plays dirty by pilfering victims’ data, have also set up a resource for publishing the records of “stubborn” businesses that rebuff the ransom demands. The site is called “CLOP^_-LEAKS” and contains information illegally obtained from four infected companies.

The bottom line

Ransomware is quickly evolving and the recent changes are a serious heads-up for businesses around the world. In addition to stealing corporate secrets in the aftermath of the original attack, extortionists may also harvest and leak personal information of the employees and customers. This can entail huge reputational risks down the road.

It means that an up-to-date data backup is no longer enough to fully recover from such a compromise. Under the circumstances, companies should be much more proactive in terms of ransomware prevention. Given that most of these attacks exploit unsecured RDP connections and leverage phishing hoaxes to execute the malicious payloads in enterprise environments, it’s in every organization’s best interest to address these weaknesses without delay.

David Balaban is a computer security researcher with over 17 years of experience in malware analysis and antivirus software evaluation. David runs the Privacy-PC.com project which presents expert opinions on contemporary information security matters, including social engineering, penetration testing, threat intelligence, online privacy, and white hat hacking. David has a strong malware troubleshooting background, with the recent focus on ransomware countermeasures.