In the last week, the gangs behind two of 2020’s most prominent ransomware – Sodinokibi and DoppelPaymer – have revealed domains on which they plan to leak data stolen from victims who don’t pay up. This is part of a worrying trend amongst ransomware operators, many of whom now exfiltrate significant amounts of data from victims rather than simply encrypting their systems and relying on this to pressure them into paying. Now, in the aftermath of a ransomware attack, company admins have to worry not only that their systems don’t work and that business is suffering with every passing minute, but also that the company’s data is in the hands of cybercriminals and likely to be published, with potentially devastating effects for client privacy, organisational reputation, and share price. Ransomware infections are now data leaks.
It all started with Maze, a ransomware-as-a-service (RaaS) sold on the darknet. RaaS offerings provide ‘affiliates’ with a copy of the malware, instructions on how to use it, and support from the developers should buyers run into operating difficulties. All buyers have to do in return is share the proceeds of all their ransom demands with the RaaS operators – this can be as much as a 60/40 split of the takings, with the RaaS providers getting 40% of a paid ransom for very little work. The cybercriminals behind these services are generally skilled developers who want the profits of ransomware without the hassle of orchestrating campaigns.
Evidently, however, it isn’t all plain sailing in the ransomware world. It’s no longer as simple as: infect device, extort victim, laugh all the way to the bank. Victim companies are increasingly choosing to employ technicians to restructure their systems or recover them from back-ups held offline, meaning that the ransom goes unpaid and the threat actors find themselves out of pocket. In a bid to combat this, in mid-December, the gang behind Maze introduced a publicly available website displaying the names of victim companies, the date they were infected, a selection of files stolen from the victim and the total amount of data in gigabytes, as well as the IP addresses and machine names of the servers infected with Maze.
Ransomware operators have always been suspected of rifling through their victims’ data and stealing files prior to encryption. They have also routinely threatened the release of this data if their ransom demands are not met. These threats, however, had not been acted upon, until late-November last year when the Maze gang exposed 700MB of Allied Universal data on a hacking forum. Reporting through Bleeping Computer, the malicious actors stated that Allied had abandoned the ransom payment process and that this was 10% of the total amount of data stolen from the company. The remaining 90% would be released if no payment was received. As one security researcher stated: “Ransomware attacks are now data breaches” [1, 2]. In many ways, they always have been, but because of the potentially huge fines and loss of business, companies have frequently attempted to sweep incidents like this under the carpet either by paying the ransom or restoring their systems without telling clients or the authorities. With the unveiling of a public site, listing victims’ names, this option is no longer there.
The new tactic was soon adopted by others. In the second week of January 2020, the operators of the Sodinokibi (REvil) ransomware – another pioneering malware whose developers had popularised RaaS – claimed that they, too, were going to start leaking data from victims that decided not to pay their ransoms. The group vowed to start “keeping promises” and demonstrated this shortly after by leaking 337MB of data from IT staffing company Artech. The operators and developers of the Ako, BitPyLock, Nemty, and Zeppelin ransomware all publicly stated that they had started exfiltrating data from victims prior to encrypting their systems. The tactic was now in the mainstream.
At the beginning of February, the DoppelPaymer ransomware operators made a public threat to sell or publish a victim’s data if it does not pay a ransom demand. They claim to have adopted the technique because Maze has “shown the world that success rates are increased after sharing some data.” This is an important admission, demonstrating that the cybercriminal business ecosystem functions in much the same way as the legitimate economy, with operators studying the tactics of others and implementing the most successful ones. The group claims that this is a tactic it has deployed in the past when a victim has not paid the ransom, stating that sensitive data has been collected from various victims over the past 12 months. The group also states that it has previously sold stolen data anonymously on the Darknet when a victim has refused to pay.
A few weeks after their public threat, the DoppelPaymer operators launched their leak site: “Dopple Leaks”. The site appears to be in test mode, with the threat actors using it to shame victims and publish a small selection of stolen files. Four companies are currently listed on Dopple Leaks: Mexican oil company Pemex, a US merchant account business, a French telecoms and cloud services organisation, and a South African logistics and supply company. The group has stated its intention to start exfiltrating more data from targets now that this website is up and running.
Around the same time as the launch of Dopple Leaks, the notorious Sodinokibi operators unveiled their own blog to publish stolen data. Sodinokibi (also known as REvil) affiliates are being asked to steal victim data and upload it to the site, with the exception of data that could be attractive to buyers, like Social Security Numbers (SSNs), which are too valuable to post publicly and will almost certainly be sold on the darknet. As with Dopple Leaks, the Sodinokibi site is still in its infancy, with just one file visible at the moment – 10.5MB of contracts and customer information from Dutch software company SoftwareONE, relating to a number of insurance companies.
In a darknet forum post heralding the new site, a representative for the Sodinokibi gang also suggested some other methods that may be used to pressure victims into paying up. Worryingly, the group appears to be considering emailing stock exchanges to inform them that a particular company has been attacked. The NASDAQ is mentioned by name. The potential effects of this tactic are obvious: not only might companies now face fines from governing bodies and the loss of customers’ trust and business, but they may also be hit with a tumble in the price of their shares on stock exchanges around the world. In combination, these may be terminal for a business.
For governments and many public sector organisations, however, winding up the company due to insolvency is not an option. And much of the data they hold is so sensitive that it cannot simply be changed, like a stolen password, to ensure the security of the individual involved. There have been a number of instances over the last few years in which charges have been dropped by police forces in the US after case files were lost in a ransomware attack. A report from Emsisoft – which was rushed to publication early because of the gravity of the issue – stated that “the threat level is now extreme and governments must act immediately to improve their preparedness and mitigate their risks.” The report continues, “at least 966 government agencies, educational establishments and healthcare providers [were hit by ransomware in 2019] at a potential cost in excess of $7.5 billion.” And that is just the US.
While many malware operators claim not to want to hit emergency services or those organisations involved in the saving of lives, the reality is that – surprising no one – not all cybercriminals are moral individuals who care enough about the needs of their fellow citizens to take them into account. Like the ransomware attacks on US police forces, a malware infection at a hospital is more than likely to have a direct impact on people’s lives. Data stolen in these attacks is incredibly valuable, being sold on the darknet for malicious actors to deploy in identity theft operations and other fraud. It is likely that, over the next year, more and more ransomware operators will adopt the tactic of stealing data before encryption and then leaking it when ransom negotiations are abandoned. These attacks are now data breaches: everyone is at risk.