Name and claim: data exposure website used as threat tactic by ransomware gang

Data ransomers have created a public website to expose data and named recent victim companies that chose to rebuild their operations instead of paying up

Some popular peddlers of ransomware are planning to publish data stolen from victims who refuse to pay up, says cyber-security researcher Brian Krebs. A ransomware gang has already created a public website naming recent victim companies that chose to rebuild their operations instead of paying up, he wrote.

Krebs adds: "The cyber-criminals behind the Maze ransomware strain erected a website on the public internet, and it currently lists the company names and corresponding websites for eight victims of their malware that have declined to pay a ransom."

The ransomware site explains: "Represented here companies don’t wish to cooperate with us, and trying to hide our successful attack on their resources," (sic) adding, "Wait for their databases and private papers here. Follow the news!"

The information disclosed includes the attack date, samples of stolen documents, total volume of the stolen data in Gigabytes and the IP addresses and machine names of the servers infected.

Krebs verified that one of the companies listed on the site had indeed suffered a Maze ransomware infestation recently. Recent targets of Maze ransomware include US wire and cable manufacturer Southwire and the City of Pensacola in Florida, USA, reported BleepingComputer.

The Maze disclosure comes close on the heels of the "Sodinokibi/rEvil" ransomware group posting on a popular dark Web forum their plan to use stolen data as ransom leverage, wrote Krebs.

"This type of naming and shaming represents a sea change in the ransomware field," said Ed Williams, EMEA director at SpiderLabs at Trustwave. "Organisations and enterprises need to consider where they are in terms of cyber-maturity and act quickly to ensure these types of attacks and their after effects are reduced."

This kind of open extortion is a new trend, says Allan Liska, senior threat intelligence analyst at Recorded Future.

"Cyber-criminals behind the Maze ransomware have been at the forefront of outing victims and using any extortion tactic they can find to cajole victims into paying. Most other ransomware actors aren’t organised enough to conduct this type of activity, but those who are, will follow suit," he told SC Media UK.

"Ransomware has been on the decline in recent times since victims have not been paying the ransoms and companies have been able to retrieve locked up files from their backups," said the latest Microsoft Security Intelligence report.

"Still, it continues to be a threat in some regions, primarily due to a lack of security hygiene, with occasional spikes in encounter rates."

"A collapse in the value of cryptocurrencies has made ransomware less profitable, prompting people to find other ways of making revenue from compromises," Luke Jennings, chief research officer at Countercept, told SC Media UK in June.

Ed Williams, EMEA director, SpiderLabs at Trustwave, disputes the observation.

"Cryptocurrencies have been the choice of the bad guys for a while and I don’t see that changing anytime soon. With the increase of ransomware as a service and the ability to scale ransomware attacks, this combination for attackers is still profitable due to the automatic nature of the infection, the way it can spread and the payment mechanism," he told SC Media UK.

"I don’t believe they are trying any harder because of the motivation of less potential pay-out," agreed Cybereason CSO Sam Curry.

"The criminals can always just ask for more bitcoin to adjust for rate exchanges or volatility, and their mechanisms are improving just fine without increased incentive. Their attitude and mercy in some cases might be on the decline, but their motivation is likely just fine with or without devaluation of cryptocurrencies," he told SC Media UK.

Ransomware is still the most profitable form of criminal activity, noted Liska.

"However Recorded Future has noticed a downward trend in victims paying the ransom. This trend, combined with the drop in value of cryptocurrency will force attackers to look for other ways to extort their victims," he added.

The situation where the data is exfiltrated rather than locked up shows that there is still no guarantee organisations will get their data back or that it won’t be used against their business or partners, warned Curry.

"The only other thing I can think of is that some folks might take pride in being outed like this and want to appear tough. But this will likely push those in the grey area to one side or the other," he added.

Such a move could backfire for the perpetrators of these ransomware attacks, commented Claroty CSO Dave Weinstein.  

"If a company is tagged as refusing to pay, they are a less attractive target than, for example, another company that is more likely to pay or has a previous track record of doing so. It's worth noting that businesses that don't pay either recovered their data from a backup source or employed a decryption key," he told SC Media UK.

However, the threat still remains for companies listed by cyber-criminals, noted Ed Williams, EMEA director, SpiderLabs at Trustwave.

"This list gives other attackers a very real ‘playbook’ of how this organisation was penetrated and data extracted. If I were them, I would very quickly ensure that all their patches are up-to-date and devices that have Internet connectivity are appropriately locked-down," he told SC Media UK.

"If the attackers simply list companies that refuse to pay-up, this could well amount to a roll of honour of victims who refused to give in to the demands of attackers," noted David Emm, principal security researcher at Kaspersky.

"On the other hand, if the attackers threaten to dox information, this could seriously damage a company’s reputation, especially if it emerges that the attack could have been prevented had the victim taken appropriate steps to secure the data."
