Ransomware operators are adding data exfiltration to their encryption-based extortion models. Is this the future of ransomware?
The operators of three more ransomware strains have created websites to disclose the stolen data of victims who fail to pay ransom demands, which further illustrates why all ransomware attacks should be considered data breaches.
Ever since the creators of Maze ransomware launched their “news” site to publish the stolen data of victims who choose not to pay up, other ransomware actors such as Sodinokibi/REvil and Nemty have been quick to follow.
Here are some others that have also taken to using public disclosure:
Nefilim Ransomware
The hackers behind Nefilim ransomware have launched a site called “Corporate Leaks” that is being used to dump the data of victims who do not pay the requested ransom.
Nefilim ransomware is a fairly new strain and is believed to be the latest version of the Nemty ransomware.
CLOP Ransomware
The operators of CLOP ransomware have recently launched a leak site that they also use to publish data stolen from non-paying victims.
CLOP ransomware made news recently after it attacked Maastricht University and was paid 30 bitcoins by the university to recover its data.
Sekhmet Ransomware
A relatively new ransomware called Sekhmet has also released a leak website called “Leaks leaks and leaks”.
Not much is known about this ransomware other than that its ransom note is named “RECOVER-FILES.txt”.
Attack Against Zaha Hadid Architects
In another recent case, Zaha Hadid Architects said it will not pay a ransom following a cyber attack in April of 2020 in which a hacker threatened to leak its data.
Zaha Hadid Architects, the firm behind the design of hundreds of high-end buildings all over the world, first reported the incident to the authorities on April 21 of 2020.
The hackers, who call themselves “Light”, stole data from the company’s network and encrypted everything with their ransomware. They are now threatening to release the files onto the dark web if the company refuses to pay a ransom settlement. ZHA has said its data was backed up.
The hackers provided the website ZDNet with proof that they have ZHA’s files in their possession and said that the architecture firm refused to negotiate. ZHA reportedly contacted the police as soon as its staff knew of the data breach, but did not comment on additional questions about the hack.
Information technology services giant Cognizant also suffered a cyber attack in April of 2020, allegedly by the operators of the Maze ransomware.
Cognizant is one of the largest IT managed services companies in the world with close to 300,000 employees and over $15 billion in revenue.
Cognizant remotely manages its clients through end-point clients, or agents, that are installed on customers’ workstations to push out patches and software updates and to perform remote services.
Another recently victimized company sells “smart” parking meters and technology used by parking-enforcement agencies in cities around the world. CivicSmart, a Milwaukee firm that sells parking meters capable of processing mobile payments, the hardware and software used in enforcing parking rules, and mobile apps used by motorists and government employees alike, was hit last month with a form of ransomware known alternatively as Sodinokibi or REvil.
Messages posted to a website on which the hackers name their victims and leak stolen files in an attempt to elicit ransom payments suggest that CivicSmart paid a ransom to have its files decrypted.
Another attack carried out by a hacking group known as Ragnarok victimized EDP, which is the biggest energy company in Portugal and one of the largest wind power operators in the world. The attack utilized a custom Ragnar Locker ransomware that has been hitting managed service providers since late 2019.
The Ragnarok ransomware operators have publicly threatened to dump sensitive information from the 10TB of data they stole if the energy company does not pay their ransom demand of $10.9 million.
Tech Giants Respond
Microsoft says there was a “slight uptick” in the volume of ransomware attacks during the first two weeks of April, usually from ransomware groups that had already gained access to the victims’ networks several months earlier.
“Attackers have compromised target networks for several months beginning earlier this year and have been waiting to monetize their attacks by deploying ransomware when they would see the most financial gain,” Microsoft’s Threat Protection Intelligence Team said.
The attacks demonstrate that these groups really don’t care that they’re impacting critical services during a global crisis, according to Microsoft.