“Life in the SOC” is a Blog Series that shares experiences of the BlueVoyant SOC defending against the current and prevalent attacks encountered by our clients. The blogs discuss successful detection, response and mitigation actions that can improve your defensive capabilities.
For years, ransomware developers and affiliates have been telling victims they must pay the ransom, or their stolen data would be publicly released. However, this tactic existed when ransomware was mostly part of spam campaigns against a large number of disparate host systems asking for relatively small amounts of money from everyday users. The tactic did not hold the same kind of leverage it does today when large enterprise organizations are being selectively targeted and extorted for large ransom fees.
This past November was the first time security experts observed a ransomware developer use the release of exfiltrated data as leverage for payment. Allied Universal was hit with the Maze ransomware. The Maze group then stood up a website specifically geared towards the release of victim information, eventually releasing 700 MB of data and stolen files from the company.
As is typically the case in the dark underbelly of the cyber world, if something works, all the other threat actors start looking at adopting the tactic. The group behind the Sodinokibi/REvil ransomware went so far as to make a public announcement declaring this shift in tactics. In a new post to a Russian malware and hacker forum, shared with Bleeping Computer by security researcher Damian, the public-facing representative of the REvil ransomware known as UNKN states that a new "division" has been created for large operations.
It is too soon to say whether these new tactics will push companies to treat ransomware attacks like data breaches, but as more ransomware developers publish stolen documents, we can expect lawsuits and public concern to rise.