February 17, 2021 By David Bisson

Several digital gangs have gone back on their pledge to honor the ransomware payments made by victims.

The Digital Criminals Who Went Against Their Word

In its Quarterly Ransomware Report for Q3 2020, Coveware notes that nearly half of the ransomware attacks it tracked during that quarter included a threat to leak unencrypted data. Yet multiple gangs did not always delete victims’ stolen data even when they received ransomware payments for that express purpose.

For example, the Sodinokibi/REvil gang extorted victims again for the same data just a few weeks after having received a ransom payment. This group made headlines back in early July last year when KrebsOnSecurity learned the attackers were auctioning off the data stolen from an agricultural company.

A few months later, Naked Security wrote about how REvil’s handlers had used $1 million in an attempt to attract more affiliates. In November, the gang behind REvil acquired KPOT, a family of info-stealing malware. Where the Sodinokibi/REvil gang chased more ransomware payments, the Maze group might have eschewed ransoms (willfully or by accident): it published stolen data on its leaks site before users even knew that attackers had stolen it.

In late October, Bleeping Computer covered the retirement of all of Maze ransomware’s attack operations and the migration of many of Maze’s affiliates to Egregor, a seemingly related crypto-malware strain.

Other attackers stood out for their decision to post stolen data after having received payment from their victims. Meanwhile, the Conti gang made noise by showing fake files to their victims as proof of deletion. This tactic enabled the attackers to return for more rounds of extortion in the future, if they so chose.

How to Deal With Ransomware Payments

The findings above raise an important question. Should you pay a ransomware attacker?

The answer is no. There is no guarantee a victim will receive a working decryption tool for their data even if they pay. Also, as Coveware’s report shows, there is no way to verify that attackers will really delete their victims’ data.

In paying a ransomware attacker, victims could also end up incurring fines from the U.S. government.

In October 2020, the U.S. Department of the Treasury clarified that it had placed several malicious actors responsible for helping to create or distribute ransomware under its cyber sanctions program. Payments to those actors could help attackers fund more campaigns, which in turn could harm the United States’ national security and foreign policy.

As a result, the Treasury Department announced that it could impose civil liabilities on individuals who send ransomware payments to those actors — even if they didn’t know that what they were doing went against sanctions.

Users and organizations can respond to this development by focusing on their ability to prevent a ransomware infection. They can do this in a few ways. First, make sure you have working data backups. Second, be sure employees are familiar with phishing attacks and other digital threats; ongoing awareness training can cultivate that familiarity throughout the workforce.

In addition, use threat intelligence to stay informed about evolving ransomware and ransomware payment trends and techniques so that you can better defend your organization.
