When Cyber Gangs Disregard Ransomware Payments, Victims Can Be Hit Twice

Several digital gangs have gone back on their pledge to honor the ransomware payments made by victims.

The Digital Criminals Who Went Against Their Word
In its Quarterly Ransomware Report for Q3 2020, Coveware notes that nearly half of the ransomware attacks it had tracked during that quarter had included the threat to leak unencrypted data. Yet, multiple gangs did not always delete victims’ stolen data even if they received ransomware payments for that express purpose.

For example, the Sodinokibi/REvil gang extorted victims again for the same data just a few weeks after having received a ransom payment. This group made headlines back in early July last year when KrebsonSecurity learned the attackers were auctioning off the data stolen from an agricultural company.

A few months later, Naked Security wrote about how REvil’s handlers had put up $1 million in an attempt to attract more affiliates. In November, the gang behind REvil acquired KPOT, a family of info-stealing malware. The Sodinokibi/REvil gang’s conduct reflected its appetite for more ransomware payments. By contrast, the Maze group may have forgone ransoms (deliberately or by accident): it published stolen data on its leak site before victims even knew the attackers had taken it.

In late October, Bleeping Computer covered the retirement of all of Maze ransomware’s attack operations and the migration of many of Maze’s affiliates to Egregor, a seemingly related crypto-malware strain.

Other attackers stood out for their decision to post stolen data after having received payment from their victims. Meanwhile, the Conti gang made noise by showing fake files to their victims as proof of deletion. This tactic enabled the attackers to return for more rounds of extortion in the future, if they so chose.

How to Deal With Ransomware Payments
The findings above raise an important question. Should you pay a ransomware attacker?

The answer is no. There is no guarantee a victim will receive a working decryption tool for their data even if they pay. Also, as Coveware’s report shows, there is no way to verify that attackers will really delete their victims’ data.

In paying a ransomware attacker, victims could also end up incurring fines from the U.S. government.

In October 2020, the U.S. Department of the Treasury clarified that it had designated several malicious actors responsible for helping to create or distribute ransomware under its cyber-related sanctions program. Payments to those actors could help attackers fund more campaigns, which in turn could harm the United States’ national security and foreign policy.

As a result, the Treasury Department announced that it could impose civil liabilities on individuals who send ransomware payments to those actors — even if they didn’t know that what they were doing went against sanctions.

Users and organizations can respond to this development by focusing on their ability to prevent a ransomware infection. They can do this in a few ways. First, make sure you have working data backups. Be sure employees are familiar with phishing attacks and other digital threats, and use ongoing awareness training to cultivate that familiarity throughout the workforce.
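"Working" backups means backups that have actually been restored and checked, not merely written. The following script is an added example, not part of the original article or any vendor tool: it records a SHA-256 manifest of a source tree at backup time and later compares a restored copy against it, reporting files that are missing, altered (as encrypted files would be) or unexpected. The directory names and file contents are constructed for the demonstration.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

CHUNK = 1 << 16  # read files in 64 KiB chunks so large backups do not load into memory


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root, POSIX form) to its SHA-256."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            manifest[p.relative_to(root).as_posix()] = sha256_file(p)
    return manifest


def verify_restore(manifest: dict, restored: Path) -> dict:
    """Compare a restored tree to the manifest taken at backup time.

    Returns the lists of missing, modified and unexpected files plus an
    overall "ok" flag; a restore is only trustworthy when all lists are empty.
    """
    actual = build_manifest(restored)
    missing = sorted(k for k in manifest if k not in actual)
    modified = sorted(k for k in manifest if k in actual and actual[k] != manifest[k])
    unexpected = sorted(k for k in actual if k not in manifest)
    return {
        "missing": missing,
        "modified": modified,
        "unexpected": unexpected,
        "ok": not (missing or modified or unexpected),
    }


def demo() -> dict:
    """Constructed scenario: one clean restore and one damaged restore.

    The damaged copy imitates what a ransomware-hit backup looks like: one
    file's contents replaced, a renamed '.locked' artifact added, one file gone.
    """
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "src"
        (src / "docs").mkdir(parents=True)
        (src / "docs" / "plan.txt").write_text("quarterly plan\n")
        (src / "ledger.csv").write_text("id,amount\n1,100\n")
        manifest = build_manifest(src)  # store this manifest offline, apart from the backup

        good = Path(tmp) / "good"
        shutil.copytree(src, good)  # byte-for-byte restore
        good_result = verify_restore(manifest, good)

        bad = Path(tmp) / "bad"
        bad.mkdir()
        (bad / "ledger.csv").write_bytes(b"\x00\xff not the original bytes")
        (bad / "ledger.csv.locked").write_bytes(b"x")
        bad_result = verify_restore(manifest, bad)

    return {"good": good_result, "bad": bad_result}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Run a restore into a scratch location on a schedule and feed it to `verify_restore`; a non-empty "modified" or "missing" list is the signal that the backup cannot be relied on. Keep the manifest somewhere the backup system cannot overwrite (offline media or a separate account), because an intruder who can alter the backup can otherwise alter the manifest to match.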

In addition, use threat intelligence to stay informed about evolving ransomware and ransomware payment trends and techniques so that you can better defend your organization.