Coveware has released its Quarterly Ransomware report for Q3, 2020 highlighting the latest ransomware attack trends. The report confirms that data exfiltration prior to the use of ransomware continues to be a popular tactic, with around half of all ransomware attacks involving data theft. Attacks involving the theft of data doubled in Q3, 2020.
In cases where data are stolen prior to file encryption, victims are told that unless they pay the ransom demand their data will be leaked online or sold, a threat intended to pressure victims into paying; ransomware victims should nevertheless carefully consider whether or not to pay. There are no guarantees that paying the ransom will prevent publication of stolen data.
Ransomware Gangs Renege on Promises to Delete Data
The Maze ransomware gang started the double-extortion trend in 2019 and many ransomware operators soon followed suit. In some cases, two ransom demands are issued: one to return or delete stolen data and the other for the keys to unlock the encrypted files. The operators of the AKO and Ranzy ransomware variants have adopted this dual ransom demand tactic.
The Coveware report reveals that, in some cases, the attackers do not make good on their promise even when the victim pays the ransom in full. There have been several cases where stolen data were leaked or sold after the ransom was paid, and one gang is known to re-extort victims.
The report lists four ransomware operations known not to delete data after the ransom has been paid. The operators of Sodinokibi ransomware have re-extorted some victims, and the Netwalker and Mespinoza operators have leaked stolen data after the ransom was paid in full. The operators of Conti ransomware have provided victims with proof that files were deleted, but the proof covered the deletion of fake files rather than the stolen data. Maze, Sekhmet, and Egregor have similarly leaked data on occasion, although it is unclear whether the leaks after payment were intentional.
Coveware explains that in some ransomware operations the stolen data are held by multiple parties, which means that even if the threat actor deletes its copy, there is no guarantee that all copies will be deleted. There have been cases where stolen data were posted in error on leak sites before the victim was even given the chance to make payment.
Coveware warns its customers that payment of the ransom does not guarantee stolen data will not be shared with other threat groups or be used in further extortion attempts. Coveware tells its customers to assume theft of data is a data breach and ensure all individuals impacted by the breach are notified to give them the opportunity to monitor their accounts and take steps to protect their identities, regardless of whether the ransom demand is paid.