How ransomware operators are joining forces to carry out attacks

Attackers buy stolen data from other criminals, while the Maze group publishes data captured by other gangs, says Positive Technologies.

Image: vchal, iStockphoto

Ransomware has become one of the most damaging forms of cyberattack, resulting in lost time, money, resources, and reputation for victimized organizations. Lately, ransomware operators have been upping their game by teaming up with fellow criminals as a type of organized cybercrime. A report published Wednesday by enterprise security provider Positive Technologies describes this latest trend in ransomware collaboration.

SEE: Ransomware: What IT pros need to know (free PDF)

Like most types of cyberthreats, ransomware continues to evolve. In the past, ransomware gangs typically would simply encrypt and hold the captured data until the victim paid the ransom. Now, these gangs are increasingly threatening to disclose the compromised data publicly unless the ransom is paid.

The Maze and Sodinokibi groups were the most active culprits of this type of extortion during the second quarter, according to Positive Technologies. DoppelPaymer, NetWalker, Ako, Nefilim, and Clop are also engaged in this type of threat. Some gangs, such as Ako, employ a “double extortion” scheme by demanding separate ransoms for decryption and nondisclosure of data.

To sell the compromised files, many ransomware groups create special data leak sites that publish the names of victims along with the stolen data. Other groups publish the information on hacker forums.

But in a move toward collaboration, groups have been teaming up with the Maze gang to post the compromised data. Specifically, Maze uses its own data leak site to publish information stolen by other criminals, forming an operation known as the Maze cartel.

As a further step toward banding together, ransomware operators are buying access to the networks of victimized organizations from other criminals groups. Further, the NetWalker gang has been hiring affiliates to help spread its ransomware by offering them a commission on the payout.

Although theses types of collaboration mean the criminals must share their profits, they’re still raking in a lot of money. In June, the University of California at San Francisco had to pay out $1.14 million following an attack by the NetWalker ransomware.

In May, the law firm of Grubman Shire Meiselas & Sacks received an extortion demand from the REvil (Sodinokibi) ransomware gang. The criminals claimed to have captured sensitive data about the firm’s celebrity clients, such as Lady Gaga, Madonna, Mariah Carey, Nicki Minaj, Bruce Springsteen, Bette Midler, and Jessica Simpson. After the firm offered to pay just $365,000 of the $21 million demanded, the group doubled its demands to $42 million.

Seeing the profit potential, other criminals have been employing ransomware by demanding payment for not publishing stolen data. In one example from May, attackers demanded a ransom from retail stories in exchange for not disclosing sensitive data. Though only asking $500 for each incident, the costs can mount up, especially since the victims are more likely to pay such a small amount to recover their data.

In another example, criminals hacked into LenovoEMC network-attached storage devices, encrypted files, and then demanded a ransom of $200 to $275 to restore the data. And in one more case, attackers easily compromised 22,900 MongoDB databases that had no password protection. The hackers not only asked for money to restore the data but also threatened to publish it and contact the General Data Protection Regulation (GDPR) enforcement authority to report the incident.