How ransomware operators are joining forces to carry out attacks

Attackers buy stolen data from other criminals, while the Maze group publishes data captured by other gangs, says Positive Technologies.


Ransomware has become one of the most damaging forms of cyberattack, resulting in lost time, money, resources, and reputation for victimized organizations. Lately, ransomware operators have been upping their game by teaming up with fellow criminals as a type of organized cybercrime. A report published Wednesday by enterprise security provider Positive Technologies describes this latest trend in ransomware collaboration.


Like most types of cyberthreats, ransomware continues to evolve. In the past, ransomware gangs typically would simply encrypt and hold the captured data until the victim paid the ransom. Now, these gangs are increasingly threatening to disclose the compromised data publicly unless the ransom is paid.

The Maze and Sodinokibi groups were the most active culprits of this type of extortion during the second quarter, according to Positive Technologies. DoppelPaymer, NetWalker, Ako, Nefilim, and Clop are also engaged in this type of threat. Some gangs, such as Ako, employ a "double extortion" scheme by demanding separate ransoms for decryption and nondisclosure of data.

To sell the compromised files, many ransomware groups create special data leak sites that publish the names of victims along with the stolen data. Other groups publish the information on hacker forums.

But in a move toward collaboration, groups have been teaming up with the Maze gang to post the compromised data. Specifically, Maze uses its own data leak site to publish information stolen by other criminals, forming an operation known as the Maze cartel.

As a further step toward banding together, ransomware operators are buying access to the networks of victimized organizations from other criminal groups. Further, the NetWalker gang has been hiring affiliates to help spread its ransomware by offering them a commission on the payout.

Although these types of collaboration mean the criminals must share their profits, they're still raking in a lot of money. In June, the University of California at San Francisco had to pay out $1.14 million following an attack by the NetWalker ransomware.

In May, the law firm of Grubman Shire Meiselas & Sacks received an extortion demand from the REvil (Sodinokibi) ransomware gang. The criminals claimed to have captured sensitive data about the firm's celebrity clients, such as Lady Gaga, Madonna, Mariah Carey, Nicki Minaj, Bruce Springsteen, Bette Midler, and Jessica Simpson. After the firm offered to pay just $365,000 of the $21 million demanded, the group doubled its demands to $42 million.

Seeing the profit potential, other criminals have been employing ransomware by demanding payment for not publishing stolen data. In one example from May, attackers demanded a ransom from retail stores in exchange for not disclosing sensitive data. Though only asking $500 for each incident, the costs can mount up, especially since the victims are more likely to pay such a small amount to recover their data.

In another example, criminals hacked into LenovoEMC network-attached storage devices, encrypted files, and then demanded a ransom of $200 to $275 to restore the data. And in one more case, attackers easily compromised 22,900 MongoDB databases that had no password protection. The hackers not only asked for money to restore the data but also threatened to publish it and contact the General Data Protection Regulation (GDPR) enforcement authority to report the incident.
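The MongoDB incident above came down to databases reachable from the internet with no authentication. As an added illustration (not from the report or the article), here is the kind of mongod.conf exposure involved, next to the hardened settings a defender would apply; the file paths and key file name are assumptions:

```yaml
# --- Exposed configuration (do not deploy) ---
# No "security" section at all: access control is off, so anyone who can
# reach the port can read, drop, and re-create every collection.
net:
  port: 27017
  bindIp: 0.0.0.0        # listens on every interface, including the public one
storage:
  dbPath: /var/lib/mongodb   # assumed path

# --- Hardened configuration ---
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5   # loopback plus the app server's private address (assumed)
  tls:
    mode: requireTLS
    certificateKeyFile: /etc/ssl/mongodb.pem   # assumed path
security:
  authorization: enabled       # every client must authenticate and is checked against roles
  keyFile: /etc/mongodb/keyfile  # assumed path; required for intra-replica-set auth
storage:
  dbPath: /var/lib/mongodb
```

With authorization enabled, create an administrative user before exposing the service, and confirm from an external host that an unauthenticated connection is rejected rather than trusting the config file alone.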

In light of these new threats, how can organizations protect themselves from ransomware attacks before they occur?

"Most attacks are reliant on exploiting existing vulnerabilities in computer systems, so the best way to prevent attacks is by implementing security 101 measures," Ekaterina Kilyusheva, head of research and analytics at Positive Technologies, told TechRepublic. "This means patching programs and enabling automatic updates, limiting permissions on systems, and having procedures to deal with disaster recovery."

Specifically, Kilyusheva advises organizations to implement the following measures:

  • Centralized update management.
  • Antivirus protection on all systems and endpoints, preferably with support for on-demand scanning by users of suspicious attachments prior to opening them.
  • Sandboxes to analyze file behavior.
  • Security information and event management (SIEM) capabilities, for timely attack detection.
  • Automated software audit tools to identify vulnerabilities.

And what should an organization do if it's been hit by a ransomware attack?

"Unfortunately, many companies, even when faced with a ransomware attack, make the wrong conclusions and question whether or not to pay, rather than developing a business strategy that includes IT risks (business continuity and disaster recovery) or quality backup policies," Kilyusheva said. "Most ransomware exploits well-known vulnerabilities that are easy to fix with the appropriate security updates or settings.

"For those falling victim to ransomware, take steps to localize the segments affected by the virus," Kilyusheva explained. "Take measures for further virus nonproliferation and immediately contact companies that offer specialized services for analyzing, investigating, and restoring infrastructure damaged by such attacks. Experts will provide professional advice and assess the likelihood and possibility of data recovery, depending on the particular form of ransomware."
