A report has emerged stating that hackers are still publishing stolen data even if the ransom is paid by an organisation, signaling that organisations should be vigilant and proactive in preparing strategies for a potential data breach.
The report comes from tech and security firm Coveware, which specialises in dealing with the aftermath of a ransomware attack. Coveware says that hackers are increasingly ditching the ethos of ‘honour amongst thieves’ as they continue to publish data stolen from individuals and organisations, even if the ransom is paid.
For context, the report is talking specifically about the actions of hackers after a ransomware attack is launched against an individual or an organisation. In a ransomware attack, an unauthorised third party encrypts files, making them unusable by the organisation until a ransom has been paid, at which point the hacker should hand over the decryption key.
The report from Coveware, however, states that cyber criminals are increasingly publishing the stolen data from the organisation, even if the ransom is paid in full. News like this could transform how organisations respond to ransomware attacks, which the authors of the report say is an absolutely essential consideration of doing business in the 21st century.
“Despite some companies opting to pay threat actors to not release exfiltrated data, Coveware has seen a fraying of promises of the cyber-criminals to delete the data,” the company says.
Coveware has warned organisations of all shapes and sizes to prepare a strategy covering how the business will respond to something like a ransomware attack, and consider how the organisation could be held accountable if that data were to be leaked.
Authors of the report say that implementing new strategies should include “getting the advice of a competent privacy attorney, performing an investigation into what data was taken, and performing the necessary notifications that result from that investigation and counsel.”
“Paying a threat actor does not discharge any of the above, and given the outcomes that we have recently seen, paying a threat actor not to leak stolen data provides almost no benefit to the victim,” Coveware says.
“Unlike negotiating for a decryption key, negotiating for the suppression of stolen data has no finite end,” Coveware says. “Once a victim receives a decryption key, it can’t be taken away and does not degrade with time. With stolen data, a threat actor can return for a second payment at any point in the future.”
Sadly, the authors of the report say that ransomware threats present a “disproportionate problem for small and medium sized businesses,” stating that while ransomware attacks on large companies might make up the majority of news headlines, hackers remain a significant problem for small and medium-sized organisations.
This is due to the fact that small businesses often don’t have backups of files or the financial resources necessary to make a full recovery after a ransomware attack, according to Coveware. “Most victims of ransomware have less than $50 million dollars in annual revenue. This small-mid market profile demonstrates just how damaging these attacks are to the backbone of the US economy,” the firm adds.
The industries most commonly targeted by ransomware attacks, according to Coveware, are the professional services, public sector, healthcare and financial services sectors, while consumer services, retail and software services were also frequently targeted.
According to a report from InfoSecurity Magazine, “business interruption now stands at 19 days, up 19% from the second quarter, while the average payment is up 31% to $233,817, as attackers increasingly target larger enterprises.” The author goes on to explain that hackers have “realized over recent months that doing so will significantly enhance margins without increasing operating costs of risks.”
Coveware says that “although victims may decide there are valid reasons to pay to prevent the public sharing of stolen data, Coveware’s policy is to advise victims of data exfiltration extortion to expect the following if they opt to pay.” These include:
The data will not be credibly deleted. Victims should assume it will be traded to other threat actors, sold, or held for a second/future extortion attempt.
Stolen data custody was held by multiple parties and not secured. Even if the threat actor deletes a volume of data following a payment, other parties that had access to it may have made copies so that they can extort the victim in the future.
The data may get posted anyway by mistake or on purpose before a victim can even respond to an extortion attempt.