{"id":15350,"date":"2020-02-06T19:22:54","date_gmt":"2020-02-07T00:22:54","guid":{"rendered":"https:\/\/me-en.kaspersky.com\/blog\/ransomware-data-disclosure\/15350\/"},"modified":"2020-09-02T21:33:15","modified_gmt":"2020-09-02T17:33:15","slug":"ransomware-data-disclosure","status":"publish","type":"post","link":"https:\/\/me-en.kaspersky.com\/blog\/ransomware-data-disclosure\/15350\/","title":{"rendered":"Backing up is no panacea when blackmailers publish stolen data"},"content":{"rendered":"<p>Backing up data has been one of the most effective, though labor-intensive, safeguards against encrypting ransomware so far. Now, malefactors seem to have caught up with those who rely on backups. The creators of several ransomware programs, confronted with victims refusing to pay the ransom, shared the stolen data online.<\/p>\n<h2>Data publication makes threats into reality<\/h2>\n<p>Threats to make confidential information public are nothing new. For example, in 2016, the group behind the cryptoware that <a href=\"https:\/\/www.theverge.com\/2016\/11\/28\/13769360\/muni-hacker-threat-release-customer-data-san-francisco\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">infected the San Francisco Municipal Railway<\/a>\u2019s systems tried that trick. They never followed through on their threat, though.<\/p>\n<h3>Maze was the first<\/h3>\n<p>Unlike its predecessors, the group behind Maze ransomware delivered on its promises in late 2019 \u2014 more than once. In November, when Allied Universal refused to pay up, the criminals <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/allied-universal-breached-by-maze-ransomware-stolen-data-leaked\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">leaked 700MB of internal data online<\/a> including contracts, termination agreements, digital certificates, and more. 
The blackmailers said they had published just 10% of what they had stolen and threatened to make the rest available publicly if the target did not cooperate.<\/p>\n<p>In December, Maze actors <a href=\"https:\/\/krebsonsecurity.com\/2019\/12\/ransomware-gangs-now-outing-victim-businesses-that-dont-pay-up\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">created a website<\/a> and used it to post the names of victimized companies, infection dates, amount of data stolen, and IP addresses and names of infected servers. They uploaded some documents as well. At the end of that month, 2GB of files, <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/maze-ransomware-releases-files-stolen-from-city-of-pensacola\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">apparently stolen from the city of Pensacola<\/a>, Florida, appeared online. The blackmailers said they published the information to prove they weren\u2019t bluffing.<\/p>\n<p>In January, the creators of Maze <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/maze-ransomware-not-getting-paid-leaks-data-left-and-right\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">uploaded<\/a> 9.5GB of Medical Diagnostic Laboratories data and 14.1GB of documents from cable maker Southwire, which had earlier sued the blackmailers for leaking confidential information. The lawsuit made the Maze website shut down, but that will not last.<\/p>\n<h3>Next came Sodinokibi, Nemty, BitPyLock<\/h3>\n<p>Other cybercriminals followed. The group behind the ransomware Sodinokibi, which was used to attack international financial company Travelex on New Year\u2019s Eve, <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/sodinokibi-ransomware-says-travelex-will-pay-one-way-or-another\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">stated its intention in early January to publish data belonging to the company\u2019s customers<\/a>. 
The cybercriminals say they have more than 5GB of information including birth dates, social security numbers, and bank card details.<\/p>\n<p>For Travelex\u2019s part, the company says it\u2019s seen no evidence of a leak, and that it refuses to pay. Meanwhile, the offenders say the company has agreed to enter negotiations.<\/p>\n<p>On January 11th, the same group <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/sodinokibi-ransomware-publishes-stolen-data-for-the-first-time\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">uploaded<\/a> links to about 337MB of data to a hacker message board, saying the data belonged to recruiting company Artech Information Systems, which refused to pay the ransom. The offenders said the uploaded data represented only a fraction of what they had stolen. They said they intended to sell, not publish, the rest unless the victims complied.<\/p>\n<p>The authors of Nemty malware were next to <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/nemty-ransomware-to-start-leaking-non-paying-victims-data\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">announce<\/a> plans to publish nonpayers\u2019 confidential data. They said they intended to create a blog for posting piece by piece the internal documents of victims who won\u2019t fulfill their demands.<\/p>\n<p>The operators of BitPyLock ransomware <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/bitpylock-ransomware-now-threatens-to-publish-stolen-data\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">joined the trend<\/a> by adding to their ransom note a promise that they would make their victim\u2019s confidential data available publicly. Although they have yet to do so, BitPyLock may well prove to be stealing data as well.<\/p>\n<h2>No mere ransomware<\/h2>\n<p>Advanced features added to ransomware programs are nothing new. 
For example, back in 2016, a version of the Shade Trojan <a href=\"https:\/\/securelist.com\/shade-not-by-encryption-alone\/75645\/\" target=\"_blank\" rel=\"noopener noreferrer\">installed remote administration tools<\/a> instead of encrypting files if it found that it had hit an accounting machine. CryptXXX both encrypted files and <a href=\"https:\/\/www.kaspersky.com\/blog\/cryptxxx-ransomware\/11939\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">stole Bitcoin and victims\u2019 logins<\/a>. The group behind RAA <a href=\"https:\/\/securelist.com\/a-malicious-pairing-of-cryptor-and-stealer\/76039\/\" target=\"_blank\" rel=\"noopener noreferrer\">equipped some specimens of the malware with the Pony Trojan<\/a>, which targeted logins as well. Ransomware\u2019s ability to steal data should surprise no one \u2014 especially now that companies are increasingly recognizing the need to back up their information.<\/p>\n<p>Worryingly, backups do not safeguard against these attacks. If you are infected, there is no way for you to avoid losses, which will not necessarily be limited to ransom; blackmailers provide no guarantees. The only way to protect yourself is not to let malware into your systems.<\/p>\n<h2>How to protect yourself from ransomware<\/h2>\n<p>Whether this new ransomware trend will prove effective or be abandoned remains to be seen. These attacks are only starting to gain momentum, so you need to stay protected. That means more than just avoiding reputational losses and disclosure of trade secrets \u2014 if you let a client\u2019s personal data get stolen, you may face serious fines. So, here is some advice:<\/p>\n<ul>\n<li>Improve information security awareness. The more knowledgeable staffers are, the lower the probability that phishing and other social engineering techniques will work on them. 
We have a learning platform, <a href=\"https:\/\/k-asap.com\/en\/?icid=me-en_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder____kasap___\" target=\"_blank\" rel=\"noopener\">Kaspersky Automated Security Awareness Platform<\/a>, designed for employees with varying workload levels, interests, and level of access to confidential information.<\/li>\n<li>Update your operating systems and software promptly \u2014 especially anything found to contain vulnerabilities that allow unauthorized access to and control of the system.<\/li>\n<li>Use a specialized protective solution aimed at combating ransomware. For example, you can download our <a href=\"https:\/\/me-en.kaspersky.com\/blog\/kaspersky-anti-ransomware-tool-for-business\/?utm_source=kdaily&amp;utm_medium=blog&amp;utm_campaign=me-en_KB_nv0092&amp;utm_content=link&amp;utm_term=me-en_kdaily_organic_1drobvqxak929hs\" target=\"_blank\" rel=\"noopener\">Kaspersky Anti-Ransomware Tool<\/a> free of charge.<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>Ransomware makers seem to be following a new trend, publishing data from companies that refuse to pay 
them.<\/p>\n","protected":false},"author":2509,"featured_media":15351,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1318,1917],"tags":[2228,1201,1183,2229,2230,433,2175],"class_list":{"0":"post-15350","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-business","8":"category-smb","9":"tag-anti-ransomware","10":"tag-cryptors","11":"tag-leaks","12":"tag-maze","13":"tag-nemty","14":"tag-ransomware","15":"tag-sodin"},"hreflang":[{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/ransomware-data-disclosure\/15350\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/ransomware-data-disclosure\/18474\/"},{"hreflang":"ar","url":"https:\/\/me.kaspersky.com\/blog\/ransomware-data-disclosure\/7477\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/ransomware-data-disclosure\/20241\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/ransomware-data-disclosure\/18567\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/ransomware-data-disclosure\/17077\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/ransomware-data-disclosure\/21070\/"},{"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\/ransomware-data-disclosure\/19904\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/ransomware-data-disclosure\/26264\/"},{"hreflang":"tr","url":"https:\/\/www.kaspersky.com.tr\/blog\/ransomware-data-disclosure\/7655\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/ransomware-data-disclosure\/32410\/"},{"hreflang":"fr","url":"https:\/\/www.kaspersky.fr\/blog\/ransomware-data-disclosure\/13705\/"},{"hreflang":"pt-br","url":"https:\/\/www.kaspersky.com.br\/blog\/ransomware-data-disclosure\/14014\/"},{"hreflang":"pl","url":"https:\/\/plblog.kaspersky.com\/ransomware-data-disclosure\/12753\/"},{"hreflang":"de",
"url":"https:\/\/www.kaspersky.de\/blog\/ransomware-data-disclosure\/22136\/"},{"hreflang":"zh","url":"https:\/\/www.kaspersky.com.cn\/blog\/ransomware-data-disclosure\/10751\/"},{"hreflang":"ja","url":"https:\/\/blog.kaspersky.co.jp\/ransomware-data-disclosure\/26862\/"},{"hreflang":"nl","url":"https:\/\/www.kaspersky.nl\/blog\/ransomware-data-disclosure\/24954\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/ransomware-data-disclosure\/20914\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/ransomware-data-disclosure\/25755\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/ransomware-data-disclosure\/25587\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/me-en.kaspersky.com\/blog\/tag\/ransomware\/","name":"ransomware"},"_links":{"self":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/15350","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/2509"}],"replies":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=15350"}],"version-history":[{"count":1,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/15350\/revisions"}],"predecessor-version":[{"id":16403,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/15350\/revisions\/16403"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/15351"}],"wp:attachment":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=15350"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=15350"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog
\/wp-json\/wp\/v2\/tags?post=15350"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}