February 17, 2021 By David Bisson 2 min read

Several digital gangs have gone back on their pledge to honor the ransomware payments made by victims.

The Digital Criminals Who Went Against Their Word

In its Quarterly Ransomware Report for Q3 2020, Coveware notes that nearly half of the ransomware attacks it had tracked during that quarter had included the threat to leak unencrypted data. Yet, multiple gangs did not always delete victims’ stolen data even if they received ransomware payments for that express purpose.

For example, the Sodinokibi/REvil gang extorted victims again for the same data just a few weeks after having received a ransom payment. This group made headlines back in early July last year when KrebsonSecurity learned the attackers were auctioning off the data stolen from an agricultural company.

A few months later, Naked Security wrote about how REvil’s handlers had used $1 million in an attempt to attract more affiliates. In November, the gang behind REvil acquired KPOT, a family of info-stealing malware. The Sodinokibi/REvil gang indulged in its greed for more ransomware payments. By contrast, the Maze group might have eschewed ransoms (willfully or by accident). They published stolen data on their leaks site before users even knew that attackers had stolen it.

In late October, Bleeping Computer covered the retirement of all of Maze ransomware’s attack operations and the migration of many of Maze’s affiliates to Egregor, a seemingly related crypto-malware strain.

Other attackers stood out for their decision to post stolen data after having received payment from their victims. Meanwhile, the Conti gang made noise by showing fake files to their victims as proof of deletion. This tactic enabled the attackers to return for more rounds of extortion in the future, if they so chose.

How to Deal With Ransomware Payments

The findings above raise an important question. Should you pay a ransomware attacker?

The answer is no. There is no guarantee a victim will receive a working decryption tool for their data even if they pay. Also, as Coveware’s report shows, there is no way to verify that attackers will really delete their victims’ data.

In paying a ransomware attacker, victims could also end up incurring fines from the U.S. government.

The U.S. Department of the Treasury in October 2020 clarified that it marked several malicious actors responsible for helping to create or distribute ransomware on its cyber sanctions program. Payments to those actors could help attackers fund more campaigns. These in turn could harm the United States’ national security and foreign policy.

As a result, the Treasury Department announced that it could impose civil liabilities on individuals who send ransomware payments to those actors — even if they didn’t know that what they were doing went against sanctions.

Users and organizations can respond to this development by focusing on their ability to prevent a ransomware infection. They can do this in a few ways. First, make sure you have working data backups. Be sure employees are familiar with phishing attacks and other digital threats. You can also use ongoing awareness training to cultivate such awareness throughout the workforce.

In addition, use threat intelligence to stay informed about evolving ransomware and ransomware payment trends and techniques so that you can better defend your organization.

More from News

Europe’s Cyber Resilience Act: Redefining open source

3 min read - Amid an increasingly complex threat landscape, we find ourselves at a crossroads where law, technology and community converge. As such, cyber resilience is more crucial than ever. At its heart, cyber resilience means maintaining a robust security posture despite adverse cyber events and being able to anticipate, withstand, recover from and adapt to such incidents. While new data privacy and protection regulations like GDPR, HIPAA and CCPA are being introduced more frequently than ever, did you know that there is new…

Feds release urgent guidance for U.S. water sector

3 min read - The water and wastewater sector (WWS) faces cybersecurity challenges that leave it wide open to attacks. In response, the CISA, EPA and FBI recently released joint guidance to the sector, citing variable cyber maturity levels and potential cybersecurity solutions. The new Incident Response Guide (IRG) provides the water sector with information about the federal roles, resources and responsibilities for each stage of the cyber incident response lifecycle. Sector owners and operators can use this information to augment their incident response…

What to expect from the new National Cyber Director

4 min read - As cyber threats show no sign of slowing down in terms of sophistication and frequency, the role of the National Cyber Director (NCD) in the United States is becoming a cornerstone of the nation’s defense strategy. Inaugural NCD Chris Inglis set a high bar for the office during his tenure, steering the country through a gauntlet of cyber challenges. Now, as Harry Coker Jr. steps into this critical role, he faces a landscape that continues to evolve with new threats on…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today