February 17, 2021 By David Bisson 2 min read

Several digital gangs have gone back on their pledge to honor the ransomware payments made by victims.

The Digital Criminals Who Went Against Their Word

In its Quarterly Ransomware Report for Q3 2020, Coveware notes that nearly half of the ransomware attacks it had tracked during that quarter had included the threat to leak unencrypted data. Yet, multiple gangs did not always delete victims’ stolen data even if they received ransomware payments for that express purpose.

For example, the Sodinokibi/REvil gang extorted victims again for the same data just a few weeks after having received a ransom payment. This group made headlines back in early July last year when KrebsonSecurity learned the attackers were auctioning off the data stolen from an agricultural company.

A few months later, Naked Security wrote about how REvil’s handlers had used $1 million in an attempt to attract more affiliates. In November, the gang behind REvil acquired KPOT, a family of info-stealing malware. The Sodinokibi/REvil gang indulged in its greed for more ransomware payments. By contrast, the Maze group might have eschewed ransoms (willfully or by accident). They published stolen data on their leaks site before users even knew that attackers had stolen it.

In late October, Bleeping Computer covered the retirement of all of Maze ransomware’s attack operations and the migration of many of Maze’s affiliates to Egregor, a seemingly related crypto-malware strain.

Other attackers stood out for their decision to post stolen data after having received payment from their victims. Meanwhile, the Conti gang made noise by showing fake files to their victims as proof of deletion. This tactic enabled the attackers to return for more rounds of extortion in the future, if they so chose.

How to Deal With Ransomware Payments

The findings above raise an important question. Should you pay a ransomware attacker?

The answer is no. There is no guarantee a victim will receive a working decryption tool for their data even if they pay. Also, as Coveware’s report shows, there is no way to verify that attackers will really delete their victims’ data.

In paying a ransomware attacker, victims could also end up incurring fines from the U.S. government.

The U.S. Department of the Treasury in October 2020 clarified that it marked several malicious actors responsible for helping to create or distribute ransomware on its cyber sanctions program. Payments to those actors could help attackers fund more campaigns. These in turn could harm the United States’ national security and foreign policy.

As a result, the Treasury Department announced that it could impose civil liabilities on individuals who send ransomware payments to those actors — even if they didn’t know that what they were doing went against sanctions.

Users and organizations can respond to this development by focusing on their ability to prevent a ransomware infection. They can do this in a few ways. First, make sure you have working data backups. Be sure employees are familiar with phishing attacks and other digital threats. You can also use ongoing awareness training to cultivate such awareness throughout the workforce.

In addition, use threat intelligence to stay informed about evolving ransomware and ransomware payment trends and techniques so that you can better defend your organization.

More from News

Hackers are increasingly targeting auto dealers

3 min read - Update as of July 11, 2024 In late June, more than 15,000 car dealerships across North America were affected by a cyberattack on CDK Global, which provides software to car dealers. After two cyberattacks over two days, CDK shut down all systems, which caused delays for car buyers and disruptions for the dealerships. Many dealerships went back to manual processes, including handwriting up orders, so that sales could continue at a slower pace. Car buyers who recently bought a car from…

CISA director says banning ransomware payments is off the table

3 min read - The FBI, CISA and NSA all strongly advise against organizations making ransomware payments if they fall victim to ransomware attacks. If so, why not place a ban on paying ransomware demands? The topic came up at a recent Oxford Cyber Forum. Jen Easterly, Director of CISA, commented on the issue, saying, “I think within our system in the U.S. — just from a practical perspective — I don’t see it happening.” It’s unlikely this was a purely spontaneous remark as the…

A proactive cybersecurity policy is not just smart — it’s essential

3 min read - It’s easy to focus on the “after” when it comes to cybersecurity: How to stop an attack after it begins and how to recover when it's over. But while a reactive response sort of worked in the past, it simply is not good enough in today’s world. Not only are attacks more intense and more damaging than ever before, but cyber criminals also use so many different attack methods. Zscaler ThreatLabz 2024 Phishing Report found that phishing attacks increased by…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today