Ransomware steals data and extorting victims with public data

Increasingly insane ransomware has allowed many companies to begin to strengthen security measures and actively back up data, as long as the backup data should be safe for ransomware. After all, most ransomware encrypts data and then requires the victim to ransom to receive the decryption key, but companies can ignore ransom if they have a backup. Although not many companies are actively backing up data on a regular basis, leaders in the company have begun to make changes, and these leaders are actively responding to data backup.

The latest research cases published by Morphisec security companies show that some ransomware has started uploading data to the server before encrypting all data. The main targets of this ransomware are enterprises and enterprise users. After pre-selecting the targets, they use targeted phishing or spam attacks. After successfully entering the intranet of the enterprise, the ransomware does not directly encrypt all data, first infects other devices on the intranet and then starts packaging and uploading corporate data. The ransomware will only start the encryption after the corporate data is completely uploaded to the hacker’s server, and then ask the victim to ransom a high amount of ransom after the encryption is completed. The probability of success is very high because hackers select targets in advance, and these hackers do not need to worry about the victim companies being unwilling to pay the ransom.

“Cryptolocker ransomware”by Christiaan Colen is licensed under CC BY-SA 2.0

Why do hackers need not worry about the victim’s reluctance to pay the ransom? If the enterprise has data backup, then restore directly from the backup data? Yes, companies can recover from the backed up data, but the purpose of hackers uploading corporate data is still a threat. If the company does not pay the ransom, it will make the data public. The targets selected by these hackers are usually technology, financial or other commercial enterprises. These enterprises are more worried about the leakage of internal confidential data. Moreover, these hackers will also warn companies directly on the ransomware interface: Without paying the ransom, not only cannot the data be decrypted, but confidential data will be also released publicly. Hackers will also disclose in the blackmail content the victimized companies whose data was disclosed because they did not pay the ransom, thereby threatening the companies to pay the ransom immediately.

What is worrying is that multiple ransomware families are currently trying to use this strategy, that is, uploading key corporate data to the server before encrypting the data. Security companies anticipate that many of these ransomware for the enterprise will adopt this type of strategy in the future because disclosure of trade secrets does in some ways really matter. However, it is even more worrying that even if the company pays the ransom, it cannot guarantee that the data will be completely deleted by the hackers, and the data may also be sold to underground properties. If these ransomware development teams collude with commercial spies in the future, the threat will be even greater, which may be bad news for enterprises. Of course, the only thing that can and must be done to deal with this type of attack is to strengthen the security defense. Regular backup of corporate data can no longer cope with such threats.