Search Here: Ransomware Groups Refine High-Pressure Tactics

Free Searching on Stolen Data and Higher Ransom Demands Among Latest Innovations
Search Here: Ransomware Groups Refine High-Pressure Tactics
The BlackCat/Alphv ransomware group's data leak site now provides searching on stolen data for victims that failed to pay it a ransom. (Source: Kela)

Ransomware groups continue to refine the tactics they use to better pressure victims into paying.

See Also: Every Second Counts: 6-Step Ransomware Remediation Guide

And they're succeeding. "In recent months, we have seen an increase in the number of ransomware attacks and ransom amounts being paid," the heads of Britain's lead cybersecurity agency and privacy watchdog warned last week in an open letter to the legal industry.

The impetus for the alert from Britain's National Cyber Security Center - the public-facing arm of intelligence agency GCHQ - and the Information Commissioner's Office: They're urging solicitors to never advise clients to pay a ransom. Doing so will not lessen any penalties the ICO might levy, helps perpetuate the ransomware business model and could violate U.S. sanctions, they say.

But the increase in ransoms being paid speaks to the success of ransomware groups' continuing innovation.

Psychological pressure remains a specialty. After infecting systems, many types of ransomware reboot infected PCs to a lock screen that lists the ransom demand, a cryptocurrency wallet address for routing funds and a countdown timer. Oftentimes such ransom notes include a threatening message, warning that all data will be wiped - or the ransom demand doubled or stolen data publicly leaked - should the countdown reach zero.

This BlackCat ransom note includes a countdown timer to pressure victims into paying. (Source: Palo Alto Networks)

Attackers pressure victims into paying quickly. The BlackCat group, aka Alphv, recently upped its default ransom demand to $2.5 million but says victims can pay about half that amount if they send funds quickly, Los Angeles-based cybersecurity firm Resecurity reports.

"The average time allocated for payment varies between five to seven days, to give victims some time to purchase BTC or XMR cryptocurrency," Resecurity says, referring respectively to Bitcoin and Monero cryptocurrency. Bitcoin remains the dominant type of cryptocurrency demanded by attackers.

Some groups will also charge one ransom for a decryptor and another for a promise to delete stolen data, perhaps offering a "discount" if victims purchase both.

Free Searching on Stolen Data

To add more pressure on victims to keep paying, last week BlackCat announced via the Exploit cybercrime forum that it has introduced a "free" search feature for all files, folders and images stolen from victims. It says the feature is designed to appeal to members of the BlackCat community who are looking for passwords and confidential information such as Social Security numbers.

"The information uploaded to the system was obtained by our team from real networks and is not a copy-paste," BlackCat says in its post. "The search is carried out both by the name of files/directories, and by the contents of the file, including by images. The software can find text on an image, including inside a PDF document."

Bleeping Computer reports that LockBit has debuted a similar feature on its data leak site, except so far it's only designed to search for company names. It also says the Karakurt group's leak site has introduced a search bar, although the feature currently appears to be broken.

BlackCat tested a search feature last month after stealing information on customers and employees of a luxury spa and resort in Oregon called the Allison Inn & Spa. The ransomware group created a dedicated site for searching stolen data, reachable via a website with a fake URL designed to look like the one for the spa. The impetus appears to have been to allow individuals whose personal details were stolen to find themselves on the data leak site and potentially demand the spa pay attackers to get their data removed.

Whether or not such strategies lead more victims to pay in return for a promise to remove their searchable data from the data leak site remains to be seen.

Dozens of Fresh Victims Listed

Getting an accurate count of how many victims pay a ransom remains difficult. Blockchain intelligence companies can watch the flow of cryptocurrency to wallets known to be operated by ransomware groups.

Many but not all ransomware groups run dedicated data leak sites. Victims who don't quickly pay a ransom can end up getting listed on these sites, to add pressure on them to pay.

Threat intelligence firm Kela reports that since the beginning of July, more than 85 fresh victims have appeared on data leak sites run by these 15 ransomware groups: BianLian, BlackByte, Black Basta, BlackCat/Alphv, Everest, Hive, Karakurt, LockBit, Lorenz, Midas, Quantum, RansomHouse, RedAlert/N13V, Snatch and Vice Society.

Collaboration and Cooperation

To what degree different ransomware groups collaborate or interoperate remains unclear. For example, the powerhouse group Conti retired its name in May, having burned the brand by supporting Russia's invasion of Ukraine. But New York-based threat intelligence firm AdvIntel says that by then, Conti's leadership had already spun up other subsidiaries, including BlackBasta, BlackByte and Karakurt. AdvIntel also reported that the Conti organization already had close alliances with the likes of Alphv/BlackCat, AvosLocker, Hive and HelloKitty/FiveHands.

Conti was unusual in part because it ran most attacks from within the organization, likely because that allowed the group to pay relatively low wages to salaried employees and keep more of the ransom proceeds for themselves.

LockBit data leak site's FAQ for affiliates promises them an 80% cut of every ransom paid. (Image: ISMG)

Many ransomware operations instead are run as a service, via which operators provide regularly updated crypto-locking malware to affiliates. These affiliates may work with initial access brokers to find victims or practice network penetration skills. For every victim they infect with an operation's ransomware, the affiliate receives a prearranged cut, which is typically 70% or 80%.

Western Governments Seek Disruption

Clearly, a variety of innovations are helping ransomware remain a viable business model for the criminally inclined.

Since last year, however, many Western governments have been making more concerted efforts to disrupt the business model, by tracking attacks, disrupting operations and arresting suspects - when they're not in Russia, which never extradites its citizens.

Governments have also been focusing on improving domestic cybersecurity resiliency to make businesses tougher to hack. In short, they've been treating ransomware as a national security threat.

Many victims do continue to pay a ransom to attackers, despite law enforcement authorities regularly urging them to better prepare so they won't have to pay. In some cases, victims claim they're paying in exchange for a guarantee from attackers to not sell or leak stolen data.

Alert: Paying Won't Decrease Liability

Britain's ICO, in the open letter to the legal sector that it issued last week with the NCSC, warned organizations that paying a ransom will in no way reduce their liability for any underlying business failures. In other words, any failure to properly protect people's private information or other violations of the EU and U.K. General Data Protection Regulation, could still trigger fines.

Paying criminals perpetuates an illicit business model, doesn't guarantee that a victim will receiving a working decryptor, and may make them a repeat target. In addition, it too often simply adds to the total cost of recovery, says Paul Ducklin, a security researcher at Sophos.

"Paying off the crooks almost certainly won't save you money, not least because you still have to go through a recovery exercise that will take as much time as restoring in conventional ways, as well as paying the blackmail," Ducklin says in a blog post based on repeat Sophos surveys of ransomware victims. "We also found that the decryption tools supplied by the criminals who attacked you in the first place are often unfit for purpose."

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.