Scam PSA: Ransomware gangs don't always delete stolen data when paid

Ransomware gangs are increasingly failing to keep their promise to delete stolen data after a victim pays a ransom.

In 2019, the Maze ransomware group introduced a new tactic known as double-extortion, which is when attackers steal unencrypted files and then threaten to release them publicly if a ransom is not paid.

Now, not only are victims being extorted through the encryption of their files but also by the risk of their data being published and causing a data breach.

This tactic was quickly adopted by other ransomware operations, who began to create data leak sites used to publish victims' stolen files.

As part of this double-extortion tactic, most ransomware operations require a victim to pay a single ransom that will provide both a decryptor for their encrypted files and a promise not to share and to delete stolen files.

Some ransomware operations, like AKO/Ranzy, demand two ransom payments, one for the decryptor and another not to publish stolen data.

Ransomware gangs not keeping their promise

In the Coveware Q3 2020 ransomware report released today, we learn that some ransomware gangs do not keep their promise to delete stolen data after a ransom is paid.

According to the new report, certain groups are leaking stolen data after a ransom was paid, using fake data as proof of deletion, or even re-extorting a victim using the same data that was paid not to be released.

• Sodinokibi: Victims that paid were re-extorted weeks later with threats to post the same data set.

• Netwalker: Data posted of companies that had paid for it not to be leaked

• Mespinoza: Data posted of companies that had paid for it not to be leaked

• Conti: Fake files are shown as proof of deletion

Maze, Sekhmet, and Egregor, who appear to be all related, were also mentioned as having a problem keeping data secret after getting paid. In a conversation with BleepingComputer, Coveware's CEO Bill Siegel explained that as Maze grew larger, their operation became disorganized, and the victim's data was mistakenly posted on the data leak site.

Siegel also told BleepingComputer that Conti used file-sharing sites to share proof of stolen data with victims. When uploading data to these sites, removal links are also generated that allow anyone with the link to remove the uploaded data.

According to Siegel, Conti provided victims fake removal links after a ransom was paid that contained dummy data and not the victim's actual data. These links were meant to trick the victim into thinking their data was deleted, when in reality, Conti continued to hold on to the data.

Unlike a ransomware decryptor, which a threat actor can't take away once given, there is no way for a victim to know for sure if a ransomware operation is deleting stolen data after a ransom payment is made.

Due to this, Coveware told BleepingComputer that it does not make sense to pay a ransom as there is no way to know for sure it will not be used to extort you further in the future.

With this in mind, Coveware tells victims to expect the following if they do decide to pay, so their data is not released:

• The data will not be credibly deleted. Victims should assume it will be traded to other threat actors, sold, or held for a second/future extortion attempt

• Stolen data custody was held by multiple parties and not secured. Even if the threat actor deletes a volume of data following a payment, other parties that had access to it may have made copies so that they can extort the victim in the future

• The data may get posted anyway by mistake or on purpose before a victim can even respond to an extortion attempt

Companies should automatically assume that their data has been shared among multiple threat actors and that it will be used or leaked in some manner in the future, regardless of whether they paid.

Instead, companies should treat the attack as a data breach and properly inform all customers, employees, and business partners that their data was stolen as required by law.

Doing this makes the companies look better for trying to do the right thing and gives those who were exposed the ability to monitor and protect their accounts from fraud.