Ransomware gangs are reportedly sending victims fake evidence that stolen data has been deleted, only to use that data again in a second extortion attempt.
Notorious hacking groups such as Sodinokibi, Maze, and Netwalker have been tricking victims into a false sense of security, according to a Q3 Ransomware report from cyber security firm Coveware.
The report found that it has now become the default position for groups to hold onto data they have acquired, regardless of whether a ransomware payment has been paid by the victim. In fact, the cyber security firm found evidence that many groups are providing faked files that claim to prove that the data has been deleted.
Although some victims may decide there are valid reasons to pay, cyber security experts frequently advise against it. This is largely because there is no credible way to prove data has been deleted, or a way to ensure data has been returned, if that was the arrangement. There's also the potential that stolen data has already been traded, sold, or held by other threat actors for reuse.
Conti (aka Ryuk), which was recently revealed to be behind a third of all ransomware attacks in 2020 and is mentioned in the report, was recently blamed for an attack on French IT service Sopra Steria at the end of October. Although the company agreed to pay the ransom demanded by the hackers, it's now believed that the evidence provided to show deletion was in fact fabricated, according to Coveware.
RELATED RESOURCE
How to improve cyber security for remote working
13 recommendations for security from any location
"Unlike negotiating for a decryption key, negotiating for the suppression of stolen data has no finite end," the report stated. "Once a victim receives a decryption key, it can't be taken away and does not degrade with time. With stolen data, a threat actor can return for a second payment at any point in the future. The track records are too short and evidence that defaults are selectively occurring is already collecting."
-
Cyber resilience in the UK: learning to take the punchesColumn UK law now puts resilience at the centre of cybersecurity strategies – but is legislation simply catching up with enterprise understanding that resilience is more than just an IT issue?
-
CISPE claims European Commission gave Broadcom a ‘blank cheque to raise prices, lock-in, and squeeze customers’ with VMware dealNews Cloud providers have issued a formal response to the General Court of the European Union after the Commission defended its approval of the deal
-
15-year-old revealed as key player in Scattered LAPSUS$ HuntersNews 'Rey' says he's trying to leave Scattered LAPSUS$ Hunters and is prepared to cooperate with law enforcement
-
The Scattered Lapsus$ Hunters group is targeting Zendesk customers – here’s what you need to knowNews The group appears to be infecting support and help-desk personnel with remote access trojans and other forms of malware
-
Impact of Asahi cyber attack laid bare as company confirms 1.5 million customers exposedNews No ransom has been paid, said president and group CEO Atsushi Katsuki, and the company is restoring its systems
-
The US, UK, and Australia just imposed sanctions on a Russian cyber crime group – 'we are exposing their dark networks and going after those responsible'News Media Land offers 'bulletproof' hosting services used for ransomware and DDoS attacks around the world
-
A notorious ransomware group is spreading fake Microsoft Teams ads to snare victimsNews The Rhysida ransomware group is leveraging Trusted Signing from Microsoft to lend plausibility to its activities
-
Volkswagen confirms security ‘incident’ amid ransomware breach claimsNews Volkswagen has confirmed a security "incident" has occurred, but insists no IT systems have been compromised.
-
The number of ransomware groups rockets as new, smaller players emergeNews The good news is that the number of victims remains steady
-
Teens arrested over nursery chain Kido hacknews The ransom attack caused widespread shock when the hackers published children's personal data
