Fraud Management & Cybercrime
,
Ransomware
Review of Attacks Finds Inconsistent Data Leaks and Victim Naming, Broken Promises
Double extortion demands from ransomware groups aren’t subtle: Pay us, or we’ll publish stolen internal data for all the world to see. Being listed on the group’s dark web leak sites is an intermediary step.
Like all bullies, ransomware groups hope threats are enough to sway victims so they don’t actually have to follow through. That’s because it turns out that publishing leaked data is harder than it seems, and some victims never even make it to the leak site.
For victims who do pay a ransom, the results are practically guaranteed to be less than advertised – more akin to buying a pig in a poke than a contractual guarantee of service.
Take the Russian-speaking Akira ransomware group that emerged in March 2023. While the cybercrime outfit regularly threatens to sell stolen data if a victim doesn’t quickly pay a ransom, threat intelligence firm Kela said in a new report that it can find no evidence of any data sale ever occurring.
In some cases, Akira listed a nonpaying victim but ultimately never leaked the supposedly stolen data. This may be because it never stole such data in the first place. Another ransomware-as-a-service group, the now apparently defunct LockBit operation, at one point had the opposite problem: It apparently amassed so many victims so quickly that it didn’t have robust enough infrastructure to get all of their leaks online, according to ransomware researcher Jon DiMaggio at Analyst1.
For victims who pay, aside from potentially receiving a working decryptor, everything else is hot air. Whatever videos or other types of supposed proof attackers might furnish, there’s no evidence whatsoever, in the history of ransomware, that criminals have ever permanently deleted all copies of stolen data.
The security reports aren’t worth the paper they’re printed on – or in cases of Akira infestations, the negotiation chat window with victims they’re pasted into. Kela found that Akira appeared to send mostly or exclusively generic information to victims.
Akira also often failed to honor promises made to many victims. “Akira specifically does not delete negotiation chats despite promising to do so,” the researchers said. In addition, some victims didn’t receive a decryptor in a timely manner and had to wait days, instead of the hours they’d been promised. And furnished decryptors didn’t always work as promised.
The group is not an outlier. Kela researchers found that Black Basta, which also promises to delete negotiation chats for victims who pay – to make evidence of the attack tough for others to find, appeared to not do so in at least one-third of known incidents.
Making Victims Pay
Akira couches its extortion as payment for “decryption, evidence of data removal and the provision of a ‘security report,'” although thanks to the extortionists’ generosity they will allow a victim to only pay for some of these “services,” Kela said. The decryptor is typically valued at 50% to 70% of the total demand, evidence of data removal from 25% to 50%, and a security report less than 10%.
What happens when a victim does pay a ransom? The Akira group typically demands ransoms worth 0.1% to 12% of a victim’s annual revenue, averaging at 3%. It also found that victims successfully negotiated their ransom payments down 6% to 90%, and a 40% discount was the average.
Compare that with Russian-speaking Black Basta, a Conti spinoff first seen in April 2022, which Kela said typically demands a ransom worth 1.5% to 2.5% of a victim’s annual revenue, which they said victims appeared to be able to negotiate down by as much as 90%.
Whether the ransomware groups were negotiating with professional negotiators hired by the victims isn’t clear.
Security experts and law enforcement officials have long urged organizations to never pay a ransom. Instead, they recommend investing in preparation, in part by funding proper backup and recovery practices, better defenses and a good and well-practiced incident response plan.
In some cases, experts may have access to workarounds for decrypting files that criminals don’t know about. Security firms Emsisoft and Avast, as well as France’s national computer emergency response team, last month revealed that they helped hundreds of organizations infected by the Windows PE version of Rhysida, using a secret workaround that enabled them to decrypt their crypto-locked files. The firms said the workaround functioned until researchers in South Korea published a free decryptor for the flaw, which no doubt highlighted the problem to Rhysida and drove it to fix its locker, eliminating the workaround.
Such lucky breaks for victims aside, the alternative to planning ahead – still practiced by too many organizations – is taking chances by paying for promises from criminals. In light of the myriad ways in which criminals break those promises, “paying the ransom should not be considered an effective response strategy,” Kela said.