- Aug 17, 2014
Ransomware gangs are increasingly likely to break their promise not to leak stolen data once a victim has paid them, Coveware has warned.
The security vendor claimed in its analysis of Q3 2020 that data exfiltration is now a part of almost half of all ransomware attacks — used to drive monetization among victim organizations that have backed up.
However, the tactic has now reached a tipping point, with groups such as Sodinokibi, Maze, Netwalker, Mespinoza and Conti starting to publish data even after payment, and/or demand a second ransom be paid to prevent publication, Coveware claimed.
“Despite some companies opting to pay threat actors to not release exfiltrated data, Coveware has seen a fraying of promises of the cyber-criminals to delete the data,” it explained.
The vendor urged victim organizations to think carefully about their strategy and long-term liabilities when formulating a response.
“This includes getting the advice of competent privacy attorneys, performing an investigation into what data was taken, and performing the necessary notifications that result from that investigation and counsel,” it said. “Paying a threat actor does not discharge any of the above, and given the outcomes that we have recently seen, paying a threat actor not to leak stolen data provides almost no benefit to the victim.”
Ransomware Groups Posting Stolen Data Even After Payment. Coveware warns organizations to think carefully about their post-breach strategy
Ransom payments in Q3 increased as more victims were impacted by new combinations of attacks leveraging both encryption ransomware and data exfiltration.