More and more ransomware operators are stealing sensitive data before encrypting the target systems and using that data as leverage in negotiations. This is according to a new report from cybersecurity firm Coveware, which finds that roughly half of ransomware cases now also involve exfiltrated data being held hostage.
When ransomware first started making headlines, security experts advised businesses and individuals not to pay the ransom, but instead to back up their systems frequently and simply restore from those backups if an attack occurred.
Once ransomware operators started stealing the data too, and threatening to release it, the question surrounding whether to pay the ransom became more complicated.
However, experts are now warning that there is no guarantee the stolen data will be deleted even if the ransom is paid. In fact, there is a good chance the attackers will come back and try to extort the victim for a second payment.
Sodinokibi, Maze/Sekhmet/Egregor, Netwalker, Mespinoza and Conti operators have all previously failed to delete sensitive data after being paid the ransom, the report says.
“Unlike negotiating for a decryption key, negotiating for the suppression of stolen data has no finite end,” the report states. “With stolen data, a threat actor can return for a second payment at any point in the future. The track records are too short and evidence that defaults are selectively occurring is already collecting. Accordingly, we strongly advise all victims of data exfiltration to take the hard, but responsible steps.”
Coveware suggests targeted businesses investigate what data was stolen, notify the affected customers, and plan to mitigate further damages.
“Paying a threat actor does not discharge any of the above, and given the outcomes that we have recently seen, paying a threat actor not to leak stolen data provides almost no benefit to the victim. There may be other reasons to consider, such as brand damage or longer term liability, and all considerations should be made before a strategy is set.”