Sodinokibi

The operators of the REvil Ransomware, otherwise known as Sodinokibi, have announced that they will use stolen files and data as leverage to get victims to pay ransoms.

A new tactic by ransomware developers is to release a victim's data if they do not pay the ransom. While we have seen these threats in the past, only recently have ransomware operators, such as Maze, actually followed through.

In a new post to a Russian malware and hacker forum shared with us by security researcher Damian, the public-facing representative of the REvil ransomware known as UNKN states that a new "division" has been created for large operations.

They claim that a recent operation from this group is the attack against the CyrusOne data center that was reported last week. As part of this operation, UNKN claims that they have stolen files from the company before encrypting their network.

REvil goes on to say that if a company does not pay the ransom, the ransomware actors will publicly release the stolen data or sell it to competitors. In their opinion, this would be more costly to the victim than paying the ransom.

Forum post by REvil operator

The original Russian text from the above post is below:

Если не отвечаем - значит не интересны. Либо мест нет.

Мы открыли отдельное подразделение, которое занимается крупными операциями. Неделю назад был осуществлен доступ к CyrusOne. Судя по СМИ - платить они не собираются. Очень жаль. Тактика "потратим 100 миллионов на восстановление с нуля, чем 15 на выкуп" такая же эффективная, как и оправдания Гарика Куколда Харламова. Инвесторам потом будете объяснять, где выгода. Каждая атака сопровождается копированием коммерческой информации. В случае отказа выплаты - данные будут либо проданы конкурентам, либо выкладываться в открытые источники. GDPR. Не хотите платить нам - платите в х10 раз больше правительству. Нет проблем.

Очень странно, что cdhfund.com до сих пор молчат. Они также были подвержены атаке, все данные скопированы и зашифрованы. В случае отказа - наши действия обозначены выше.

The English translation via Google Translate can also be read below:

If we don’t answer, then it’s not interesting. Or there are no places.

We have opened a separate division, which is engaged in large operations. A week ago, access to CyrusOne was made. Judging by the media, they are not going to pay. Very sorry. The “spend 100 million to restore from scratch than 15 to buy” tactics are as effective as Garik Kukold Kharlamov’s excuses. Then you will explain to investors where the benefits are. Each attack is accompanied by a copy of commercial information. In case of refusal of payment - the data will either be sold to competitors or laid out in open sources. GDPR . Do not want to pay us - pay x10 times more to the government. No problems.

It is very strange that cdhfund.com is still silent. They were also susceptible to attack, all data was copied and encrypted. In case of failure - our actions are indicated above.

Ransomware attacks are now data breaches

For years, ransomware developers and affiliates have been telling victims that they must pay the ransom or stolen data would be publicly released.

While it has been an open secret that ransomware actors snoop through victims' data, and in many cases steal it before the data is encrypted, they never actually carried out their threats of releasing it.

This all changed at the end of November when Maze Ransomware threatened Allied Universal that if they did not pay the ransom, they would release their files. When they did not receive a payment, they released 700MB worth of data on a hacking forum.

Public disclosure of Allied Universal data

During ransomware attacks, some threat actors have told companies that they are familiar with internal company secrets after reading the company's files. Even though this should be considered a data breach, many ransomware victims simply swept it under the rug in the hopes that nobody would ever find out.

Now that ransomware operators are releasing victims' data, this will need to change, and companies will have to treat these attacks like data breaches.

This is because employee medical records, personal information, termination letters, salaries, and much more can potentially be disclosed. Furthermore, if any third-party information is stolen, which is highly likely, then that requires further disclosure as well.

It is too soon to say whether these new tactics will push companies to treat ransomware attacks like data breaches, but as more ransomware developers publish stolen documents, we can expect lawsuits and public concern to rise.
