Ako double extortion

The operators of the Ako ransomware have begun a new tactic: demanding not only a ransom for a decryptor but also a second, separate ransom not to publish files stolen during the attack.

For years, ransomware operators have been claiming to steal data before encrypting a company's network and then threatening to release the data if a victim does not pay.

It wasn't until November 2019, though, that the Maze ransomware operators actually followed through with this threat and publicly released stolen files.

Since then, almost all network-targeting ransomware families, including Maze, Sodinokibi, DoppelPaymer, Clop, Sekhmet, Nefilim, Mespinoza, and Netwalker, have adopted this practice and have created "leak" sites where they publish the stolen data of non-paying victims.

Ako ransomware now demands two ransoms

In a new leak site created by the operators of the Ako Ransomware, the threat actors indicate that some companies are required to pay both a ransom payment for the decryptor and a separate amount to delete stolen files.

As an example, Ako has published the data for one of their victims and stated that they received a $350,000 payment for the decryptor, but released the files anyway after not receiving a payment to delete stolen files.

Published data on Ako leak site (redacted by BleepingComputer)

One of the Ako ransomware operators told BleepingComputer that this double-extortion tactic is only used on certain victims depending on the size of the company and the type of data that was stolen.

"Company with big revenue scared when we talk about stolen files. So it's motivation for other companies that need to pay," the Ako operators told BleepingComputer.

According to the operators, this second extortion demand ranges from $100,000 to a maximum of $2,000,000, on top of the price charged for the decryptor.

When asked if some victims have paid to delete data but did not pay for a decryptor, we were told that healthcare organizations with sensitive data had gone this route.

"Yep, some medical orgs from USA (patients' data, SSN and other)," the threat actors told us.

BleepingComputer has not been able to verify if this is true.

Ransomware attacks are data breaches

Stealing unencrypted files during an attack has become a standard tactic used by almost all active enterprise-targeting ransomware families.

In many cases, the stolen data includes social security numbers, ID cards, medical records, termination letters, accounting documents, and trade secrets.

The release of this data can cause significant reputational and financial harm to the victim organization. For the employees and customers whose records are exposed, it can be worse still, as they face identity theft once their personal information is published.

For this reason, any ransomware attack that reaches an organization's network should be treated as a data breach unless a forensic investigation can rule out data exfiltration: affected employees and customers need to be informed, and the relevant government agencies and regulators must be notified.

While some companies such as Magellan Health and ExecuPharm have filed data breach notifications, most victims either pretend the attack never happened or deny that data has been stolen.
