New Treacherous Tricks of Ransomware Authors

Ransomware operators are giving their sketchy repertoire an overhaul. These attacks used to be about unauthorized data encryption, and now they are adding data theft to the mix. As a result, not only do the criminals hold the victims’ files for ransom, but they also threaten to leak sensitive information if the ransom is not paid. Effectively, this is an element of pressure aimed at coercing “stubborn” targets into paying. Here is a rundown on how this new tactic caught on and where it is heading.

The Wake-Up Call

A lesser-known ransomware strain called Maze pioneered the two-pronged extortion model. This lineage hadn’t been anywhere near the pantheon of the most sophisticated file-encrypting threats until late November 2019, when its operators hit Allied Universal, a major U.S.-based security services and staffing company with hundreds of thousands of employees and billions in annual revenue.

The cybercriminals reportedly orchestrated an attack that allowed them to access the facility’s servers. Before setting the malicious encryption process in motion, though, they piggybacked on the elevated access to perform reconnaissance and furtively exfiltrate about 7GB of proprietary records. They then contacted the target, demanding 300 bitcoin for reinstating the scrambled data.

The criminals additionally threatened to make a portion of the stolen sensitive information publicly available unless Allied Universal coughed up the amount (which equaled more than $2 million) before a specified deadline. Since the victim refused to pay, the extortionists uploaded 10% of the data (700MB) to popular cybersecurity outlet Bleeping Computer. Although this information was deleted by the site’s administration, the pilfered records shortly surfaced on a Russian hacking forum.

Analysts who scrutinized the leaked info claimed it appeared to be valid data belonging to the compromised organization. The cybercriminals have since said they would submit the remaining 90% of the files to WikiLeaks in case Allied Universal ends up rejecting the increased ransom demands.

High-Profile Ransomware Crew Follows Suit

They say bad behavior can be contagious. The groundbreaking tactic used by the Maze cybercrime group has had a toxic effect and incentivized another syndicate to try it. In mid-December 2019, the perpetrators behind Sodinokibi (aka REvil) ransomware used a Russian darknet forum to spread the word about their new extortion mechanism. They claimed to have breached the networks of the CyrusOne data center provider, which supposedly allowed them to obtain the target’s data prior to the dodgy encryption.

Their threat was to sell the information to a competitor or release it into the public domain unless CyrusOne opted for the ransom offer. It’s unclear whether the hacked company has given in to the original demands, and there is no evidence that the attackers have carried through with their promises at this point. However, in the case of a ransomware malady as complex and effective as Sodinokibi, this is a fundamental shift that complements the extortion logic with serious risks of reputational damage and industrial espionage.

The “all bark and no bite” strategy changed in early January when the architects of the REvil campaign actually leaked files stolen from one of their victims.

Having compromised Artech Information Systems, an IT staffing firm based in the United States, the cybercriminals made an unsuccessful extortion attempt and apparently decided to take it up a notch, dumping more than 300MB of the company’s data via a Russian cybercriminal forum and stating that the target was unwilling to get in touch. Unfortunately, this was only a part of business-critical information illicitly obtained by the malefactors and they are purportedly going to sell the rest to third parties if there is no reaction on the victim’s end.

Maze Group Sticks With Their Foul Play

The above-mentioned Maze ransomware, the progenitor of this adverse trend, has been the most active so far. After the Allied Universal incident hit the headlines, the criminals have executed several more attacks against large computer networks.

One of them was fired at Andrew Agencies, a Canadian insurance company with more than 100 employees and 18 offices across the country. The attack reportedly took place Oct. 21, 2019. However, it didn’t gain the public’s attention until December, when the ransomware crew reached out to well-known security researchers with evidence of the incursion and some details of the negotiations with the company executives. As a side note, Maze operators appear to be fond of interacting with white hat malware analysts in a fairly easygoing manner, for some reason.

Zooming back in, the crooks claim to have encrypted files stored on 245 computers. The amount of this data is a whopping 62TB. They also got hold of usernames and passwords the employees use to sign into corporate network resources. To top it off, they allegedly obtained over 1GB of information about customers of the insurance firm.

Given the mind-boggling scope of the potential damage, the attackers wanted 150 bitcoin (equal to $1.3 million) for the decryptor. According to their statement, Andrew Agencies first agreed to pay and asked for some time to collect the sum, but discontinued the communication altogether in the long run. Although the payment deadline expired at the end of November, it seems that the criminals have allowed extra time before the stolen records are made public.

The insurance brokerage company admits falling victim to the ransomware but denies exfiltration of any data, including personal records of the customers. At the time of writing, the Maze group hasn’t leaked any information purportedly extracted from the breached organization, and there haven’t been reports about a ransom payment either. Hopefully, it will stay this way.

In another move, the malicious actors behind Maze ransomware gained a foothold in the IT networks of the city of Pensacola, Florida. The attack was executed in early December, disrupting the local administration’s email and phone services and knocking computer systems offline for a while. Later on, it turned out that the perpetrators had additionally harvested about 32GB of data from the city’s servers before unleashing the deleterious encryption. They instructed the officials to submit $1 million worth of bitcoin for data recovery.

The city apparently didn’t meet this demand, and the Maze crew started spilling the stolen files later that month. They released 2GB of the data through a public website, stating that the remaining 30GB would be divulged if Pensacola continues to ignore their demands.

In a private discussion with security researchers, Maze operators pointed out that extra pressure on the city wasn’t their primary motivation. Instead, they purportedly wanted to demonstrate that they could exfiltrate a significant amount of data during an attack rather than a few files, which is how the media tends to put it. There haven’t been any reports about further developments since. However, the fact that gigabytes of potentially important files have already been leaked is disconcerting enough to make other municipalities and companies strengthen their defenses against such breaches.

Nemty Ransomware Gets On the Hype Train

Nemty, a rapidly evolving strain of ransomware originally spotted in August 2019, is one more player in the arena of attacks involving a combo of data encryption and theft. It is distributed on a RaaS (ransomware-as-a-service) basis. According to analysts’ insights, the “News” section in the Nemty affiliate dashboard includes an announcement about a new website where the ransomware operators plan on leaking data pilfered from organizations that refuse to purchase the data decryptor.

Nemty RaaS also stands out from the rest in that it allows affiliates to build ransomware binaries that specifically zero in on enterprise computer networks. This approach revolves around using one encryption key to lock down all data in the compromised corporate environment. This way, the targets cannot decrypt information on individual hosts even if they manage to brute-force the appropriate private key.


While encryption continues to be at the core of ransomware attacks homing in on businesses and municipalities, some threat actors now additionally steal victims’ data to conduct extortion from a position of greater strength.

As a result, targets not only run the risk of losing valuable files, but they also may encounter reputational issues and deal with lawsuits for failing to protect the personal data of their customers. Effectively, such ransomware attacks are double trouble because they are also data breaches.

In light of this new tactic, the FBI has recently issued an advisory to help companies safeguard their sensitive information proactively. Among other things, the agency recommends creating dummy data to deceive potential offenders. Putting these files in plain sight makes them a decoy asset cybercriminals are likely to steal before deploying malicious encryption. This technique may dupe crooks into focusing on the red herring while ignoring data that actually matters.
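As an added illustration of the decoy-data idea (example code written for this page, not from the FBI advisory or the article), the script below plants decoy files that each carry an unguessable canary token, then shows the two checks a defender gets out of them: attributing a leaked or outbound fragment back to a specific decoy, and noticing when a decoy has been encrypted in place. The secret, file names and sample leak fragment are all constructed.

```python
# Added example (not from the article): decoy documents carrying per-file canary
# tokens, plus the checks a defender runs against them. All values are constructed.
import hashlib
import hmac
import os
import tempfile

SECRET = b"constructed-demo-secret-rotate-in-production"  # hypothetical key

def canary_token(decoy_name: str) -> str:
    """Unguessable, attributable marker: HMAC(secret, file name), hex-truncated."""
    return hmac.new(SECRET, decoy_name.encode(), hashlib.sha256).hexdigest()[:32]

def plant_decoys(directory: str, names) -> dict:
    """Write decoy files and return a manifest {name: (token, sha256 of content)}."""
    manifest = {}
    for name in names:
        token = canary_token(name)
        body = f"CONFIDENTIAL - internal reference {token}\nAccount list (placeholder data)\n"
        with open(os.path.join(directory, name), "wb") as fh:
            fh.write(body.encode())
        manifest[name] = (token, hashlib.sha256(body.encode()).hexdigest())
    return manifest

def attribute_leak(blob: str, manifest: dict) -> list:
    """Return decoy names whose canary appears in a leaked or outbound blob."""
    return [name for name, (token, _) in manifest.items() if token in blob]

def tampered_decoys(directory: str, manifest: dict) -> list:
    """Return decoys whose content hash changed or that vanished (e.g. encrypted)."""
    changed = []
    for name, (_, expected) in manifest.items():
        try:
            with open(os.path.join(directory, name), "rb") as fh:
                current = hashlib.sha256(fh.read()).hexdigest()
        except FileNotFoundError:
            current = None
        if current != expected:
            changed.append(name)
    return changed

def run_demo() -> dict:
    """Plant two decoys, simulate a leaked fragment and one encrypted decoy."""
    with tempfile.TemporaryDirectory() as d:
        m = plant_decoys(d, ["customer_export_2019.csv", "payroll_q4.xlsx"])
        leak = "dump part 1 ... internal reference " + m["payroll_q4.xlsx"][0]
        with open(os.path.join(d, "customer_export_2019.csv"), "wb") as fh:
            fh.write(b"\x00\x11 ciphertext placeholder")  # constructed "encrypted" content
        return {"leaked_from": attribute_leak(leak, m), "tampered": tampered_decoys(d, m)}
```

In practice the manifest would be kept off the monitored hosts and the token scan run against outbound traffic captures, DLP alerts and any published leak dumps.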

Furthermore, social engineering is the primary attack vector used by ransomware operators. Even relatively secure devices running Linux or macOS can be infected. Therefore, security training of employees is paramount. As the potential damages from such a multi-layered breach are escalating, every employee should understand their role in an organization’s security posture and exert caution with suspicious emails, including ones impersonating senior management and government entities.

David Balaban