The Shift from Ransomware to Data Theft Extortion

At the end of April 2021 the criminal ransomware-as-a-service organization known as Babuk announced it was quitting its illicit affiliate program in favor of data theft extortion.

Until this point Babuk was a well-known cybercriminal organization that described itself as the “best penetration testers [on the] dark net”. They made ransomware software available for other cybercriminals, and took a share of the payments their partners earned using the software.

As a ransomware ring, the organization and its partners would encrypt large volumes of data from businesses and public institutions, demanding large sums of money for decryption keys that enabled victims to get their data back.

Now Babuk is changing course in a way that many other cybercriminal organizations have already followed. Instead of encrypting data and selling decryption keys to victims, they are now directly extorting the individuals whose data they steal.

In a typical ransomware attack there is usually one victim – the target. There is a great deal of collateral damage, especially if the target is a public institution or a hospital, but the ransom demand itself is directed at a single organization, and largely ignores everyone who isn’t a direct stakeholder.

Sponsorships Available

Sponsorships Available

Sponsorships Available

Data theft extortion is slightly different. Instead of crippling a business by holding its data to ransom, this approach focuses on exploiting sensitive data by extorting the individuals who would be hurt most if the data became public.

Instead of a single ransom demand, there may be hundreds or thousands. In most cases, cybercriminals are adopting a dual-revenue model where a single, large-scale ransom demand is accompanied by individual ransoms for affected parties.

One of the largest examples of data-theft extortion is the Vastaamo cyberattack. In late 2020, cybercriminals targeted a Finnish psychotherapy center along with 40,000 of its patients.

Vastaamo’s attackers first attempted to extort a ransom from the center’s managers. After that, individual patients started receiving extortion threats by email. The attackers told Vastaamo patients that their psychiatric transcripts would be published online unless victims sent €200 in Bitcoin within 24 hours.

By directly extorting peoples’ most sensitive data, cybercriminals are moving beyond the usual ransomware attack plan. Now, anyone is a potential victim.

The long-term impact of this attack is far greater than if it had been negotiated solely between Vastaamo’s managers and the cybercriminals responsible. Individuals have very little control over how companies handle their data, and thus feel forced to pay.

In the case of Babuk, its latest cyberattack puts this approach on full display. After hacking the District of Columbia’s Metropolitan Police Department (MPD), the group responded to negotiations breaking down by posting psych evaluation results from individual police officers.

After that, Babuk threatened to identify police informants which could put those informants’ lives in danger. Other gangs and criminal syndicates would be able to identify the people who reveal their operations to the police.

MPD officials responded to Babuk’s $4 million ransom with a $100,000 counteroffer. Babuk claimed this was unacceptable and has since posted 250 gigabytes of internal files and data, – including the police department’s human resources files, organized crime databases, and the police chief’s daily intelligence briefings over the past three months.

While the FBI strongly recommends not paying ransoms to cybercriminals, many victims feel like they have no choice. The development of data theft extortion makes the challenging process of negotiating with cybercriminals even more complex.

Primary victims now have to weigh their decisions along with the individual reactions of every other victim the attack targets. This brings a new dimension to the potential for legal liability in the world of cybercrime.

A victim organization may refuse to pay a large ransom, but hundreds or thousands of individual victims may disagree and pay anyway. This situation is a variant of the Prisoner’s Dilemma, where each individual victim’s choice impacts the strength of every other victim’s position. Under these circumstances it is very difficult for negotiators to minimize negative outcomes after a cyberattack.

As a result, victims have increasingly begun relying on professional negotiators. Negotiators with a strong track record of successfully reducing ransoms are able to justify the costs compared to a disastrous alternative. Over time, the best negotiators gain insight into how specific cybercriminal groups like Babuk work, and use that knowledge to improve outcomes.

This goes against the FBI’s advice to simply refuse ransom demands. However, negotiators have shown that well-prepared companies can significantly drive down ransom costs, even if they were unable to prevent attacks entirely.

Data theft extortion and ransomware victims who successfully negotiate with cybercriminals often have two elements on their side: time and data.

The more time a company can live without its data the stronger its negotiating position becomes. Companies that can run off of high-quality backups are able to delay payment in order to obtain better terms.

Data exfiltration protection can turn the tables on attempted extortioners entirely. Data exfiltration prevention solutions can stop the unauthorized removal of any data from the systems they exploit, effectively disabling the attack and the associated data theft extortion.

This gives IT Security leaders the upper hand. Instead of remaining passive victims, companies can now actively prevent network intrusions to identify attacks at their source, stopping hackers before they even get started.

Investing in data exfiltration protection ensures that cybercriminals who gain unauthorized access to a device cannot remove sensitive data without being discovered. High-performance security solutions like BlackFog can proactively block threats and identify anomalies well before cybercriminals get a chance to exploit sensitive data.

BlackFog is a cybersecurity leader whose data exfiltration prevention technology prevents hackers from exfiltrating data. BlackFog blocks threats across mobile and desktop endpoints and give companies the edge they need to protect their organization from data loss, data theft extortion and cyberattacks.