REvil Ransomware Extortionists Auction Stolen Data
REvil ransomware cyber extortionists are auctioning off sensitive data hijacked from companies in an arm-twisting move to force victims to pay up, multiple reports said.
The tactic takes cyber racketeering a step beyond the usual strong-arm threat of publication: the hackers now openly offer the stolen material to the highest bidder in a dark web auction. In the last few days, REvil ransomware crooks have used their dark web “happy blog” to announce an auction to sell files allegedly lifted from a Canadian agricultural production company that so far has rebuffed its extortion demands.
A successful bidder will win three databases and more than 22,000 files stolen from the agricultural company, KrebsonSecurity reported. A minimum deposit of $5,000 in virtual currency is required, and bidding starts at $50,000.
Some cybersecurity experts have suggested that an auction is a hacker’s way to compensate for the inability of companies hit hard by the coronavirus (COVID-19) pandemic to meet ransomware demands. “The problem is a lot of victim companies just don’t have the money [to pay ransom demands] right now,” Lawrence Abrams, editor of the BleepingComputer website, told KrebsonSecurity. “Others have gotten the message about the need for good backups, and probably don’t need to pay. But maybe if the victim is seeing their data being actively bid on, they may be more inclined to pay the ransom.”
One notable crew is demanding two payments, one to unlock hijacked files and another to permanently delete data stolen from the victim without publishing it, Abrams said. “Some of these [extortion groups] have said if they don’t get paid they’re going to sell the victim’s data on the Dark Web, in order to recoup their costs. Others are now charging a fee not only for the ransomware decryptor, but also a fee to delete the victim’s data. So it’s a double vig.”
There is no clear-cut consensus on whether ransomware victims should pay or refuse. Security provider Kaspersky recommends never paying. In a report issued last April, Kaspersky principal researcher Brian Bartholomew said, “paying a ransom will never guarantee that all of your data will be returned – it might be partially returned or not at all. There is also no way to tell if your information has been sold in underground markets once obtained.”
Still, many organizations will hand over money to cyber attackers to mitigate a ransomware attack. But doing so may double their incident recovery costs, according to a Sophos report released in mid-May. The average cost of addressing a ransomware attack was approximately $730,000 for organizations that did not pay a ransom, the report said. By comparison, the average cost rose to $1.4 million among organizations that did pay.
Here are some recommendations (via KrebsonSecurity) to lower your risk of a ransomware attack:
- Patch a lot: Many ransomware attacks exploit known security flaws.
- Disable RDP: Many businesses running Windows are victimized because they leave the Remote Desktop Protocol (RDP) feature open to the Internet with weak passwords.
- Filter email: Invest in security systems that can block executable files at the email gateway.
- Isolate mission-critical systems: Consider hiring an MSSP to ensure this is done correctly.
- Backup key files and databases: Backing up to a secondary system that is not assigned a drive letter or is disconnected when it’s not backing up data is key.
- Disable macros in Microsoft Office: Educate users that ransomware very often succeeds only when a user opens an Office file attachment sent via email and manually enables macros.
- Enable controlled folder access: Create rules to disallow the running of executable files in Windows from local user profile folders.
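As an added example (not from KrebsonSecurity or the article), the following read-only PowerShell audit checks three of the controls above on a Windows host: whether RDP is disabled, whether Defender's controlled folder access is enforcing, and whether Office macro policy blocks unsigned macros. It reads standard Windows registry keys and the Defender `Get-MpPreference` cmdlet; the 16.0 Office key assumes Office 2016 or later, and the script only reports, it changes nothing.

```powershell
# Added example: audit RDP, controlled folder access and Office macro policy.
# Run from an elevated PowerShell prompt on the host being checked.

function Test-RdpDisabled {
    # fDenyTSConnections = 1 means the host refuses Remote Desktop connections.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $v = (Get-ItemProperty -Path $key -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
    [pscustomobject]@{ Control = 'RDP disabled'; Compliant = ($v -eq 1); Value = $v }
}

function Test-ControlledFolderAccess {
    # Defender reports 1 when controlled folder access is enforcing
    # (0 = off, 2 = audit mode only, which logs but does not block).
    $v = (Get-MpPreference -ErrorAction SilentlyContinue).EnableControlledFolderAccess
    [pscustomobject]@{ Control = 'Controlled folder access'; Compliant = ($v -eq 1); Value = $v }
}

function Test-OfficeMacrosBlocked {
    # Per-application VBAWarnings policy: 3 = only digitally signed macros run,
    # 4 = all macros blocked without notification. Anything else lets a user
    # click "Enable Content" on a malicious attachment. Assumes Office 16.0 key.
    foreach ($app in 'Word', 'Excel', 'PowerPoint') {
        $key = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
        $v = (Get-ItemProperty -Path $key -Name VBAWarnings -ErrorAction SilentlyContinue).VBAWarnings
        [pscustomobject]@{ Control = "$app macros blocked"; Compliant = ($v -in 3, 4); Value = $v }
    }
}

# Collect every check and print a table; a $null Value means the setting is unconfigured.
$report = @(
    Test-RdpDisabled
    Test-ControlledFolderAccess
    Test-OfficeMacrosBlocked
)
$report | Format-Table -AutoSize

# Exit non-zero when anything is non-compliant so the script can gate a build or a GPO rollout.
if ($report | Where-Object { -not $_.Compliant }) { exit 1 }
```

A `$null` in the Value column means the policy has never been set, which for the macro checks is the default (and non-compliant) state on most workstations.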