Ransomware as a Service: Attackers are Publishing Data of Companies Not Paying Ransom

Ransomware attacks are known for how they operate: they steal data, encrypt it and offer it back to their victims for a price, the ransom. The response of victims depends on the value they place on the data, and most of the time every single piece of data is valuable. Successful attacks are known for raking in millions of dollars for their operators, making ransomware a lucrative cybercriminal activity. This popularity and profitability have given birth to different models of the malware, one of which is Ransomware as a Service (RaaS).

RaaS is considered the malware for lazy crooks who do not want to go through the hurdles of learning the technicalities of malware attacks; they just want to launch attacks at the press of a button. It works like this: the creator of a piece of malware sells it to different distributors under an agreement on kickbacks. It has proven to be a highly lucrative model over the years; one type of ransomware can be sold and distributed among cybercriminals, and everybody gets to share the spoils.

Because RaaS is easy to distribute and attacks have increased, there has also been an equal rise in unpaid ransoms. As a result, most victims, falling back on backup and replication architectures, stopped paying ransoms. This has led prominent purveyors to escalate their attacks: they are currently signaling plans to start publishing their victims' data on auction websites.

A perfect example is the recent event where Sodinokibi (aka Sodin or REvil) published over 12GB of data allegedly belonging to Brooks International, a victim that refused to pay the ransom. The details of the data are not clear, but we know that Brooks International is a global professional services firm with clients in a lot of sectors and industries. The data will most likely contain usernames and passwords, card statements and much more.

These new methods devised by RaaSers further illustrate why victims need to treat ransomware attacks seriously. The concern now goes beyond getting your data back from the operators to the risk of that data being exposed or sold to other attackers. This will expose not only the company to attackers, but its clients as well. It will also bring problems with data and privacy laws. A lot of companies avoid reporting ransomware events because they can dodge forensic evidence that clients' sensitive data was exposed. The attackers' new approach, however, poses a much greater challenge for these companies.