Terrorizing Firms With ‘Name and Shame’ Tactic Becomes New Normal for Ransomware Operators

  • Initiated by Maze ransomware operators, the tactic was first used against the security staffing firm, Allied Universal.
  • The trend is also followed by Clop, Nemty, DoppelPaymer, and Nefilim ransomware.

Ransomware operators have evolved their attack tactics to put more pressure on organizations. As if encrypting data and files was not enough, they have gone a step further to tarnish the reputation of firms. Since late November 2019, they have added an additional stage, a new ‘Name and Shame’ tactic, to ruin the brand name of firms, and it has become a persistent trend in Q1 2020. Prior to encrypting victims’ databases, attackers extract large quantities of sensitive information and threaten to publish it unless their ransom demands are met.

The pioneer of the tactic
Initiated by Maze ransomware operators, the tactic was first used against the security staffing firm, Allied Universal. The attackers published almost 700 MB of stolen data and files when the firm refused to pay the ransom. In a later post on a Russian hacking forum, the attackers included a link, claimed that they had published only 10% of the stolen information, and increased the ransom demand by 50%.

Other ransomware operators following the trends
Creators of several notorious ransomware families have adopted this new tactic of naming and shaming organizations since its inception, with some of them leaking the data on their own websites. To name a few, the trend is followed by Clop, Nemty, DoppelPaymer, and Nefilim ransomware. Apart from publishing on sites, some ransomware groups are also offering these stolen files and documents for sale to make quick money.

Shaming the victim companies
Unlike traditional ransomware attacks, where victims had the option of recovering everything from backups, the new tactic presents a serious dilemma for victim organizations: surrender to criminal demands and pay the ransom in the hope of receiving decryption keys, or refuse and have the stolen data published.

In the first quarter of 2020, many victim organizations defied the attackers’ ransom demands and, as a result, their names along with stolen documents were published online. The victim organizations included Brooks International, Hammersmith Medicines Research, and Bird Construction.

TA2101, the gang behind Maze ransomware, alone listed 21 organizations, attacked between October 21 and December 14, 2019, on its website. The site also included samples of data stolen from these organizations and threatened to dump it online if the victims did not pay the ransom. Since the launch of the site, the group has published the details of dozens of law firms, medical service providers and insurance companies.

To further damage the brand value of organizations and put more pressure on victims, the operators of Sodinokibi ransomware came up with the idea of auto-emailing stock exchanges, such as NASDAQ, about an attack on a company in order to hurt the value of its stock.

Some institutions avoided the jeopardy
Some affected organizations escaped this double-extortion trap by paying the ransom. These included the University of Maastricht and the foreign exchange platform, Travelex. These institutions decided to pay the ransom demands in the hope of receiving decryption keys and protecting their sensitive data from being published.

The new reality
This new and evolved ransomware attack tactic is something to worry about. Resorting to backups clearly does not terminate the attack. To make it worse, paying the ransom also does not guarantee that attackers will not sell the information to third parties.