To pay or not to pay? Organizations are in a bind as ransomware gangs adopt a new tactic

• Ransomware gangs have signaled to publish the data stolen from victims who refuse to pay the ransom.
• Cybercriminals behind the Maze ransomware have erected a website on the public internet that identifies recent victim companies that opted not to pay a ransom.

Ransomware gangs have now up the ante of their attacks to cause massive losses for victim organizations. They have signaled to publish the data stolen from victims who refuse to pay the ransom.

Making the matter worse

While the destruction is slowly in progress, cybercriminals behind the Maze ransomware have erected a website on the public internet that identifies recent victim companies that opted not to pay a ransom and chose to rebuild their operations.

The website which was created in less than 48 hours, currently includes the eight affected companies and their corresponding websites. All these victim companies had declined to pay a ransom demand, thus making their customers’ data viable to identity theft and more.

This new change in the tactic of Maze ransomware operators came to notice only in November when it infected Allied Universal systems and later released 700MB worth of sensitive data on a hacking forum after the firm refused to pay the ransom demand.

More insight into the stolen data

To make it worse, the site has also exposed several volumes of files and documents belonging to each victim companies.

The information disclosed for each Maze victim includes the initial date of infection, several stolen Microsoft Office, text and PDF files, the total volume of files allegedly exfiltrated from victims as well as the IP addresses and machine names of the servers infected by Maze.

Other cybercriminals are also in a row

This change in the operation of Maze ransomware operators comes just days after the cybercriminals responsible for managing the Sodinokibi/REvil ransomware posted on a popular dark web forum that they also plan to publicly publish the stolen data of victims who fail to pay ransoms.

As part of the operation, UNKN, the public-facing representative of REvil ransomware, claimed to have stolen files from the CyrusOne data center before encrypting their network.

The bigger picture of data loss

With sensitive data at stake during ransomware attacks, organizations can face steep fines and other penalties for failing to safeguard their customers’ data. However, these victims may be able to avoid the penalty if they can show forensic evidence demonstrating that customers’ data was never accessed but with the sites like the one that Maze ransomware has now erected, situations can turn more complicate.

To pay or not to pay is the question

The key aspect is that organizations should treat a cybersecurity incident as a serious issue. For this, they should be well-planned and prepared. The security personnel and employees should quickly and effectively know how to respond and recover when faced with a ransomware attack. It is always better to be prevent incidents than to later be looking for a solution.

Microsoft suggests that there is no guarantee that encrypted data will be restored even after the victim pays the ransom.

“We never encourage a ransomware victim to pay any form of ransom demand. Paying a ransom is often expensive, dangerous, and only refuels the attackers’ capacity to continue their operations; bottom line, this equates to a proverbial pat on the back for the attackers. The most important thing to note is that paying cybercriminals to get a ransomware decryption key provides no guarantee that your encrypted data will be restored. The most important thing to note is that paying cybercriminals to get a ransomware decryption key provides no guarantee that your encrypted data will be restored,” Microsoft explains in its blog post.