Ransomware: pay or not to pay?

"We have broken your security perimeter and have access to all the servers in the company's network in different countries across all your international offices.

We have therefore downloaded more than 2TB of your total volume of your SENSIBLES PRIVATE data, including accounting files, bank statements, government letters, license certificates; Confidential and/or exclusive business information, celebrity agreements, customer and employee personal information (including Social Security numbers, addresses, phone numbers, etc.) ; Enterprise agreements and contracts with distributors, importers, retailers, non-disclosure agreements.

This article will also interest you: Pay to receive access to your own data

We also hold your private corporate correspondence, emails and filing cabinets, marketing presentations, audit reports and many other sensitive information. a memo sent by cybercriminals to the Italian alcoholic beverage marketing company, Campari Group, read. The attack is believed to have occurred since November 1. Hackers claim to have nearly 2 to of sensitive information belonging to the company. To get rid of this information, and to allow the latter to access its computer system, the cyber attackers ask the Italian company to pay them a ransom of 15 million euros. To justify holding this information, cybercriminals took screenshots to prove it. As a result, the victim society faces a dilemma. As is often the case in a ransomware attack.

However, there is an important fact to be noted. According to a study by Coveware, whose report was published last week, it has been shown that hackers who use ransomware for computer attacks rarely, if ever, get rid of the information they steal during their operations. The same study also showed that nearly half of ransomware-based computer attacks are accompanied by a threat to publish information stolen from targets if ransom payments are refused. This is usually, for example, a trigger that causes victims to execute. The threat is justified by the fact that when a victim of a cyber-attack on ransomware has taken care to safeguard his data adequately, he would simply have to restore it. This is in some ways a waste of time for the cybercriminal, because the company would not see any reason to want to get in touch with them. It is in this context that hackers now steal information. If this data can be restored, they simply threaten to disclose it knowing of course that some of this information is very sensitive.

Coveware's study led to the idea that data exfiltration techniques have reached a tipping point. If in some situations several companies have agreed to pay the amount demanded by cyber criminals, it is because their data is not disclosed. However, hackers in many of these cases did not get rid of his data. It was highlighted several examples 2 groups that cybercriminals who did not always keep their word even after the payment of their victim:

– Sodinokibi: this group demanded a second payment to its victims a few weeks after they paid the first ransom demanded.

– Netwalker: as for this group, they simply disclosed the stolen data to companies that were willing to pay the ransom demanded so that it did not do so.

– Mespinoza: they did the same as the previous group. That is to say publish on a website data stolen when the latter had paid the ransom.

– Conti: this group simply tried to fool its victim by deleting fake files instead of the real ones. This means that real data is always available to them.

Faced with this situation and many other Coveware advises victims of cyberattacks on ransomware, before paying to think about several situations that are more or less proven:

– There is no guarantee that the data will actually be deleted after payment;

– There is a good chance that the attackers will communicate (perhaps through a black market sale and dark web) the stolen data to other cyber-malicious groups;

– Cyber criminals may return to demand a second ransom payment

– Hackers who stole the data did not secure it, exposing the same information to a second computer hack by other groups of cyber criminals;

– Stolen data can be published later by mistake

– hackers can publish the information before the victim can react to the extortion.

In this context, Coveware advises companies affected by ransomware attacks to turn to specialists for information and advice: "This includes obtaining advice from privacy lawyers, investigating the data collected and making the necessary notifications that result from this investigation and this lawyer. Paying a malicious actor does not spare you any of the above, and given the results we have recently seen, paying a malicious actor not to disclose stolen data has virtually no benefit to the victim. There may be other reasons to consider, such as trademark damage or long-term liability, and all considerations must be taken before a strategy is defined." Explains the firm.

Now access an unlimited number of passwords: