Ransomware groups now give priority to theft of data from workstations used by top executives and company managers. Their goal is to steal important information, which they can later use to pressure and blackmail a company's top executives into paying high ransoms.
This new tactic was reported by ZDNet last week after a phone call with a company that paid a multimillion-dollar ransom to the gang behind the Clop ransomware. Similar calls to other Clop victims and e-mail interviews with cybersecurity companies later confirmed that this is a technique the Clop gang has perfected in recent months.
In the last two years, ransomware groups have evolved, shifting their focus from individual consumers to high-profile companies. Hackers breach corporate networks, steal sensitive files, encrypt them, and leave ransom notes on the compromised computers.
In some cases, a ransom note informs companies that they must pay a ransom to obtain a decryption key. In the event of data theft, some ransom notes also inform victims that if they do not pay the required ransom, the stolen data will be published on data leak sites.
The ransomware teams hope that companies will do everything they can to avoid disclosing their confidential and sensitive data, which, in the event of exposure, will be accessible to competitors. Therefore, they will be more willing to pay the required ransom, rather than attempting to recover from backups.
There are also cases in which ransomware groups have told companies that publication of their data would also amount to a data breach, which would probably lead to a fine being imposed on the victim by the authorities, while also tarnishing its reputation. This is clearly something that companies also want to avoid.
However, ransomware groups do not always manage to steal sensitive data or information in their attacks. This reduces their ability to negotiate and pressure victims. That is why, in recent attacks, a group that frequently uses the Clop ransomware strain has been specifically looking for the workstations within a compromised company that are used by its top executives.
In particular, the hackers search a manager's files and e-mails and steal any data they believe could be useful for threatening or pressuring the company's management, the same people who will probably be responsible for approving the ransom payment days later.
Stefan Tanase, a cyberspace expert at CSIS Group, told ZDNet the following: "This is a new modus operandi of ransomware gangs, but I can say that I'm not surprised. Ransomware groups usually target the 'gems' of a business. They are usually file servers or databases when it comes to deleting data for the purpose of leaking them. It makes sense for top executives to follow, if that's going to have an even bigger impact."
In addition, Brett Callow, a threat analyst at cybersecurity company Emsisoft, told ZDNet that so far they have only seen such tactics in Clop ransomware-related incidents. Callow added that in the last two years, the tactics used by ransomware groups have become more and more extreme, as they now use every possible method to pressure their victims. These tactics include harassment and threats through phone calls to executives, customers and business associates, posts on Facebook, approaches to the press, and threats to reveal the "dirty money" of companies.
Evgueni Erchov, director of incident and cyber threat response at Arete IR, also said that at least one affiliate of the REvil/Sodinokibi ransomware operation has already adopted this technique from the Clop gang. In one case, the affiliate found documents concerning the victim's internal discussions, then used this information to contact the executives via e-mail, threatening to publish the data about the alleged "misdemeanors" of the company's management.
Bill Siegel, CEO and co-founder of the security company Coveware, pointed out that in many cases the data used to extort a company's management does not correspond to reality. He added that no case has been reported in which the stolen data showed real evidence of corporate or personal misconduct. For the most part, it is simply a scare tactic that hackers use to increase their chances of getting paid. Finally, Siegel stressed that these are criminal extortionists, who will say all sorts of "fantastic" things if doing so will bring them money.
This is information collected by ZDNet, with the help of the security company S2W Lab.