Ransomware authors are starting to use a new method of extortion: if the company does not pay the ransom in time, they publish its data. One such case has now been reported in detail by Bleeping Computer.
Data was stolen in targeted attacks
The Sodinokibi ransomware was first seen last May, targeting mostly companies and organizations around the world. It is spread through unsolicited e-mail messages, but it is also often used in tightly targeted attacks.
In targeted attacks, the hackers look for computers with remote access exposed over RDP (Remote Desktop Protocol). After they gain access, they search for and download any files of interest, steal stored credentials, and attempt to move to other computers on the network.
Only then do the attackers launch the ransomware itself, which encrypts the files. After encryption, the victim is shown a ransom note demanding payment and giving basic instructions on how to proceed.
The first files have already been published
However, the attack does not seem to stop at encrypting files. One of the authors of the Sodinokibi ransomware said on an unnamed Russian forum that from now on they will publish data from companies that do not pay the ransom.
In this context, the attackers also released a 337MB archive that allegedly contains files originating from the US company Artech Information Systems. This is said to be just a small sample of the data they have. The remaining files, containing business, personal and financial information, will be published if the company still does not pay the ransom.
Authors of other threats also want to publish data
Like the Sodinokibi ransomware, Nemty focuses primarily on organizations and companies of various kinds. It was first seen last August, spreading through other malicious code or in the form of unsolicited e-mails.
Its authors also want to adopt the same model based on publishing stolen data. Bleeping Computer found that the attackers are planning to launch a dedicated website. It will, of course, contain data from companies that do not pay the ransom.
Attackers apparently like the new extortion model. Publishing sensitive business information is often worse than “plain” file encryption: most companies back up their data on a regular basis, so recovery is a matter of minutes.
On the other hand, a leak of sensitive materials, trade secrets, invoices, supplier lists or employee data can cause incalculable damage. The attackers are aware of this, so it is to be expected that this new form of extortion will be used by many more extortionists.
Data publishing began a month ago
Finally, let’s remind you that the frenzy of publishing sensitive data was started by the authors of the Maze ransomware. Less than a month ago, they started publishing data en masse from companies that refused to pay the ransom.
Their dedicated site lists the names of the companies, their URLs, the date the intrusion began, the affected IP addresses, the names of the infected servers, and the total amount of stolen data in gigabytes. Each victim is also assigned an archive containing stolen documents and PDF files.