Thursday, 12 November 2020 09:42

Ransomware is now all about data leaks, Kaspersky researchers claim

Ransomware has changed from being just about encrypting a victim's data and become primarily about data exfiltration, the Russian security firm Kaspersky says.

In a detailed blog post about two ransomware families, Ragnar Locker, which the company described as a veteran operation, and the more recent entrant Egregor, researchers Dmitry Bestuzhev and Fedor Sinitsyn said the data loss was not the main item either, with the publication of stolen data on the Internet being the culmination of an attack.

The duo said there were several main initial vectors: commercial VPN software, RDP-enabled machines which were exposed to the Internet, and also vulnerable router firmware.

"Sometimes ransomware threat actors may rely on traditional malware like botnet implants previously dropped by other cyber-criminal groups," Bestuzhev and Sinitsyn said.

"And finally, if we recall the Tesla story, the attempt to infect that factory was through someone working at the company. That means physical human access is also a vector. It is complex."

They said Ragnar Locker was highly targeted, to the extent that each sample was tailored for the organisation that was being attacked.


Screenshot of the Wall of Shame where stolen data is exposed. Courtesy Kaspersky

The group had three .onion domains and one Internet domain, with the latter registered on 16 June; if victims refused to pay, then their stolen data was published on a so-called Wall of Shame section on the websites.

However, Ragnar Locker did not see itself as an extortionist. "Curiously, this group is positioning itself as a bug bounty hunting group," the researchers wrote.

"They claim the payment is their bounty for discovering vulnerabilities that were exploited and to provide decryption for the files and OpSec training for the victim; and, finally, for not publishing the stolen data.

"Of course, if the victim refuses to pay, the data goes public. Besides that, if the victim chats with the Ragnar Locker threat actor and fails to pay, then the chat is exposed along with the stolen data."

Bestuzhev and Sinitsyn provided a detailed breakdown of a sample of the Ragnar Locker malware that they had discovered, pointing out that it avoided infecting systems within certain locales: Azerbaijan, Armenia, Belarus, Kazakhstan, Kyrgyzstan, Moldova, Tajikistan, Russia, Uzbekistan, Ukraine and Georgia.

On any system outside these locales, the malware stopped certain services on the machine it had gained access to and then proceeded to do its job.


Example of a chat negotiating to pay the ransom. Courtesy Kaspersky

The Kaspersky duo said Egregor had been discovered only in September and its code had many similarities with another strain known as Sekhmet and also Maze, which recently shut down its operations.

Egregor had one .onion domain and two Internet domains, the two researchers said. The two surface Web domains appeared to be constantly under attack and hence the Egregor actors had a disclaimer posted on the main page of the .onion domain.

When Egregor gained access to a system, a check was done to see what languages had been installed. If any of Armenian (Armenia), Azerbaijani (Cyrillic, Azerbaijan), Azerbaijani (Latin, Azerbaijan), Belarusian (Belarus), Georgian (Georgia), Kazakh (Kazakhstan), Kyrgyz (Kyrgyzstan), Romanian (Moldova), Russian (Moldova), Russian (Russia), Tajik (Cyrillic, Tajikistan), Tatar (Russia), Turkmen (Turkmenistan), Ukrainian (Ukraine) or Uzbek (Latin, Uzbekistan) were present, then the attack went no further.

If other languages were used on the system, then the process of halting running services, exfiltration of data and encryption proceeded.

"Unfortunately, Ransomware 2.0 is here to stay," Bestuzhev and Sinitsyn said. "When we talk about 2.0, we mean targeted ransomware with data exfiltration. The whole extortion process is primarily about the victims’ data not being published on the Internet and only then about decryption.

"Why is it so important for the victims that their data is not published? Because possible lawsuits and fines due to violations of regulations like HIPAA, PCI or GDPR can result in immense financial losses, reputational damage and potential bankruptcy.

"As long as companies see ransomware threat actors as typical malware threats, they will also fail. It is not about just endpoint protection; it is about red teaming, business analysts working with exfiltrated documents evaluating the ransom to pay. It is also about data theft, of course, and public shaming, leading to all sorts of problems in the end."

Sam Varghese

Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.
