Senior security expert John Shier said in a blog post, the fourth in a series published by the company under the title The realities of ransomware, that the new social method adopted by ransomware gangs had led to a new era where social pressure and shaming was being used to improve the attackers' bottom line.
Shier pointed out that when ransomware was in its early days, the process was entirely transactional.
"You received an unsolicited email, clicked on a link or opened an attachment, and your computer eventually ran the ransomware binary which encrypted all of your user-generated files," Shier said. "The process of recovery was fairly straightforward. You either recovered your files from back-up — after doing a full re-image — or you sent bitcoin to the criminals in exchange for the decryption key.
"In time, the criminals added the ability to communicate with them and things got a little more personal. These communications were mostly under the auspices of support. Not only could the criminals increase their reputation as ‘trustworthy’ merchants, but it also gave some individuals the ability to negotiate payment terms."
But then things changed in October 2019, when a group going by the moniker Shadow Kill Hackers attacked the city of Johannesburg and claimed they had stolen data from the compromised systems.
Said Shier: "The difference here is that the attackers didn’t encrypt any files. In this purely social attack, the criminals threatened to release financial and personal data of Johannesburg’s citizens if payment (4 BTC) was not made by the deadline. The city rebuffed the ransom demand and the attackers were silent. It took less than a month for this new tactic to catch the attention of more serious ransomware gangs."
He said the first ransomware group to start using this tactic, of steal and share as additional extortion pressure, was Maze.
"The first such incident occurred in November 2019 when the Maze crew released a portion of a victim's stolen data in a show of force and added social pressure for the company’s lack of payment," Shier said.
"Since then we’ve seen the Maze operators continue this behaviour and other prominent ransomware gangs have joined them."
Among the ransomware groups that have adopted this tactic are Ako, Avaddon, Clop, DoppelPaymer, Nemty, Nefilim, REvil (Sodinokibi), Netwalker, Pysa (Mespinoza), Ragnar Locker, Sekhmet and Snatch.
Shier said that it was not uncommon these days to hear of a ransomware victim being extorted into paying a ransom because they feared data exposure.
"We’ve seen some criminals use their total access to an organisation’s compromised systems to pit employees against their own executives and IT department by threatening to release stolen employee data if the company did not engage with the criminals and negotiate payment," he said.
"While it’s still too early to determine if this form of social pressure will be more profitable than more traditional methods, it has heralded a new era in ransomware where social pressure and shaming is being used to increase the attackers’ bottom line."