Being struck by ransomware used to mean that data would be lost forever unless you paid up. Those days are long gone. Today ransomware gangs are also stealing their victims’ data… and in some cases auctioning it off on Dark Web markets.
The hackers behind the REvil or Sodinokibi ransomware have siphoned off terabytes of data from the systems they’ve infected. When victims aren’t willing to meet ransom demands, the REvil gang is more than willing to use alternative means to profit from their attacks.
Researchers at Cyberint published a report this week that sheds light on this new approach. Once it’s clear that a victim is not going to pay, the stolen data is put up for auction. Anyone who wants to bid can do so anonymously. No proof of identity is required, just a successful completion of a CAPTCHA challenge.
The winning bid must be paid in the Monero cryptocurrency (XMR) and a 10% deposit is required to get the transaction started.
Whose data is being auctioned off? So far, Cyberint has spotted a handful of listings. There was a trove of documents from a major U.S. food distributor with a starting price of $100,000. A 50 gigabyte cache of sensitive files from a U.S. law firm was priced at $30,000.
The highest-priced listing: a legal firm specializing in intellectual property law. For a starting bid of $1.2 million, the winner would gain access to a digital library full of trade secrets, patent documentation, and internal communications.
REvil was one of the first groups to start selling its victims’ data. In mid-March the gang started selling access to data outright. Some of those hit by REvil saw gigabytes of private files sold off for a few measly euros.
Weighing the Risks
For victims, it’s a lose-lose-lose scenario. They can pay the ransom and regain access to the encrypted files, but they have to trust that a group of criminals is going to follow through and permanently destroy all other copies of the stolen data. That’s unlikely at best.
Victims could also choose to roll the dice and bid anonymously on their own data. Again, they’re trusting that a criminal won’t re-sell that data or hang on to it and use it for future extortion attempts.
They could opt to not pay and to ignore the threat of private data being exposed. A good set of backups can restore the data, but the data leak creates a host of new problems. Criminals can use the data to launch sophisticated business email compromise scams that can lead to multi-million-dollar losses – not to mention jeopardizing business deals, angering clients, or creating public relations nightmares.
Cyber attacks are surging. Victims keep paying ransoms, which gives ransomware gangs more incentive to continue with their attacks.
They won’t back off any time soon. The best defense: education.
Email inboxes are still the most common starting point for ransomware attacks. Being able to identify a phishing message could keep your secrets from being spilled to the highest bidder.