Ransomware gangs are prioritizing stealing data from workstations used by Top executives of the Company/business in the hopes of discovering valuable information to utilize in the extortion process.
A new trend is emerging amongst ransomware groups where they prioritize stealing information from workstations used by top executives and managers to be able to acquire valuable information that they can later use to extort an organization’s top executives into approving large ransom payouts.
Similar calls along with other Clop sufferers and email interviews with cybersecurity firms later affirmed that this wasn’t only a one-time fluke, but instead a technique the Clop gang had fine across the past few months.
The technique is a development of what we’ve already been observed from ransomware gangs lately.
For the previous two decades, ransomware gangs have developed from targeting home consumers in random strikes to going after large corporations in very targeted intrusions.
These classes breach corporate networks, steal sensitive documents they can get their hands on, encrypt files, then leave ransom notes onto the trashed computers.
In some cases, the ransom note advises companies that they must pay a ransom need to be given a decryption key. In case data was stolen, some ransom notes also inform victims that should they don’t pay the ransom fee, the stolen data will be published on the internet on so-called”leak sites.”
Ransomware groups hope that companies will be desperate to avoid having proprietary data or fiscal numbers posted on the internet and accessible to competitors and would be more willing to pay a ransom demand instead of restoring from backups.
In other scenarios, some ransomware gangs have advised businesses that the publishing of their information would also amount to a data breach, which would in many instances also incur a fine against governments, as well as reputational harm, something which employers also want to prevent.
However, ransomware gangs aren’t always able to receive their hands on proprietary information or sensitive info in all the intrusions they execute. This decreases their ability to negotiate and pressure sufferers.
That is why, recently intrusions, a team that has often used the Clop ransomware breed has been especially looking for workstations inside a breached company that are used by its top managers.
The team sifts through a manager’s files and emails, and also exfiltrates data they think may be useful in a threatening, embarrassing, or putting pressure on an organization’s management — the same people who would most likely be in charge of approving their ransom demand days later.
“Ransomware usually goes for the crown jewels’ of the company they’re targeting,” Tanase said. “It is typically fileservers or databases in regards to exfiltrating data to leak it. Nonetheless, it makes sense for them to proceed after exec machines if that is what’s going to create the biggest effect.”
Brett Callow, a hazard analyst at cybersecurity company Emsisoft, told that, so far, they’ve only seen strategies such as these in events involving the Clop ransomware.
“This style of blackmail may be the modus operandi of a particular [Clop] affiliate, and that affiliate may also work for other [ransomware] classes,” Callow told us.
The Emsisoft analyst described this development in extortion tactics as”not in any way surprising” and”an inevitable and logical progression.”
“Within the last couple of years, the strategies used by ransomware groups have become increasingly extreme, and they currently use every possible method to stress their victims,” Callow said.
“Other tactics include harassing and threatening phone calls to both executives and clients and business partners, including Facebook ads, media outreach, and threats to show companies ”dirty laundry’.”
But at a similar interview with Evgueni Erchov, director of incident response and cyber threat intel at Arete IR, it seems that an affiliate of the REvil (Sodinokibi) ransomware-as-a-service operations has adopted this technique from the Clop gang (or this might be the same Clop affiliate that Callow mentioned previously ).
“Specifically, the threat actor was able to find documents related to ongoing litigations along with the victims’ internal discussions associated with that,” Erchov told.
“Afterward the threat actor used that data and achieved directly to executives email and threatened to release the data of their alleged misconduct from the management’ publicly,” Erchov said.
Allan Liska, a senior security architect at Recorded Future, told that they have only seen this tactic with Clop attacks, but they don’t rule out other ransomware actors embracing it also.
“Ransomware gangs are very fast to adopt new methods, particularly the ones that create ransom payment more inclined,” Liska said.
“It also makes sense in the evolution of extortion tactics, as ransomware gangs have gone after bigger goals they have been required to try different ways of forcing payment.
“Leaking stolen info is the 1 everyone is aware of, but other tactics, for example, REvil threatening to email details of this attack to stock exchanges, also have been attempted,” Liska said.
“They [the ransomware bands ] create a variety of threats about what they might or might not have,” Siegel told.
“We have never encountered a case where stolen data showed evidence of corporate or personal malfeasance. For the most part, it’s only a scare tactic to increase the likelihood of payment,” Siegel said.
“Let us remember these are criminal extortionists. They’ll say or claim all kinds of fantastical things when it makes them money.”