Ransomware Operators Releasing Data of those not paying the Ransom

Sodinokibi and a handful of other ransomware variants are currently dominating discussions regarding ransomware. Continual updates; changes in tactics and infection vectors; and improved targeting tactics placing corporations and government organizations within their crosshairs, have all made Sodinokibi a nightmare to deal with if infected. Now another change in tactics adds to the threat posed by the ransomware variant. The change of tactics does not involve a new advanced code module or infection vector, rather the release of data stolen if the victim does not pay the ransom in time.

In December 2019, representatives of the Sodinokibi ransomware threatened to take such steps on an underground Russian hacker forum. The post was shared with the community by security researcher Damian who discovered UNKN, the public-facing representation of the ransomware, had posted the threat. Such a tactic has been seen before with Maze, another ransomware variant, published 700 MB of data stolen from Allied Universal. At the time this was believed to be only 10% of the data stolen by hackers while simultaneously conducting ransomware operations. The data was released in response to payment not being made by the victim. Sodinokibi now has followed suit.

UNKN has made similar threats in the past, namely to Travelex and CDH Investments, however, the threat was not enacted upon. Now that appears to have changed with an announcement from one of the ransomware's representatives that data belonging to Artech has been leaked to the public. The announcement contained links to approximately 337 MB of data belonging to the company which describes itself as an IT staffing company. The announcement stated further that more data would be leaked if the ransom payment was not made. Artech has not yet publically acknowledged that they have been infected with Sodinokibi and that the released data is in fact theirs. In this instance the silence is deafening and the hiding of such an attack has proved to be more detrimental in the past when compared with approaching the incident with transparency.

sodinokibi ransomware operators realeases data of artech company

The end of last year and the beginning of this year seems to be bringing Sodinokibi a lot of success. Added to the incidents mentioned above those behind Sodinokibi further managed to infect the Albany International Airport (ALB) in New York. The incident was confirmed in a statement made by the airport’s authority and which further confirmed it was indeed Sodinokibi which had encrypted files. Fortunately, the daily operations of the airport were unaffected, and personal and financial data did not appear to be accessed. The attack occurred after threat actors managed to infect the network of airport’s managed services provider, LogicalNet. From there, the ransomware soon spread to the airport’s network and backup servers. Five days later it was confirmed that the airport’s insurance provider had paid the ransom.

Extortion Tactics on the Rise

Since Maze, unfortunately, opened a Pandora’s Box of further extorting victims to pay up unless they want their data to be publically leaked, other ransomware operators have been threatening to the same. It would appear that Nemty has adopted a similar extortion method. In a recent article published by Bleeping Computer, those behind Nemty intend to create a blog that will be used to publish stolen data if the ransom demands are not met. According to the article versions of Nemty have been created that are already configured to carry out attacks on networks. Further, Nemty also includes a build mode that can be used to create executables that target an entire network rather than individual computers. This mode has been advertised to be able to decrypt all the devices, using one key, on the network and victims will not be able to decrypt individual machines.

As the tactic of further attempting to extort payment in this method is relatively new it is still unclear how much success it will yield. One possible theory behind this new tactic is that the paying of the ransom for corporations will be less than the fines accrued by the company for any personal or financial data that is meant to be protected. Fines can easily total in the millions of dollars if it is proved that the company mishandled the sensitive data and did not do their legal duty in protecting the data. This adds yet another dynamic to the pay or not to pay scenario that business leaders and upper management will need to consider if falling victim to a ransomware attack. As it stands ransomware operators already chose ransom amounts carefully to look more appealing than having to go through the process of recovering data and potential company downtime. Now with the added threat of government-imposed fines to worry about it is not unforeseeable that companies are more willing to pay the ransom in the allotted time.

Maze has set a new dangerous height for other ransomware operators to attempt to follow. Reports began emerging in early January that those behind the ransomware had leaked 14 GB of data belonging to Southwire, a cable manufacturer and apparent victim of Maze. Allegedly 120 GB of data was stolen and those behind Maze initially leaked 2 GB of the data, the same as had been done to the City of Pensacola previously, with the hackers demanding over 6 million USD in Bitcoin to decrypt the encrypted files. Further, those behind Maze stated in a post,

“But now our website is back but not only that. Because of southwire actions, we will now start sharing their private information with you, this only 10% of their information and we will publish the next 10% of the information each week until they agree to negotiate. Use this information in any nefarious ways that you want”.

▼ Show Discussion

About the author:

Karolis Liucveikis

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps.

Author and general operator of PCrisk's "Removal Guides" section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has experience of over five years working in this branch. He attended KTU University and graduated with a degree in Software Development in 2017. Extremely passionate about technical aspects and behavior of various malicious applications. Contact Karolis Liucveikis.

PCrisk security portal is brought by a company RCS LT. Joined forces of security researchers help educate computer users about the latest online security threats. More information about the company RCS LT.

Our malware removal guides are free. However, if you want to support us you can send us a donation.

About PCrisk

PCrisk is a cyber security portal, informing Internet users about the latest digital threats. Our content is provided by security experts and professional malware researchers. Read more about us.

Malware activity

Global malware activity level today:

Medium threat activity

Increased attack rate of infections detected within the last 24 hours.

Virus and malware removal

This page provides information on how to avoid infections by malware or viruses and is useful if your system suffers from common spyware and malware attacks.

Learn about malware removal