Ransomware gangs pretend to delete stolen data to extort victims twice, report warns

Security experts warn that paying ransomware hackers will likely lead to more demands

Lines of code used to create a digital skull

Ransomware gangs are reportedly sending victims fake evidence that stolen data has been deleted, only to use that data again in a second extortion attempt.

Notorious hacking groups such as Sodinokibi, Maze, and Netwalker have been tricking victims into a false sense of security, according to a Q3 Ransomware report from cyber security firm Coveware.

The report found that it has now become the default position for groups to hold onto data they have acquired, regardless of whether a ransomware payment has been paid by the victim. In fact, the cyber security firm found evidence that many groups are providing faked files that claim to prove that the data has been deleted.

Although some victims may decide there are valid reasons to pay, cyber security experts frequently advise against it. This is largely because there is no credible way to prove data has been deleted, or a way to ensure data has been returned, if that was the arrangement. There's also the potential that stolen data has already been traded, sold, or held by other threat actors for reuse.

Conti (aka Ryuk), which was recently revealed to be behind a third of all ransomware attacks in 2020 and is mentioned in the report, was recently blamed for an attack on French IT service Sopra Steria at the end of October. Although the company agreed to pay the ransom demanded by the hackers, it's now believed that the evidence provided to show deletion was in fact fabricated, according to Coveware.

Related Resource

How to improve cyber security for remote working

13 recommendations for security from any location

How to improve cyber security for remote working - whitepaper from MimecastDownload now

"Unlike negotiating for a decryption key, negotiating for the suppression of stolen data has no finite end," the report stated. "Once a victim receives a decryption key, it can't be taken away and does not degrade with time. With stolen data, a threat actor can return for a second payment at any point in the future. The track records are too short and evidence that defaults are selectively occurring is already collecting."

Featured Resources

Defeating ransomware with unified security from WatchGuard

How SMBs can defend against the onslaught of ransomware attacks

Free download

The IT expert’s guide to AI and content management

How artificial intelligence and machine learning could be critical to your business

Free download

The path to CX excellence

Four stages to thrive in the experience economy

Free download

Becoming an experience-based business

Your blueprint for a strong digital foundation

Free download

Recommended

One-in-seven Nasdaq-100 companies ranked as highly susceptible to a ransomware attack
cyber crime

One-in-seven Nasdaq-100 companies ranked as highly susceptible to a ransomware attack

16 Sep 2021
Microsoft brings passwordless security to consumer accounts
Microsoft Windows

Microsoft brings passwordless security to consumer accounts

16 Sep 2021
Datto launches its business continuity solution for Azure
disaster recovery (DR)

Datto launches its business continuity solution for Azure

15 Sep 2021
Smishing attacks increased 700% in first six months of 2021
scams

Smishing attacks increased 700% in first six months of 2021

14 Sep 2021

Most Popular

What are the pros and cons of AI?
machine learning

What are the pros and cons of AI?

8 Sep 2021
Apple patches zero-day flaw abused by infamous NSO exploit
exploits

Apple patches zero-day flaw abused by infamous NSO exploit

14 Sep 2021
Google takes down map showing homes of 111,000 Guntrader customers
data breaches

Google takes down map showing homes of 111,000 Guntrader customers

2 Sep 2021