Everything old is new again? Ransomware groups stop encrypting and switch to theft/extortion model.
In a new post at The Register, Jessica Lyons Hardcastle reports, in part:
… Increasingly, however, cybercrime rings still tracked as ransomware operators are turning toward primarily data theft and extortion – and skipping the encryption step altogether. Rather than scramble files and demand payment for the decryption keys, and all the faff in between in facilitating that, simply exfiltrating the data and demanding a fee to not leak it all is just as effective. This shift has been ongoing for many months, and is now virtually unavoidable.
The shift from locking data to just stealing it and attempting to extort victims sounds like a return to a decade ago when groups like Rex Mundi and then later, thedarkoverlord, would privately — and then publicly — threaten to start leaking or selling data that they had hacked and exfiltrated if their victims did not pay.
This week, DataBreaches received a copy of a communication that Hive threat actors have sent to a victim in the U.K. The victim is a firm of chartered accountants and auditors. Hive’s note reads:
Downloaded most important information of you and your clients. This information contains a lot of personal information, including passports, contracts, NINs and other sensitive data.
Since your company is not very big and it doesn’t have big revenue and good cyberprotection we decided not to damage your business and not to encrypt your entire network. But we still have a lot of your information that we can use in different ways. You can find link below this message with a sample of files that we downloaded. To ensure that your network has been hacked – you can ask your IT specialists.
We remind you that after the unauthorised publication of this data you should expect court fines, both from your clients and from the regulator, and also a huge business reputation loss.
We offer you to enter into negotiations with us as soon as possible; to do this you should only answer this e-mail. If you refuse to contact us for the next 3 days we will be forced to publish all data from your network for free download. Plus we will send emails about this breach to all your customers.
Have a good day!
Appended to their note was a copy of a file tree and a sample of more than 100 files that appear to be from the named victim. The files were what you might expect from a firm of chartered accountants and auditors, with numerous client records, banking statements, completed tax forms for clients, payroll-related information on departing employees, etc.
[Note: DataBreaches is not naming the victim firm at this time because we have not contacted them to attempt to confirm any claims or to seek a response to claims. Nor would we want to interfere with any negotiations, if any are going on.]
Will a return to the old theft/extortion model work as well in 2022 as the model that involved encryption? Will ransomware groups/threat actors lower their ransom amounts because no encryption or decryption key is needed?
And will more victims decide not to pay because the public now understands that pretty much all companies can become victims, so there is less potential reputation harm? And is there also less reason to pay when the law still requires you to notify even if you paid extortion to get assurances?
It will be interesting to see how this new approach plays out over time.