Ransomware Goes Social In 2020

No photo availableByJohn Shier
3 min read

The early days of ransomware were very much transactional. You received an unsolicited email, clicked on a link, or opened…

Fotolia DigitalWorld 179442456 L

The early days of ransomware were very much transactional. You received an unsolicited email, clicked on a link, or opened an attachment, and your computer eventually ran the ransomware binary which encrypted all of your user-generated files. The process of recovery was fairly straightforward. You either recovered your files from backup (after doing a full re-image) or you sent Bitcoins to the criminals in exchange for the decryption key.

In time, the criminals added the ability to communicate with them and things got a little more personal.

These communications were mostly under the auspices of support. Not only could the criminals increase their reputation as ‘trustworthy’ merchants, but it also gave some individuals the ability to negotiate payment terms. In October 2019, the ransomware scene gave us a glimpse of things to come.

A group calling themselves ‘Shadow Kill Hackers’ attacked the city of Johannesburg, claiming to have stolen data from the city’s compromised systems. The difference here is that the attackers didn’t encrypt any files. In this purely social attack, the criminals threatened to release financial and personal data of Johannesburg’s citizens if payment (4 BTC) was not made by the deadline. The city rebuffed the ransom demand and the attackers were silent. It took less than one month for this new tactic to catch the attention of more serious ransomware gangs.

The criminals behind Maze ransomware began incorporating this tactic of steal and share as additional extortion pressure in their ransomware operations. The first such incident occurred in November 2019 when the Maze crew released a portion of a victims’ stolen data in a show of force and added social pressure for the company’s lack of payment. Since then we’ve seen the Maze operators continue this behavior and other prominent ransomware gangs have joined them.

Today it isn’t uncommon to hear of a ransomware victim being extorted into paying a ransom under threat of data exposure. We’ve seen some criminals use their total access to an organization’s compromised systems to pit employees against their own executives and IT department by threatening to release stolen employee data if the company did not engage with the criminals and negotiate payment.

While it’s still too early to determine if this form of social pressure will be more profitable than more traditional methods, it has heralded a new era in ransomware where social pressure and shaming are being used to increase the attackers’ bottom line.

John Shier is the Senior Security Advisor at Sophos.

Leave a Reply

Your email address will not be published.

One Comment

  1. I think we need to raise the level of awareness around ransomware and the dangers of an attack and that’s what we tried to do in this video https://youtu.be/tfOM3Fg3Bz4

    We’ve a whole section of short videos about information security (IoT, strong password etc) on our website and you can see them on our Showreel page here https://whatyouneedtoknow.co.uk/showreel

    What we’re trying to do also is to show the connection between information security at work and at home – good practice is good practice wherever it is.

    Reply
Do you have a story that you think would interest our readers? Write to us editorial@cioafrica.co