[BreachExchange] Ransomware Attackers Leak Stolen Data

Destry Winant destry at riskbasedsecurity.com
Tue Nov 26 09:59:21 EST 2019


https://www.databreachtoday.com/ransomware-attackers-leak-stolen-data-a-13438

Ransomware attacks have taken an unwelcome turn: The Maze gang
reportedly has begun leaking a victim's files to create pressure to
pay a ransom.

Security experts say that leaking data as part of a ransomware
shakedown isn't a surprising turn of events. But it's unclear whether
this tactic will catch on, they say, because simpler ransomware
attacks tend to be much more lucrative than attacks that involve data
exfiltration.

Even so, the group using Maze ransomware published almost 700 MB of
data that it stole from Allied Universal, a California-based security
services firm with a valuation of about $7 billion, Bleeping Computer
reports.

The "Maze Crew" tells Bleeping Computer that the leak only represents
a fraction of the 5 GB of data they stole, and that they'll dump the
rest - sending it to WikiLeaks - unless Allied Universal coughs up a
ransom of 300 bitcoins, currently worth about $2.1 million.

The attackers also claim to still have access to Allied's site and to
have stolen TLS and email certificates that they could use to
impersonate the security firm via email spam campaigns.

After attackers uploaded what it said was a sample of the stolen data
to Bleeping Computer's forums, the publication said it immediately
deleted the data, but it noted that attackers had also uploaded it to
a Russian language cybercrime forum and reported that they're now
demanding closer to $4 million. Allied Universal had said it would pay
no more than $50,000, the publication reports.

The company declined to comment on that report, but did confirm its
investigation. "Allied Universal is aware of a situation that may
involve unauthorized access to our systems," a spokeswoman tells
Information Security Media Group. "With the assistance of leading
cybersecurity experts, we have taken immediate and appropriate actions
to investigate the matter and reinforce our system security. We are
also working closely with law enforcement on their investigation into
this matter. Keeping our company data safe and that of our customers
and employees is of paramount importance."

Maze Ransomware

The relatively new Maze ransomware, also known as ChaCha, has been
tied to a number of attacks that since October have targeted
organizations in Germany, Italy and the United States. Spam emails
sent by the Maze group often lead to domains that impersonate
legitimate government websites - including the German Federal Ministry
of Finance, the Italian Revenue Agency and the U.S. Postal Service -
according to Proofpoint, which refers to the Maze gang as TA2101.

In some cases, the attackers have emailed malicious Microsoft Word
attachments to victims with macros which, if run, execute a PowerShell
script that downloads Cobalt Strike, a legitimate penetration testing
tool that's been repurposed by the attackers. In other cases,
Proofpoint says, the malicious payload has been Maze, or, in the U.S.,
the IcedID banking Trojan.

In July, VMware's Carbon Black noted that Maze was being distributed
by the Fallout exploit kit. Fallout has also been tied to
distributions of Sodinokibi, as well as AZORult, Kpot, Raccoon and
Danabot, according to Malwarebytes (see: Sodinokibi Ransomware Gang
Appears to Be Making a Killing).

In October, an independent security researcher found Maze being
distributed via the Spelevo exploit kit, which was targeting a Flash
vulnerability for which a patch is available.

'Natural Progression'

The Maze gang's attempt to force a ransom payment "indicates a natural
progression in the threat actors' focus," says David Stubley, CEO at 7
Elements, a security testing firm and consultancy in Edinburgh,
Scotland (see: Ransomware Gangs' Not-So-Secret Attack Vector: RDP
Exploits).

"With the rise of additional mitigation and recovery options that help
organizations avoid paying the ransom, the next stage is to force
payment, and it would be easy for the actor to post a number of
example files to Pastebin," perhaps initially in an encrypted format,
while threatening to post a decryption key, Stubley tells ISMG.

Attackers already regularly threaten to increase their ransom demands
the longer a victim doesn't pay. In theory, it would be a small leap
for them to begin automatically leaking stolen files as well or
publishing decryption keys for files that they have already uploaded
to Pastebin or released via BitTorrent to increase the pressure on
victims.

"Ever since the Chimera ransomware at the end of 2015, 'doxware' has
been considered by us and many others as a logical next step in the
more general, malware-driven cyber extortion business," says Fabian
Wosar, CTO of anti-virus firm Emsisoft. In the case of Chimera, for
example, the ransomware not only crypto-locked data, but threatened to
dump it. "The threat to reveal confidential and sensitive data stolen
by the attackers was only a bluff back then, but it has become a
reality now, almost four years later."

Extortionists often seek whatever leverage they can find. "Maze
themselves pointed out that the data is unimportant to them," says
Bleeping Computer's Lawrence Abrams. "They don't want to monetize it
on its own, but to use it purely as leverage to get the company to pay
the ransom."

So, are shakedowns that include ransomware as well as data leakage
likely to flourish?

"In our experience, data exfiltration is just a threat in ransomware
attacks," Bill Siegel, CEO of ransomware incident response firm
Coveware, tells ISMG. "We are seeing this threat more often, but so
far have not seen instances where the threat was actually validated or
carried out" (see: Ransomware Gangs Practice Customer Relationship
Management).

While ransomware attackers regularly threaten to dump stolen data - as
in the recent attack against the city of Johannesburg - it's almost
always an empty threat.

With the Allied Universal data leak, "it's the first time this has
happened, as far as we know," says Brett Callow, a spokesman for
Emsisoft.

Ransomware Versus Data Exfiltration

Economics is one explanation. "Data exfiltration as an extortion
tactic is not terribly lucrative as compared to ransomware," Siegel
says. "If a company finds out its data has been breached, the damage
is done. Paying the criminal is pointless, and the criminals know
that. Ransomware, on the other hand, causes downtime, and downtime can
bankrupt a company."

Attackers with the skills required to first gain remote access to a
targeted network - for example, via remote desktop protocol
credentials they purchased on cybercrime forums - tend to carefully
map the network and steal all potentially valuable data before
sometimes selling access to the hacked network to others, security
experts say.

"Remember, the ransomware itself may not need to have the exfil
ability; if threat actors have gained access via RDP, for example,
they have full access to the network for doing so," 7 Elements'
Stubley says.

"If [attackers] find data of value, they exfiltrate it and monetize
it, and when they are done, they sell off access credentials to a
ransomware group," says Coveware's Siegel. "Deploying ransomware and
exfiltrating data require very different skill sets in terms of
criminal tradecraft."

Ransomware also represents the final stage of an intrusion, because it
is noisy: Being unable to use PCs is an obvious sign something has
gone wrong, and victims will know their network has been penetrated
and can take steps to kick out attackers and block follow-on hack
attempts.

But whether more ransomware shakedowns get accompanied by actual data
leakage remains to be seen.


More information about the BreachExchange mailing list