Traditionally ransomware has held systems hostage while assuring business owners they have not/will not breach sensitive data. But recent hacks by Sodinokobi aka “rEvil” have broken even this “pirate’s code” by holding data for ransom too.
Even hackers need codes. The problem is that hackers make their living on finding ways “around the code.” So there is never a question of whether a code will be broken or bent, it’s when.
Until recently ransomware has operated almost exclusively on the same promise. The hacker holds business continuity for ransom, pausing operations but “promising” that when payment is made the business will return to full functionality. Payment is only made in good faith that when business IT returns the business will have the same value that it did before the hack.
It doesn’t sound particularly smart to break from the norm, does it? As soon as a cyber felon says they have stolen sensitive information, the business knows full functionality cannot be restored. It will need to spend significant resources to ensure proper notification of authorities, customers, etc. In many cases a public record will be created, causing additional damage to brand, etc. Doesn’t that reduce the value of the business, and the very IT resources held for ransom? Isn’t a hacker just shooting themselves in the foot at that point?
Two groups think otherwise, and despite what we might say about their sanity, no one can argue they are brilliant at what they do.
Two Ransomware Groups that Are Breaking the Code
In December 2019, Maze ransomware upped the ante by stealing and then publishing private data on the Internet. Like many previous ransomware attacks, the group targeted a municipality, the city of Pensacola. But they broke from tradition when they posted 2GB of city data on their private website just before Christmas for anyone to find, and more importantly just to show the city that they could. The content was quickly removed, but directories remained as proof, according to Ars Technica.
Authorities were able to take down that site eventually, only to see another site take its place. By January 29, dozens of businesses had been held hostage, 25 of which had suffered smaller bouts of data shaming on Maze’s new site.
Another group, Sodinokibi (aka REvil), has also threatened to publish data of any of their victims who refused to pay the ransom. Sodinokibi targets IT providers because this grants them access to all the IT firm’s clients as well, yielding in some cases hundreds of victims. Sodinokibi successfully hacked Colorado’s own Complete Technology Solutions (CTS) in November, using CTS as a staging ground to infect over 100 dentistry practices. As of December 19, each dental office was negotiating independently with REvil. Some had delivered the ransom to bring their practices back online. Some had refused to pay and remained offline. Others had restored from backups but were still forced to negotiate under threat that their clients’ records would be leaked.
Only two groups have escalated ransomware to this new level that we know of. However, there are other ransomware strains currently at large (Ryuk) that also provide the opportunity to steal data before holding the system hostage. Ryuk will be the topic of our next post. In addition Sodinokibi is thought to be the continued work of the same crew who wrote GandCrab ransomware, which was responsible for 40% of ransomware activity.
This means the hacking community is positioned with the precedent and the opportunity to adopt these aggressive practices on a much broader scale. We need to be prepared.
Platte River Networks Keeps Your Business Safe
Targeting larger organizations allows Sodinokibi to spend more resources on the infection stage. We have seen numerous attack trajectories from phishing and spear-phishing, to vulnerability exploits. Both attack types have demonstrated the ability for these attackers to be creative and find new ways to circumvent defenses.
Additionally Sodinokibi and Maze might be new in how they combine data piracy and ransomware, but these parts are both old news. With traditional ransomware, backups and business continuity planning were extremely effective. Against Maze and REvil these strategies are like putting up only 2 walls and calling that a defense. We are pointed to comprehensive cybersecurity solutions that include:
- Business continuity/backups
- Strong endpoint protection
- Zero-Trust
- Single Sign-on + Multi-factor Authentication
- DNS Internet & Web Application Monitoring, Filtering & Protection
- Security Awareness-Risk Management End User Training
- Enhanced Network, Services & Device Performance Monitoring & Management
- Corporate & User Policy Templates & Management
Platte River Networks Intuition+ Security adopts all of these practices to defend against the latest and most cunning threats like Maze and Sodinokibi. Our security grid has a 100% win rate after almost 20 years of service.
Please email david@platteriver.com for more information on cybersecurity.
