Researchers from Coveware have provided statistics showing that ransomware operators do not always delete the data they have stolen, and have made recommendations to potential victims.
In 2019, Maze ransomware operators began using a new double-ransom tactic, in which attackers steal unencrypted files and then threaten to publish them if the ransom is not paid.
Many groups have adopted a similar strategy, but according to experts from Coveware, not all ransomware operators keep their promises to remove the stolen data even after the ransom is paid.
Some gangs publish stolen data after the ransom has been paid, use fake data as evidence, or even extort a ransom from the victim again.
For example, Sodinokibi repeatedly demanded a ransom from victims several weeks after payment, threatening to publish the same data, while Netwalker and Mespinoza published the data of the companies that paid the ransom, and Conti published fake files as proof of fulfilment of promises.
Maze, Sekhmet, and Egregor were also mentioned in the report as groups that do not keep their promises. As Maze grew, its operations became disorganized and victims’ data could have been mistakenly posted on a leak site, experts say. Now the operators of Maze have announced that work on this project has been discontinued.
Conti, in turn, provided victims with fake links to allegedly deleted data after the ransom was paid. The links were designed to trick victims into thinking their data had been removed.
The victim cannot know for sure if the ransomware operator deletes the stolen data after the payment has been made.
Because of this, Coveware recommends not paying the ransom as there are no guarantees of safety.
Companies are also encouraged to treat any cyberattack as data theft and, as required by law, inform all customers, employees and business partners that their data has been stolen.
Let me remind you that Microsoft estimated that ransomware attacks take less than 45 minutes.