Ransomware doesn’t always delete stolen data after the ransom is paid


Researchers from Coveware have provided statistics showing that ransomware does not always delete the data it has stolen, and have made recommendations to potential victims.

In 2019, Maze ransomware operators began using a new double-ransom tactic, in which attackers steal unencrypted files and then threaten to publish them if the ransom is not paid.

Many groups have adopted a similar strategy, but according to experts from Coveware, not all ransomware operators keep their promises to remove the stolen data even after the ransom is paid.

“Ransomware groups continue to leverage data exfiltration as a tactic, though trust that stolen data will be deleted is eroding as defaults become more frequent when exfiltrated data is made public despite the victim paying,” write Coveware researchers.

Some gangs publish stolen data after the ransom has been paid, use fake data as evidence, or even extort the victim a second time.

For example, Sodinokibi repeatedly demanded a ransom from victims several weeks after payment, threatening to publish the same data, while Netwalker and Mespinoza published the data of the companies that paid the ransom, and Conti published fake files as proof of fulfilment of promises.

Maze, Sekhmet, and Egregor were also mentioned in the report as groups that do not keep their promises. As Maze grew, its operations became disorganized and victims’ data could have been mistakenly posted on a leak site, experts say. Now the operators of Maze have announced that work on this project has been discontinued.

Conti, in turn, provided victims with fake links to allegedly deleted data after the ransom was paid. The links were designed to trick victims into thinking their data had been removed.

The victim cannot know for sure if the ransomware operator deletes the stolen data after the payment has been made.

Because of this, Coveware recommends not paying the ransom as there are no guarantees of safety.

“Coveware feels that we have reached a tipping point with the data exfiltration tactic. While victims may decide there is a compelling reason to pay to prevent public access to stolen data, it is Coveware’s policy to tell victims of extortion not to pay the ransom,” say the researchers.

Companies are also encouraged to treat any cyberattack as data theft and, as required by law, inform all customers, employees and business partners that their data has been stolen.

Let me remind you that Microsoft estimated that ransomware attacks take less than 45 minutes.

By Vladimir Krasnogolovy
