KrebsOnSecurity recently identified a website associated with the creators of the Maze ransomware strain that did exactly that.
The introductory message on the landing page reads as follows:
“Represented here companies don’t wish to cooperate with us, and trying to hide our successful attack on their resources. Wait for their databases and private papers here. Follow the news!”
Many industry insiders and security experts have expressed shock and dismay at the emerging trend. They probably shouldn’t. After all, hackers who use ransomware almost always issue a warning that if their demands aren’t met, the data in question will be released to the public. It’s such a common threat that it’s almost become boilerplate.
The difference is that until recently, hackers haven’t actually followed through on the threat. That now appears to be changing, and it underscores an important point.
Hackers often snoop through and exfiltrate data before encrypting it. Doing so essentially lets them get paid twice. If the company pays the ransom, they get the money. Meanwhile, they can auction off the juiciest bits of data to the highest bidder. Most commonly, this means selling personal information and credit card data, but it certainly can mean proprietary company data. In fact, it now appears that it does mean company data.
What this means, though, is that ransomware attacks need to be considered data breaches and treated accordingly. If that’s not your company’s current stance where such attacks are concerned, it should be.