Ransom Payment No Guarantee Against Doxxing

Several organizations that paid a ransom to keep attackers from releasing stolen data saw it leaked anyway, according to Coveware.

Ransomware victims that pay threat actors to keep them from releasing data that might have been stolen during an attack often end up getting doxxed and hit with additional demands for money for the same dataset anyway.


An analysis by Coveware of ransomware attack data during the third quarter shows several organizations were victimized in this manner after paying attackers the demanded ransom.


Coveware observed victims of the Sodinokibi ransomware group, for instance, being re-extorted just weeks after they had paid, with more threats to post the same dataset. The operators of the Netwalker and Mespinoza ransomware families publicly posted data belonging to companies that had specifically paid the groups a ransom for the data not to be leaked. Conti, another ransomware group, provided fake files to victims as proof they had deleted stolen data.


Often, a threat actor that has already extracted money from a victim will disguise the second extortion attempt as being the work of another group, Coveware CEO and co-founder Bill Siegel says. However, there's not enough data to determine how frequently such incidents are happening, he says.


"But it's happening enough for us to believe no one should pay," Siegel notes.


Some one in two of all ransomware attacks Coveware analyzed last quarter involved data theft and the subsequent threat by attackers to publicly leak the stolen data if they were not paid.


The trend has completely altered the dynamics of ransomware attacks because in the past, if a victim had an adequate data backup, they could simply restore data and get away without paying a ransom. Now that option is gone. With dat ..
