mins read

The Evolution of the Data Leak Extortion Ecosystem

The Evolution of the Data Leak Extortion Ecosystem

October 21, 2020
Green Alert
Last Update posted on
February 3, 2024
Secure your organization's sensitive information from data breach.

Protect your sensitive information from unauthorized access and data breaches with CloudSEK XVigil Credential Breaches module, ensuring the security of your valuable data

Schedule a Demo
Table of Contents
Author(s)
No items found.

 

Ransomware is one of the most disconcerting security issues in the cybersecurity ecosystem. It has evolved since its first appearance in 1989, when it was only a primitive trojan that spread via discs, injecting host computers with a virus that encrypts files and hides directories, which are returned only when the victim pays a ransom. They are significantly more sophisticated and costly now.

The release of CryptoLocker in the year 2013 was a milestone in the evolution of ransomware. Unlike its predecessors, this ransomware does not adhere to bullying, which only makes it worse. It directly encrypts all the files on the system and demands a ransom in exchange for its decryption. And now with the likes of Sodinokibi and Maze the ransomware lineage is operating at a huge scale.

Over the years, malicious ransomware operators have expanded the scope of the virus to include screen locker capabilities along with the ability to overwrite boot data records. And thanks to the prevalence of ransomware families, today, ransomware is a global threat that has advanced extortion capabilities and tactics. The perpetrators behind such ransomware groups also target the victim’s personal records and files.  

To ensure the complete surrender of victims,  threat actors have switched to two-fold attack techniques. If the victim refuses to pay the ransom, their data is leaked on public domains or data leak websites.

In this blog, we explain the evolution of the data leak extortion ecosystem through the advancements made by ransomware groups over the last three decades.

Police Lockers

The mid 2010s were dominated by Trojans that took away users access to their screens or browsers. In the year 2012, a fresh scam that involved one such Trojan invaded browsers. It sent messages and fake alerts that masqueraded as the law enforcement agency, only to dupe unsuspecting victims. The message would claim that the victim’s device was found to be involved in illegal activities such as copyright violation or child pornography. The victims are then scared into paying an amount as ransom using prepaid cards like MoneyPak, Paysaf, or Ukash.

During the same period, another ransomware that spread disguised as the FBI victimized thousands of computer users. However, this ransomware came with the additional ability to lock the host computer’s IP address, Windows version, location, and ISP name.

CryptoLocker

2013 witnessed yet another iteration of the malicious software that was capable of encrypting data. CryptoLocker was the first ransomware of this kind and it used 2048-bit RSA encryption. Also, the victims were asked to pay the ransom in Bitcoins for the first time or using prepaid cards. Over time, the operators behind CryptoLocker increased their demand from $100 to $600 per computer. The despicable success of this ransomware led to the launch of other such malicious software like PClock, CryptoLocker 2.0, and TorrentLocker.

Emergence of Ransomware-as-a-Service (RaaS)

In 2015, advanced groups of cybercriminals decided to monetize ransomware through RaaS platforms. In attacks that follow, customers procure ransomware from such platforms on the dark web and share the profit with the authors of the ransomware. RaaS has advanced tracking tools embedded as part of its services. It has been the reason for a surge of ransomware attacks across the world.

Locky Ransomware and KeRanger

The Locky ransomware that was released in 2016 spread malicious Microsoft Word macros, infecting millions of PCs around the world. Another ransomware that made an entry during this period was KeRanger, which leveraged the asymmetric RSA cryptosystem to lock down the victim’s data. KeRanger operators usually demand for $500 from the victim in exchange for the decryptor and instruct victims to visit sites hosted on Tor (anonymity network).

WannaCry and Notpetya

With time, ransomwares have been developed to be stealthier and devastating. In the year 2017, there were multiple ransomware outbreaks, namely WannaCry and Notpetya. These attacks were not detected initially.  And today, threat actors clearly distinguish between individuals and businesses, when they demand a ransom. They consider businesses and organizations to be juicier targets. The biggest pay-outs until then, that were a result of ransomware attacks, were reported in the year 2016.

A decline in the prices of Bitcoin and improved security awareness have indeed forced ransomware operators to revamp their mode of attack. Today, local governments, small and medium sized businesses, health care organizations, and educational institutions are major targets of the threat actors.

Ransomware groups like Sodinokibi and Ryuk spot unsecured ports like RDP ports to access networks. Most recent attacks show that actors are so sophisticated that once they hack service providers, they even invade networks of partner organizations.

Maze

Recently, in November 2019 Maze ransomware resurfaced the cyber ecosystem, and hacked a plan to attack a security organization – Allied Universal.

The group behind the attack extorted 7GB data, contacted the organization’s management, and demanded 300 Bitcoins in ransom. The actors even threatened to leak sensitive information about the organization unless the management of Allied Universal paid them. When the management refused to pay up, the operators sold around 700 MB of data to Russian hackers and uploaded the remaining data in the wild.

 

Conclusion

Ransomware is growing continuously and exponentially, adding new, sophisticated tools and methods to their arsenal. Businesses that fall prey to their attacks not only lose access to crucial data, but the entire incident tarnishes their reputation. To top it off, ransomware attacks invite lawsuits and compliance issues. To stay safe and to counter the threat actors, organizations need to have proper mitigation mechanisms in place. Maintaining a backup for the data wins you half the battle, but in the long run organizations need to use reliable security software such as CloudSEK’s XVigil to prevent most file encrypting threats. 

Author

Predict Cyber threats against your organization

Related Posts

Behind the Advisory: Decoding Apple’s Alert and Spyware Dilemma

Apple warns of state-sponsored mercenary spyware attacks targeting iPhones in 92 countries. The tech giant links the sophisticated, costly attacks to private spyware firms like NSO Group's Pegasus, often working for governments.

Case Study: Uncovering a Critical Vulnerability in a Life Insurance App That Compromised User Privacy Through Exposed Sensitive Data and Live Activity

This detailed report which delves into a case study on a security incident unveiled with CloudSEK’s Digital Supply Chain Security platform SVigil on an Life Insurance Mobile Application for a prominent bank. 

Blog Image
February 19, 2024

Inaccurate Reporting Regarding RBI Data Breach: CyberExpress by Cyble Erroneously Links Rural Business Incubator (RBI) to Reserve Bank of India and Issues public Advisory

CloudSEK XVigil detected a security breach impacting the Indian Rural Business Incubator. Additionally, CloudSEK noticed an advisory from CyberExpress by Cyble that incorrectly linked the data leak to the Reserve Bank of India, creating unnecessary panic. 

Join 10,000+ subscribers

Keep up with the latest news about strains of Malware, Phishing Lures,
Indicators of Compromise, and Data Leaks.

Take action now

Secure your organisation with our Award winning Products

CloudSEK Platform is a no-code platform that powers our products with predictive threat analytic capabilities.

Breach

min read

The Evolution of the Data Leak Extortion Ecosystem

The Evolution of the Data Leak Extortion Ecosystem

Authors
Co-Authors
No items found.

 

Ransomware is one of the most disconcerting security issues in the cybersecurity ecosystem. It has evolved since its first appearance in 1989, when it was only a primitive trojan that spread via discs, injecting host computers with a virus that encrypts files and hides directories, which are returned only when the victim pays a ransom. They are significantly more sophisticated and costly now.

The release of CryptoLocker in the year 2013 was a milestone in the evolution of ransomware. Unlike its predecessors, this ransomware does not adhere to bullying, which only makes it worse. It directly encrypts all the files on the system and demands a ransom in exchange for its decryption. And now with the likes of Sodinokibi and Maze the ransomware lineage is operating at a huge scale.

Over the years, malicious ransomware operators have expanded the scope of the virus to include screen locker capabilities along with the ability to overwrite boot data records. And thanks to the prevalence of ransomware families, today, ransomware is a global threat that has advanced extortion capabilities and tactics. The perpetrators behind such ransomware groups also target the victim’s personal records and files.  

To ensure the complete surrender of victims,  threat actors have switched to two-fold attack techniques. If the victim refuses to pay the ransom, their data is leaked on public domains or data leak websites.

In this blog, we explain the evolution of the data leak extortion ecosystem through the advancements made by ransomware groups over the last three decades.

Police Lockers

The mid 2010s were dominated by Trojans that took away users access to their screens or browsers. In the year 2012, a fresh scam that involved one such Trojan invaded browsers. It sent messages and fake alerts that masqueraded as the law enforcement agency, only to dupe unsuspecting victims. The message would claim that the victim’s device was found to be involved in illegal activities such as copyright violation or child pornography. The victims are then scared into paying an amount as ransom using prepaid cards like MoneyPak, Paysaf, or Ukash.

During the same period, another ransomware that spread disguised as the FBI victimized thousands of computer users. However, this ransomware came with the additional ability to lock the host computer’s IP address, Windows version, location, and ISP name.

CryptoLocker

2013 witnessed yet another iteration of the malicious software that was capable of encrypting data. CryptoLocker was the first ransomware of this kind and it used 2048-bit RSA encryption. Also, the victims were asked to pay the ransom in Bitcoins for the first time or using prepaid cards. Over time, the operators behind CryptoLocker increased their demand from $100 to $600 per computer. The despicable success of this ransomware led to the launch of other such malicious software like PClock, CryptoLocker 2.0, and TorrentLocker.

Emergence of Ransomware-as-a-Service (RaaS)

In 2015, advanced groups of cybercriminals decided to monetize ransomware through RaaS platforms. In attacks that follow, customers procure ransomware from such platforms on the dark web and share the profit with the authors of the ransomware. RaaS has advanced tracking tools embedded as part of its services. It has been the reason for a surge of ransomware attacks across the world.

Locky Ransomware and KeRanger

The Locky ransomware that was released in 2016 spread malicious Microsoft Word macros, infecting millions of PCs around the world. Another ransomware that made an entry during this period was KeRanger, which leveraged the asymmetric RSA cryptosystem to lock down the victim’s data. KeRanger operators usually demand for $500 from the victim in exchange for the decryptor and instruct victims to visit sites hosted on Tor (anonymity network).

WannaCry and Notpetya

With time, ransomwares have been developed to be stealthier and devastating. In the year 2017, there were multiple ransomware outbreaks, namely WannaCry and Notpetya. These attacks were not detected initially.  And today, threat actors clearly distinguish between individuals and businesses, when they demand a ransom. They consider businesses and organizations to be juicier targets. The biggest pay-outs until then, that were a result of ransomware attacks, were reported in the year 2016.

A decline in the prices of Bitcoin and improved security awareness have indeed forced ransomware operators to revamp their mode of attack. Today, local governments, small and medium sized businesses, health care organizations, and educational institutions are major targets of the threat actors.

Ransomware groups like Sodinokibi and Ryuk spot unsecured ports like RDP ports to access networks. Most recent attacks show that actors are so sophisticated that once they hack service providers, they even invade networks of partner organizations.

Maze

Recently, in November 2019 Maze ransomware resurfaced the cyber ecosystem, and hacked a plan to attack a security organization – Allied Universal.

The group behind the attack extorted 7GB data, contacted the organization’s management, and demanded 300 Bitcoins in ransom. The actors even threatened to leak sensitive information about the organization unless the management of Allied Universal paid them. When the management refused to pay up, the operators sold around 700 MB of data to Russian hackers and uploaded the remaining data in the wild.

 

Conclusion

Ransomware is growing continuously and exponentially, adding new, sophisticated tools and methods to their arsenal. Businesses that fall prey to their attacks not only lose access to crucial data, but the entire incident tarnishes their reputation. To top it off, ransomware attacks invite lawsuits and compliance issues. To stay safe and to counter the threat actors, organizations need to have proper mitigation mechanisms in place. Maintaining a backup for the data wins you half the battle, but in the long run organizations need to use reliable security software such as CloudSEK’s XVigil to prevent most file encrypting threats.