We recently wrote that ransomware operators are coming up with new extortion tactics. Now information security experts say that the operators of the Nemty ransomware have also begun publishing data stolen from victims.
For example, the developers of Sodinokibi (REvil) are considering creating a system that will automatically send emails to stock exchanges such as NASDAQ. The plan is to inform the exchanges about attacks on specific companies that refuse to pay the ransom, which will, of course, negatively affect the value of those companies’ shares.
“The stealing and publishing of stolen data, which in many cases includes company financials, personal information of employees, and client data, automatically escalated these ransomware attacks into data breaches,” BleepingComputer cites specialists’ opinion.
In addition, the main trend among ransomware operators in recent months has been the publication of data stolen from affected companies. Malware developers therefore urge affiliates to copy the victim’s data before encryption so that it can be used as leverage (and, if that does not help, made public or sold).
The Maze developers have already launched their own sites for this purpose, and after them the DoppelPaymer and Sodinokibi operators set up similar leak sites (“drain tanks”). The published information may include the company’s financial documents, personal information of employees and customer data.
Now BleepingComputer has warned that the hacking group behind the Nemty ransomware has set up a similar site for leaking stolen data.
The Nemty ransomware is the latest cybercrime development aimed at creating a data leak site to punish victims that refuse to pay ransoms.
The data of one victim has already been published on the cybercriminals’ blog. The name of the affected company was not disclosed; it is only known that it is an American shoe company and that the published dump contains 3.5 GB of files.
“As more and more ransomware operators begin utilizing this extortion tactic, victims will need to consider all ransomware attacks a data breach. This means filing notification with the government, alerting affected people, and sending out breach notifications,” write BleepingComputer journalists.
The attackers are hoping that these extra costs and the potential reputation hit may push some victims into paying a ransom.