Why risk having your ransomware victims refuse to pay when you can also add extortion threats that can ruin their business?

The days of typical ransomware (version 1.0) attacks are slowly giving way to an evolved form.

Widespread ransomware attacks—where criminals use malware to encrypt corporate victims’ data and hold it for ransom—are being replaced by more-targeted attacks against specific companies and industries.

In these targeted campaigns, attackers do not only threaten to encrypt data but publish confidential information online. Recent analyses of two notable ransomware families have demonstrated this trend of ransomware evolving into version 2.0.

Ragnar Locker joins Maze

Ragnar Locker attacks are highly-targeted with each sample specifically tailored to the intended victim, and those who refuse to pay have their confidential data published in the “Wall of Shame” section of their leaks site. If the victim chats with the attackers and then refuses to pay, this chat is also published. In July this year, Ragnar Locker operators stated that they had joined the Maze ransomware cartel, meaning the two will share stolen information and collaborate.

Egregor the newbie

Egregor is much newer than Ragnar Locker—it was first discovered only recently, in September. However, relying on the experience of Maze, it uses many of the same tactics, and also shares code similarities. Within 72 hours of breaching a network, if the victims refuse to pay, the attackers publish the names of the victims and links to download the confidential company data on their leaks site.

Egregor’s attack radius is much more extensive than that of Ragnar Locker. It’s been seen targeting victims across North America, Europe, and parts of the APAC region.

Ransomware 2.0

Newer ransomware campaigns are modifying their modus operandi: they are threatening to take stolen company information public. Attacks are becoming highly-targeted and the focus is not only on ransoming victims, but also extorting them with the sensitive stolen data.

Doing so puts not just companies’ reputations at risk, but also opens them up to lawsuits if the published data violates legal regulations. Said Kaspersky’s head of Global Research and Analysis Team in Latin America, Dmitry Bestuzhev: “There’s more at stake than just financial losses.”

Organizations now need to think about ransomware threats as more than just a type of malware, said another analyst at the firm. Security expert Fedor Sinitsyn said: “Oftentimes, ransomware is only the final stage of a network breach. By the time the ransomware is actually deployed, the attacker has already carried out a network reconnaissance, identified the confidential data and exfiltrated it. It’s important that organizations implement the whole range of cybersecurity best practices. Identifying the attack at an early stage, before attackers reach their final goal, can save a lot of money.”