Following the example of the operators behind both REvil and Maze, many other ransomware families have started to upgrade their arsenal with tools that allow them to gain the upper hand when it comes to ransom collection.
One thing, in particular, has been trending in the past several months, and that's the theft of victim data. The threat actors behind the LockBit ransomware have also reached a new phase in the development of their ransomware, which allows them to steal sensitive data from victims and then threaten to release it.
The LockBit ransomware also appears to have entered a phase in which its developers are comfortable offering it on underground forums as Ransomware-as-a-Service (RaaS). In January they opened a thread titled "LockBit Cryptlocker Affiliate Program" on a well-known underground forum, touting the capabilities of their product. From the post, we learn that the new version of LockBit has been in development since September 2019. The latest version is also claimed to perform better and consume fewer system resources, which the developers present as a way to reduce the chance of detection.
The LockBit operators say that they "do not work in the CIS," meaning that the ransomware is programmed to avoid infecting systems located in the Commonwealth of Independent States, which includes Russia, Azerbaijan, Belarus, Kazakhstan, Kyrgyzstan, Armenia, Moldova, Tajikistan, and Uzbekistan.
Evolving Extortion Method
The most recent version of LockBit drops a ransom note that is rather short and straight to the point. The attackers inform the victim that apart from encrypting their files, they will also "download huge amount of your private data, including finance information, clients personal info, network diagrams, passwords and so on. Don't forget about GDPR."
As previously mentioned, under the EU's GDPR, companies and organizations are responsible for securing any customer data that they keep or face sanctions from the authorities. Threatening to publish valuable data that might include trade secrets, embarrassing correspondence, and sensitive customer and employee information has become a staple of ransomware gangs that want to incentivize their victims to pay up.
Stealing that information also gives the attackers a way to extort the victim even if the victim had prepared for a ransomware attack by backing up their systems. This tactic was first introduced by the Maze and REvil ransomware gangs, with Maze publishing chunks of data when victims failed to meet the ransom demand and taking the leaks down once they paid. Needless to say, once data has been published on the internet it can never be considered safe again, even if the original publisher removes it.