Ransomware has become the name of the game for hackers. Over the past year, we have seen a massive uptick in companies and government agencies attacked using encryption and ransom demands. However, hackers are swiftly changing their tactics to include new and more efficient ways to profit from a single incident.
In the past, ransomware criminals would install malware onto the server or computer and encrypt the data. The malware would then pop up a message demanding a sum of money for unlocking the data. If the person paid, they would provide the key to decrypt the hard drive. If not, the person was left to restore from a backup or trash the disk and lose everything. Very few companies could afford to lose that much data. Therefore, some pay, and some don’t. Some cybersecurity insurance companies are skilled at negotiating with terrorists to pay a more reasonable ransom unlocking the data.
In recent years, ransomware gangs have taken things up a notch by not only encrypting the victim’s hard drive but, before doing, so they exfiltrate the data and post samples on the dark web. They use extortion and threaten to expose all of the customer or company data if the ransom is not paid. This additional pressure has worked well for cybercriminals and netted them quite a profit. However, even these tactics have evolved.
Extortion from Clients/Customers
As reported by KrebsOnSecuity this week, threat researchers are seeing more malicious tactics from hacker groups. Not only are they exfiltrating customer and vendor data, but they are also contacting the victims’ customers and threatening to leak their data if they don’t convince the company to pay up.
KrebsOnSecurity posted a sample sent to RaceTrac Petroleum (a recent victim).
“Good day! If you received this letter, you are a customer, buyer, partner, or employee of [victim],” the missive reads. “The company has been hacked, data has been stolen and will soon be released as the company refuses to protect its peoples’ data.”
“We inform you that information about you will be published on the darknet [link to dark web victim-shaming page] if the company does not contact us,” the message concludes. “Call or write to this store and ask to protect your privacy!!!!”
RaceTrac owns more than 650 retail gas stations and convenience stores. The message was sent to KrebsOnSecurity by someone whose information was included in the data leak. The Clop ransomware gang is responsible for this hack, and they posted information on their leak site, including financial records from the company.
This incident occurred due to a vulnerability with a third-party vendor of RaceTrac’s, Accellion Inc. The group has used this flaw to break into various companies associated with Accellion.
KrebsOnSecurity posted “By exploiting a previously undetected software vulnerability, unauthorized parties were able to access a subset of RaceTrac data stored in the Accellion File Transfer Service, including email addresses and first names of some of our RaceTrac Rewards Loyalty users,” the company wrote. “This incident was limited to the aforementioned Accellion services and did not impact RaceTrac’s corporate network. The systems used for processing guest credit, debit, and RaceTrac Rewards transactions were not impacted.”
This same tactic is being used with people associated with the University of California that also has links to Accellion technology. The Clop ransomware gang has perfected the one-two punch and has begun demanding two ransoms. The first ransom is to unlock data, and the second to prevent the leak of stolen information. These thieves are banking on the assumption that companies care about protecting the privacy of their customers, vendors, and employees.