A Canadian agricultural services company is apparently among the first victims of a new strategy in ransomware: Auctioning stolen data to other threat groups so they can leverage it.
A website called “Happy Blog” run by a threat group dubbed REvil is auctioning data it says was stolen from a London, Ont., company that offers crop advisory and protection services. The auction notice says the data available includes accounting documents and customer accounts for the last three months.
Included as proof of what’s up for sale are two documents: A copy of a personal net worth statement submitted to a credit union, apparently in support of an equipment loan, which includes the applicant’s name, social insurance number, date of birth, cellphone number and financial net worth — information that could be used for identity impersonation; and a copy of a credit application to the agriculture company with the applicant’s name, social insurance number, date of birth and phone number.
Criminals who want to participate in the auction, which has a deadline of the end of this week, have to leave a $5,000 deposit. The starting price is $50,000, with a blitz price of $100,000.
IT World Canada hasn’t been able to contact the agricultural company to confirm it is the victim. Its phone line has been busy. We have decided not to email the company for comment because REvil is also reposting email messages from company employees referencing the attack, suggesting the attacker has control over messaging.
According to Brett Callow, a B.C.-based threat researcher for the security firm Emsisoft, the goal of this new tactic is to increase pressure on victim companies to pay for decryption keys.
Ransomware started off several years ago as an encryption weapon, with attackers threatening that unless the ransom was paid, victims would never regain access to their data. That threat was blunted to some degree if victim organizations had untouched backups; what they would lose was some productivity during restoration and possibly the cost of new computers, servers and hard drives. Some security companies have also been able to crack the encryption of some malware and create decryption keys. And because encryption alone isn’t data theft, some companies kept the incidents quiet from customers and regulators.
To get around this, late last year the Maze ransomware group added a new tactic: Copying data before encrypting it, then threatening that victims’ sensitive information would be released publicly unless the ransom was paid. For the attacker, this adds pressure to pay so the victim can avoid the embarrassment of a public release of data and the subsequent loss of customers. The most recent example is the ransomware attack on a New York City entertainment law firm — also allegedly by REvil — with the threat of the public release of documents about Madonna and other celebrity clients. There has also been the threat of releasing files on Donald Trump, but no documents have yet surfaced.
Now an auction has been added so the attacker can monetize stolen data if the victim refuses to pay the ransom. This is a tactic, Callow says, that is sure to be copied by other ransomware groups.
“The primary intention is to instill more fear into victims,” Callow said. “Having your data auctioned and sold to other criminals and possibly competitors sounds worse than having it published online.”
Emsisoft has heard of ransomware groups claiming to have sold stolen data to other criminal groups, but the auction tactic is new.
“It may not make them a huge amount of money,” he said. “But it will put additional pressure on future victims.”
One of the first warnings that threat groups were combining ransomware with data theft came from the Ontario Provincial Police, who told a conference of municipal infosec professionals last October that multi-factor authentication was one of the leading strategies organizations could use to slow the spread of ransomware.