Does brand and reputation still matter to ransomware gangs?
Ransomware only works if victims actually pay the ransom. A recent Telus report found that 60 per cent of companies say they will not pay a ransom, pointing out that paying does not guarantee restoration of your data. Interestingly, when you look only at companies that were actually attacked, that number shrinks to 37 per cent who did not pay the ransom. Still, it’s a significant percentage.
The Telus report notes: “Ransom payment is not a fair transaction for victims, since the attacker has no obligations or accountability and holds all of the power. It is not surprising that 37 per cent of respondents who did not pay ransom chose that route because their organizations were concerned that they could not trust hackers to engage in fair trade.”
In the early days of ransomware, attackers went to great lengths to make it easy to pay ransoms and prided themselves on ensuring data recovery occurred. Some even went so far as to conduct “user satisfaction surveys.”
The study from Telus can be downloaded from www.telus.com/RansomwareStudy (registration required).
It was almost as if the gangs were trying to establish a brand reputation as a way of encouraging companies to actually pay the ransom. So why have some ransomware providers decided to abandon this “branding”?
This week we saw examples of continual name changes and, in one case, an encryption method used by one ransomware gang that permanently destroyed part of the victim’s data so it cannot be restored even after payment.
Ransomware by any other name – is still a supply chain threat
The Canadian Department of National Defence confirmed Tuesday that a key supplier, CMC Electronics, recently reported that it was the victim of a ransomware attack. Supply chain attacks are nothing new, but this one involved a key supplier to a critical defence initiative.
CMC makes cockpit systems integration, avionics, display solutions, and high-performance microelectronics for military and commercial aircraft. It was also recently selected to supply the avionics and software applications for the Royal Canadian Air Force’s new Calidus B-250 turboprop light attack combat and training aircraft.
It was reportedly attacked by a gang calling itself AlphV which, according to the FBI, also operates under the name BlackCat. According to the same FBI report, the gang had compromised over 60 organizations worldwide as of March of this year.
A researcher at B.C.-based Emsisoft identified AlphV as a rebrand of BlackMatter, which was itself a rebrand of DarkSide. DarkSide ransomware attained notoriety for its attack on U.S.-based Colonial Pipeline in 2021.
Max Heinemeyer, vice-president of cyber innovation at Darktrace, stated that “these cyber-criminals continue to avoid accountability by changing their names and form while relying on the resources of other pre-existing ransomware gangs to perpetrate increasingly damaging and complex attacks.”
The question is whether these many changes in identity will affect a victim’s willingness to pay the ransom. According to our next story, who it is that encrypts your data may make a real difference.
Sourced from an article in IT World Canada
Decrypting your data actually is child’s play.
The WannaFriendMe ransomware gang has made a surprising shift in their business model. While many attackers demand a ransom in Bitcoin, WannaFriendMe forces their victims to buy a decryptor from the wildly successful children’s platform Roblox.
Roblox may be a children’s game, but it is also a serious business. It has more than 150 million active users and has its own marketplace and its own currency, Robux. Victims must use that currency to buy the decryptor from Roblox’s Game Pass store.
In that store, the ‘Ryuk Decryptor’ is sold under the username ‘iRazormind’ and according to an article in Bleeping Computer, sells for 1,499 Robux as of June 5. That is a surprisingly small amount. According to a Robux to USD calculator on the site Sponsor Hunter, that would be the equivalent of US $18.74 (we have not provided links to Sponsor Hunter; it set off our malware detection when we visited the site).
While that price seems low, it might not be a bargain. According to MalwareHunterTeam researchers, although WannaFriendMe is impersonating the notorious Ryuk ransomware, it is in reality a variant of Chaos ransomware.
The Chaos variant is reported not only to encrypt data but also to destroy it. Files larger than 2 MB are not encrypted at all; they are overwritten with random data. If victims purchase the decryptor, only files smaller than 2 MB can be recovered. Given that reputation, why would someone pay even a small ransom knowing that they could decrypt only a small portion of their files?
It also makes us wonder why a gaming world aimed at children would allow ransomware gangs into its marketplace. Roblox has already suffered some reputational damage, with reports of sexual exploitation carried out on its platform. The idea that criminals may now infiltrate the marketplace may give parents more reason for alarm.
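The practical question a responder faces with a family like this is not “can we buy the decryptor?” but “how much would it actually give back?” The following triage script is an added example written for this article; it is not code from the original page, from MalwareHunterTeam or from Bleeping Computer. It walks a directory tree and splits files by the 2 MB threshold reported above, so the recoverable share of data is known before any ransom is considered. Whether the threshold is inclusive is not stated on the page, so it is left as a parameter, and the sample file tree is constructed inside the script.

```python
"""Size-threshold triage for ransomware that encrypts small files but
overwrites large ones with random data (the behaviour reported for the
Chaos variant used by WannaFriendMe).

Added example, not the article's or any researcher's tool. Assumptions:
  - the 2 MB threshold quoted in the article;
  - whether a file of exactly 2 MB counts as "small" is unknown, hence the
    `inclusive` parameter;
  - the sample file tree below is constructed for the demo (sparse files,
    since only sizes matter here).
"""
import os
import tempfile
from dataclasses import dataclass, field

TWO_MB = 2 * 1024 * 1024


@dataclass
class TriageReport:
    recoverable: list = field(default_factory=list)  # (path, size) pairs
    destroyed: list = field(default_factory=list)    # (path, size) pairs

    @property
    def recoverable_bytes(self):
        return sum(size for _, size in self.recoverable)

    @property
    def destroyed_bytes(self):
        return sum(size for _, size in self.destroyed)

    def recoverable_fraction(self):
        total = self.recoverable_bytes + self.destroyed_bytes
        return self.recoverable_bytes / total if total else 0.0


def triage(root, threshold=TWO_MB, inclusive=True):
    """Classify every regular file under root by size against threshold.

    Files at or below the threshold (or strictly below, if inclusive=False)
    are the only ones a purchased decryptor could restore; the rest were
    overwritten with random data and are gone regardless of payment.
    Symlinks are skipped so a link to a large file is not double counted.
    """
    report = TriageReport()
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue
            size = os.path.getsize(path)
            small = size <= threshold if inclusive else size < threshold
            bucket = report.recoverable if small else report.destroyed
            bucket.append((path, size))
    report.recoverable.sort()
    report.destroyed.sort()
    return report


def build_sample_tree():
    """Constructed sample: three files at or under 2 MB, two above it."""
    root = tempfile.mkdtemp(prefix="ransomware-triage-")
    sizes = {
        "docs/notes.txt": 4 * 1024,
        "docs/budget.xlsx": 512 * 1024,
        "docs/boundary.bin": TWO_MB,          # exactly at the threshold
        "media/backup.zip": 50 * 1024 * 1024,
        "media/vm.vmdk": 3 * 1024 * 1024,
    }
    for rel, size in sizes.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.truncate(size)  # sparse file: size without writing the bytes
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    rep = triage(sample_root)
    print(f"recoverable: {len(rep.recoverable)} files, "
          f"{rep.recoverable_bytes} bytes")
    print(f"destroyed:   {len(rep.destroyed)} files, "
          f"{rep.destroyed_bytes} bytes")
    print(f"share of data a decryptor could restore: "
          f"{rep.recoverable_fraction():.1%}")
```

On the constructed tree the decryptor would bring back three of five files but under five per cent of the bytes, which is the figure that should drive the pay-or-restore decision. Run it against a real affected share by calling `triage("/path/to/share")`; the size check is the cheap part, and confirming that large files really are random (rather than encrypted) would need a separate entropy or header check that this example does not attempt.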