It might seem like a strange concept for a cybercriminal to have a sit-down interview with the media, but whether it is an attempt to justify their actions or an attempt to gain notoriety, some career-criminals have been happy to share some useful insights.

Over the past year a variety of individuals who are associated with hacking groups, including REvil, MountLocker and LockBit, have come forward for interviews to describe their strategies and target selection process. This gives us an opportunity to find out more about their motivations and tactics so we can better protect ourselves against ransomware cyber-attacks.

Hacking Groups Rebranding

When your average business is carrying an unwanted reputation it’s a common strategy to rebrand so you can appear to be a new and fresh company in the eyes of the consumer. When hacking groups come under a too much scrutiny or pressure, they sometimes secretly do the same. In the USA, following recent ransomware attacks the Biden administration escalated efforts to crack down on hacker and ransomware groups.

Just last month we spoke about the hacking group DarkSide and their ransomware attack on Colonial Pipeline, causing chaos as they disrupted gas supplies along the East Coast of the United States. On top of this a different hacking group, REvil (sometimes known as Sodinokibi), had earned themselves an $11 million pay-out through their ransomware targeting meat-processing giant, JBS, and software firm, Kaseya.

Following such high-profile attacks, the US and Russian government discussed how Russia can assist in the crack down on cybercriminals who operate within the country to attack businesses worldwide. Since then DarkSide and REvil have been unusually quiet. A new operation named BlackMatter has appeared, claiming to have “incorporated … the best features of DarkSide, REvil and LockBit.” – is it just a coincidence BlackMatter appeared as DarkSide and REvil disappeared, or have they simply rebranded?

False Claims of Data Theft

As we have said before, ransomware works by holding a company’s private data and forcing them to pay a ransom to avoid the cybercriminals leaking or deleting the data. But what if the hacking group simply lied, claiming they had accessed valuable information when they hadn’t?

Unfortunately, this is a scare-tactic that hackers will use in order to increase pressure on a company being attacked. This is proven in an excerpt from a conversation between one of REvil’s ‘customer support’ team and their victim where it clearly shows REvil claiming “We took your data” and later retracting their statement after receiving a payment for $25,000 from the victim, saying “We did not take any data from you.”.

Cybercriminals will use many tactics in an attempt to cover up the fact they do not really possess your data, nor have they ever had access to it. They do this in the hopes that you will be concerned enough to make a payment without the proof. Be sure to put pressure on and ask for solid proof of a cyber-attack before making any decisions regarding the ransom.

Double Extortion

As we’ve already established ransomware groups are criminals, and they will use whatever tactics they can to get their hands on more of your money. Whether it’s pretending to have data that they don’t, pedalling false promises, or pulling figures out of thin air, cybercriminals have a collection of lies ready to go.

A newer tactic called double extortion involves demanding a ransom for a decryption keys or software (which cannot be trusted anyway), then demanding a second ransom amount for the data to be deleted from their systems. Ransom recovery company, Coveware, warned that “unlike negotiating for a decryption key, negotiating for the suppression of stolen data has no finite end,”, meaning hacking groups might not delete your data and come back for further ransoms in the future.

Some firms have even gone as far to use triple and quadruple extortion techniques, with REvil being noted as repeatedly going back to some firms and asking for even more money if they do not want their data leaked. Like Coveware stated, this is potentially endless money for the attackers as you can never truly guarantee that they have deleted your data.  

These are a few of the top tricks that hackers and hacking group use to get data and put pressure on a company to pay ransoms. If you want to know more about ransomware attacks then you can read one of our recent blog posts, “What We Can Learn from Ransomware Attacks in 2021” .

Here at Euclid Security, we can help you protect your firm against ransomware and other types of attacks through our technical and consultation services. We offer a variety of services to help do this, such as security assessments, security awareness and training and more. Get in touch today for a no obligation discussion.