A ransomware variant referred to as Ragnar Locker is specifically targeting services used by managed service providers and threatening the public release of found documents. Managed service providers remotely manage a customer’s IT infrastructure and end-user systems. With the remote management services stopped, the ransomware can infect systems without intervention. The scariest thing about this ransomware is that it also claims to perform data exfiltration. According to the attackers, before executing the ransomware they perform reconnaissance and specific pre-deployment tasks on the network and the devices connected to it. The attackers state that one of these pre-deployment tasks is to steal files and upload them to their server. They then say that if the ransom is not paid, the data will be publicly released.
The idea of ransomware coupled with a data breach seems similar to blackmail but is a relatively new concept. Maze was not the first ransomware to claim that data was stolen, but in October 2019 it released 700MB of stolen data from an affected company after the company refused to pay the ransom. Then, in December, the criminals behind Maze created a website dedicated to those who refused to pay. This site contained the company names, dates of infection, and any data stolen from each company. Around this time, the operators of the Sodinokibi ransomware also stated that they would start exfiltrating user data. While there haven’t been any observed dumps related to Sodinokibi, researchers confirmed that its operators are exfiltrating data as part of their attacks. However, a ransom note saying that data theft was part of the attack doesn’t mean that it was.
Telling users that their data will be made public if the ransom isn’t paid can be a convincing tactic to increase the rate of payment. In the business setting, the disclosure of sensitive data could make the organization liable for fines exceeding the cost of the ransom demand.
If the ransom note says that data theft occurred, it is essential to independently verify this, as the claim is often used as a scare tactic. If unable to determine whether data theft occurred, a search for the ransomware variant may provide details as to its behavior. In addition to this, ensuring that backups are in place is an essential part of any ransomware recovery plan. Ragnar Locker is just one of many ransomware strains that now say that they are exfiltrating data. Expect to see more and more ransomware variants claiming data exfiltration, with some following through on that promise.
Sources
- https://www.bleepingcomputer.com/news/security/ragnar-lockerransomware-targets-msp-enterprise-support-tools/
- https://www.coveware.com/blog/marriage-ransomware-data-breach