Our friends at Bleepingcomputer report that the REvil group is threatening to use exfiltrated data obtained before the encryption process to increase pressure on victims to pay up or face more consequences.
According to Bleeping Computer: "In a new post to a Russian malware and hacker forum shared with us by security researcher Damian, the public-facing representative of the REvil ransomware known as UNKN states that a new 'division' has been created for large operations."
"REvil goes on to say that if a company does not pay the ransom, the ransomware actors will publicly release the stolen data or sell it to competitors. It is in their opinion that this would be more costly to the victim than paying the ransom."
This is not the first use of this tactic. In early December ZDNet reported that CyrusOne data centers were hit by a ransomware attack. A sample uploaded to VirusTotal identified the cause as Sodinokibi/REvil. Bleeping Computer also reported that the REvil persona UNKN "claimed" in a post on a Russian hacker forum that they retained and exposed data in that event. In November, Allied Universal was the victim of a Maze ransomware attack. To apply pressure, the Maze ransomware group uploaded a small portion of Allied Universal's data to a hacking forum and continued to apply more leverage with escalating threats of additional exposure.
These tactics put victims in a serious dilemma. If the victim doesn't pay the ransom, the attackers can continue to apply extortion pressure by threatening to expose more and more of the exfiltrated data, whether on the dark web, to competitors, or to the public. The attack may then also be considered a data breach if any of the exposed data includes PII (personally identifiable information), HIPAA (Health Insurance Portability and Accountability Act) protected health information, or other "protected" data.
In addition to the loss of data, lost business uptime, remediation costs, and forensic examination of the compromised computer systems, the threat of civil lawsuits or other consequences from third parties may follow. Ransomware continues to be a major threat. Bleeping Computer has the details.