Ransomware operators now threatening to publish stolen data in extortion demands

The big attack on Baltimore marked the beginning of a new trend, according to one analyst.

Ransomware attackers typically encrypt files with the promise of decryption if victims make good on hefty ransom demands.

But the status quo among ransomware operators has been shaken in the last several months, and they’re now beginning to move away from just demanding ransoms from victims. They’re also running hack-and-leak operations, according to CrowdStrike.

“[A] trend that we’re starting to see in the last couple of months is that when victims don’t pay the ransom … threat actors have actually been threatening to disclose their sensitive files. So they’re actually exfiltrating data from the victim and threatening to disclose it,” CrowdStrike vice president of intelligence Adam Meyers said Wednesday while speaking at the virtual CrowdStrike’s Fal.Con for Public Sector Conference, produced by FedScoop and CyberScoop.

In at least one case, attackers auctioned stolen data to the highest bidder on a custom-built website, Meyers said.


“This is an escalation in the ransomware operations where they’re now moving into extortion in a big way because they want to maximize their returns,” Meyer said.

Meyers wasn’t more specific about that breach. Yet his warning comes as the hackers behind Sodinokibi or REvil ransomware have launched an auction site, called “Happy Blog,” in recent days to sell stolen victim data to the highest bidder, according to Malwarebytes.

It’s “an alarming escalation in how they operate,” and can also serve “as a secondary way of enticing the victim to pay the ransom demand,” Meyers noted.

Given the typically high extortion fees that come with ransomware attacks, companies concerned about these hacks are often advised to prepare backups of their files so paying the criminals isn’t actually necessary. But with this shift in strategy, even the savviest companies run the risk of having their most sensitive files and information made public.

Meanwhile, paying the ransom also got a lot harder, according to Meyers. Ransomware operators have lately been increasing the price of their ransom demands, Meyers said, making it far less likely victims will be able to pay up, and far more likely their files could be released to third parties.


”Throughout the year [of 2019] the pricing was going up and up and up,” he said. “Different threat actors that we track have ranged from anywhere down to $1 million up to $12.5 million and recently we’ve been seeing ransom demands in the $20 million range. This is a disturbing trend.”

One of the earliest examples of this kind of extortion technique was the ransomware attack against Baltimore, Md. last year, in which criminal hackers targeted tens of thousands of Baltimore city government computers. Soon after, a Twitter account apparently affiliated with the Robbinhood ransomware gang leaked documents that it claimed served as evidence the hackers had been inside the city’s networks.

One suspected group of Russian attackers known as Wizard Spider has evolved in the last year to focus on exfiltration, Meyers said. Historically the group has focused on using TrickBot, a banking malware, to target victims.

“They’ve been taking files that have interesting names, or keywords in them, and some of those are actually of a national security concern, things like looking for classification, looking for sensitive government type documents, along with documents pertaining to SEC filings,” Meyers said.

Just this April, other ransomware actors leaked and sold a Los Angeles suburb’s data online after it did not meet a ransom demand.


More recently, other ransomware actors have threatened to leak data from colleges around the country that would reveal students’ personally identifiable information.

Shannon Vavra

Written by Shannon Vavra

Shannon Vavra covers the NSA, Cyber Command, espionage, and cyber-operations for CyberScoop. She previously worked at Axios as a news reporter, covering breaking political news, foreign policy, and cybersecurity. She has appeared on live national television and radio to discuss her reporting, including on MSNBC, Fox News, Fox Business, CBS, Al Jazeera, NPR, WTOP, as well as on podcasts including Motherboard’s CYBER and The CyberWire’s Caveat. Shannon hails from Chicago and received her bachelor’s degree from Tufts University.

Latest Podcasts