A newly discovered ransomware operator dubbed Ransomed.vc claims to have breached the Sony network and exfiltrated large amounts of company data, which is now being offered for sale on the dark web.
“The group also posted a file tree of the entire leak, showcasing around 6,000 files. For the researchers, this is relatively small, if ‘all of Sony systems’ were compromised. Still, the file tree shows ‘build log files’, some Java resources, and HTML files. Plenty of the stolen files were in Japanese, it was noted,” Tech Radar reports.
The group is noted for employing a unique twist on the double extortion scheme by threatening to report victims for GDPR violations to EU authorities if they didn’t pay a ransom demand.
“In essence, Ransomed VC is leveraging the fear of these substantial fines to extort money from companies. This is an unusual approach, as most extortion or ransomware groups typically focus on encrypting data and demanding a ransom for its release, rather than exploiting data protection laws for financial gain.”
Takeaway: Sony is in a pickle for sure, and they understand all too well the risk of sensitive internal documents being leaked by attackers, as they have been burned by that flame before.
Today's more complex ransomware and data extortion operations are multi-staged attacks where the threat actors are looking to infiltrate as much of the targeted network as possible while exfiltrating sensitive data along the way to be used as leverage.
They threaten to expose the stolen data to put more pressure on the victim to pay the ransom demand and receive the decryption key to restore their systems. In some cases, the attackers will demand an additional payment for the stolen data in addition to the initial ransom.
While Sony has not released any details on the attack, we can assume that RansomedVC likely presented a ransom demand that was not met, which is why the data is being offered for sale.
The threat to expose Sony to possible regulatory sanctions under GDPR is yet another twist on the double extortion scheme, but RansomedVC is not the first to innovate on the double extortion gambit.
Earlier this year, the Snatch ransomware gang threatened to give cyber insurers details of how they infected victims in order to nullify coverage if those victims refuse to pay the ransom demand.
Other variations leveraged by threat actors include threats to inform insurers of infection vectors, threats to notify the victim’s customers their data has been breached, threats to attack customers and business partners, threats of denial of service (DoS) attacks and more.
The threat to expose victim organizations to regulators if they fail to pay could put victims in a tricky situation when considering the best course of action following a successful ransomware attack.
For example, if a victim organization did decide to pay a ransom because they believe that the attack would subject them to regulatory fines, they could be putting themselves in legal jeopardy for withholding material information from regulators, from their insurer, and from stakeholders.
No organization should ever entertain any offer of collusion with attackers. By doing so they would expose their organizations to a degree of legal jeopardy that simply is not worth contemplating.
Halcyon.ai is the industry’s first dedicated, adaptive security platform that combines multiple advanced proprietary prevention engines along with AI models focused specifically on stopping ransomware – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile (PDF).