The Cybernews research team has assessed that the platform Dolly.com, which offers on-demand moving and delivery services, was the victim of a ransomware attack that resulted in the leakage of sensitive company and customer data despite evidence the company paid at least a portion of the ransom demand.
“The attackers complained that the payment wasn’t generous enough and published the stolen data. Not only that, but the criminals also shared a chat with the company on an underground criminal forum,” Cybernews reports.
“One of the emails between the attackers and the victim, dated September 7th, showed that Dolly.com agreed to pay the ransom. In exchange, the attackers were asked to delete the stolen information.”
According to the threat actors, Dolly.com did pay at least a portion of the ransom demand, but it is assessed that the attackers may have kept the payment as well as the data.
“To add salt to the wound, the attackers uploaded the data and posted two download links on a forum infested with cybercriminals. Not only did the company allegedly lose money and data, but its attempt to mute the attack also failed,” Cybernews reports.
“Dolly.com paid the ransomware operator to avoid the attack going public. The attackers felt the sum was insufficient. This was later presented as the main motivation to publicize the hack and announce a data auction along with sample files and free-downloadable archive dumps.”
Takeaway: Ransomware attacks today routinely include data exfiltration, which can compound recovery efforts, increase financial losses, and damage an organization's reputation, leading to the loss of customer trust.
The tactic is called double extortion, where the threat to leak exfiltrated data is designed to motivate victims to pay the ransom demand even if they have the ability to recover from the ransomware attack itself.
The Biden administration recently hosted a summit for multinational security leaders from 50 nations, at which it encouraged non-payment policies regarding ransomware and data extortion attacks.
While this seems to be the logical approach in theory, in reality this is a very difficult decision that has the potential for serious repercussions no matter which path a victim organization chooses.
"Ransomware attacks on critical infrastructure providers and other organizations are rising to the level of cyber-terrorism, and the government needs to start treating them as such,” said Jon Miller, CEO and co-founder of anti-ransomware solutions provider Halcyon.
There are no easy, one-size-fits-all answers here, and the government’s guidance belies this fact. It oversimplifies the problem and is further evidence that the authorities really do not have a handle on how to address the growing threat from ransomware and data extortion attacks.
“I’m at a loss for words. Just how disconnected from reality does someone need to be to think this will work? The US government is basically telling private industry that they should, in some cases, bankrupt their business because the government can’t protect them,” Miller explained.
“On the other hand, if you pay a ransom, odds are they are going to attack you again. If you can recover without paying the ransom, do it, your chances of them attacking you again are much lower."
Advocates for paying ransoms believe that it's the quickest and easiest way to regain access to valuable data and reduce the overall impact of an attack. Case in point: Caesars recently paid a ransom demand that was just a fraction of the losses MGM experienced after being attacked by the same threat actors.
Those who oppose paying the ransom rightly insist that doing so only incentivizes threat actors to continue their attacks by reinforcing the financial motivations that drive the ransomware economy.
This is the crux of the government’s argument, and while it’s an assertive position on its face, in reality it still leaves organizations on the hook regardless of which option they choose.
“Paying a ransom demand can present legal liability issues for the victim organization, especially if the attackers are sanctioned, as is the case with Russian ransomware operators. As well, not paying a ransom demand can also create legal and liability issues,” Miller noted.
For example, the U.S. Securities and Exchange Commission (SEC) announced enforcement actions against software services provider SolarWinds Corporation and the company’s chief information security officer, Timothy G. Brown, alleging fraud and internal control failures related to known security risks.
“Does anyone really think the government will stand behind the CEO after they are sued by investors because they saw a drop in share value for not paying a ransom demand because they are following the advice of the authorities?” Miller continued.
“The US government needs to stop telling American companies that they just have to fend for themselves. We need more than proclamations; we need intervention and protection from what are known to be nation-state threat actors freelancing in cybercriminal attacks on the side.”
Ultimately, paying the ransom does not address the root cause of the problem, which is the vulnerability of the victim's systems to ransomware attacks. Instead of paying, Miller advises organizations to focus on implementing prevention and resilience measures that protect them from ransomware attacks in the first place.
Halcyon.ai is the industry’s first dedicated, adaptive security platform that combines multiple advanced proprietary prevention engines along with AI models focused specifically on stopping ransomware – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.