Original Release Date: 8/28/2020
Summary
In late 2019, ransomware threat actors began threatening to release data stolen from victim networks if ransom demands were not paid. This tactic is increasingly common and is consistent with recent incident reports submitted to the NJCCIC. Additionally, several threat actors – Darkside being one of the newest – are also running leak sites, to which they upload stolen victim data. Threat actors use the threat of releasing stolen data as added pressure to pay ransoms, even when victims have usable data backups. The University of Utah is a recent ransomware victim that chose to pay the ransom demand due to the sensitivity of the data stolen by the threat actors.
Recommendations
The NJCCIC recommends businesses and organizations ensure they have a comprehensive data backup plan that includes keeping multiple, tested copies off the network, with at least one copy kept in a separate and secure location. Additionally, organizations are advised to keep any sensitive network data encrypted at rest and in transit to prevent threat actors from publicly exposing any stolen data. We encourage users and administrators to review and implement the recommendations in the NJCCIC Ransomware: Risk Mitigation Strategies guide.