Ransomware gangs are posting highly-sensitive stolen documents to pressure victims to pay up, including classified reports on multi-billion-dollar strategies of Fortune 50 companies and other dangerous secrets

Mar 14, 2020, 18:20 IST
Omar Marques/SOPA Images/LightRocket via Getty Images
  • Ransomware gangs have recently posted highly sensitive documents they have stolen from companies, including classified business information, a confidential diagram from a defense contractor, and documents related to power plants.
  • Some of the business documents discuss multi-billion-dollar strategies, key vulnerabilities, and deals of Fortune 50 firms.
  • The recent tactic of releasing data as well as locking it up with encryption turns up the heat on victims of ransomware, a $170 billion global problem.
  • Once ransomware has struck an organization it has few good options - experts urge them not to pay for release of their information - and now they also face the release of confidential information.

Cybercriminals are hitting businesses with a ruthless new trend in ransomware - public dumps of the companies' highly sensitive documents, including some with national security implications and others that lay out classified vulnerabilities of Fortune 50 firms.

Documents from some of the biggest names in the industries of oil and gas, defense contracting, energy, and restaurants are present in the data dumps, as reviewed by Business Insider.

According to Brett Callow, a researcher at the Japan-based cybersecurity firm Emsisoft, key documents were leaked after three recent ransomware attacks by well-known ransomware groups. Visser Precision, an aerospace parts manufacturer, was hit by the DoppelPaymer ransom group, which posted Visser's data relating to Lockheed Martin and other companies on a website the group created to pressure its ransomware victims. An international consulting firm was hit by the REvil ransomware group, which posted the consultants' data on Fortune 50 companies on its blog on the dark web, Emsisoft found. And the firm found an industrial power systems manufacturer was hit by the Maze ransomware group, which posted information about power plants' machinery on a website that group maintains.

Ransomware attacks have traditionally locked up an organization's computer systems by encrypting its data and making it inaccessible. The attacks are often triggered by employees clicking on links or attachments in "phishing" emails, which lure victims into engaging with messages made to look like important information. The recent attacks steal the documents as well as encrypting them, then post them to websites with threats to reveal even more if payment is not made soon.

The documents, as reviewed by Business Insider, can be jaw-dropping in their sensitivity:

  • Confidential consultant reports that describe Fortune 50 companies' greatest vulnerabilities and the risks in multi-billion-dollar deals.
  • Credit card information, tax records, and banking information for individuals and small towns.
  • Paperwork and diagrams related to the machinery, processes, staffing, and repair needs of power plants, including a nuclear power plant.

This recent tactic has turned up the heat on organizations caught in a perilous dilemma: Pay criminals to release their data - which they often don't do, anyway - or suffer downtime as they try to bring their computer systems back up and reclaim their data. Now they have little time to find a solution, because the clock is ticking as their biggest secrets are slowly revealed to the world.

One of the ransomware gangs recently added this message to a data dump that included passwords linked to Defense Department files:

"Every day more and more information will be uploaded."

Weapons plans posted publicly

Early this month a ransomware gang posted data that included what appears to be a diagram from a large weapons project. The document, reviewed by Business Insider, includes the warning "DESTROY BY ANY METHOD THAT WILL PREVENT DISCLOSURE." The document says that it contains Lockheed Martin proprietary information.

The defense contractor said it was "aware of the situation," which was a data dump of information from one of its suppliers, Visser Precision. Lockheed Martin said it was "following our standard response process for potential cyber incidents related to our supply chain. Lockheed Martin has made and continues to make significant investments in cybersecurity, and uses industry-leading information security practices to protect sensitive information."

Visser said it "was the recent target of a criminal cybersecurity incident, including access to or theft of data. The company continues its comprehensive investigation of the attack, and business is operating normally."

Risk to national security and Fortune 50 companies

Cybersecurity analysts do not take these document leaks lightly.

"The data that was stolen in these incidents could pose a risk to national security," says Callow, the threat researcher at Emsisoft who found the documents. "The data could be sold to foreign governments or possibly even simply downloaded by them. It is almost a given that other governments are monitoring these websites in case sensitive and usable information is posted."

But Callow believes the cost to businesses could be a bigger and more widespread problem. Recent data dumps Callow has found that have been reviewed by Business Insider include confidential corporate guidance that consultants gave Fortune 50 companies in deals estimated at $12 billion and $20 billion. Some of the advice was later quoted by stock analysts after significant moves by the companies.

In data dumps, clients' information is spilled, too

"In data-exfiltration cases, it may not only be the victim company's own data that is compromised, but also the data of its clients," Callow says. "This is a nightmare scenario for any business, especially as threat actors post stolen data."

Callow believes companies have an obligation to disclose such attacks, and treat them as they would a data breach. "Incidents must be disclosed promptly to clients and business partners. A company that does not do so is exposing their clients and partners to risk and depriving them of the opportunity to devise a mitigatory strategy in response to the breach."

But what should those strategies be? As Baltimore's painfully expensive experience shows, not paying can be a difficult approach. But paying ransoms encourages more attacks, experts say.

No More Ransom Project offers tools - and hope

The No More Ransom Project, an initiative by the Netherlands' police, Europol, and the cybersecurity companies Kaspersky and McAfee, aims to help victims of ransomware retrieve their encrypted data without having to pay the criminals.

"We don't encourage payment, as it helps feed a vicious business model that impacts and damages society with devastating consequences," says Raj Samani, McAfee's chief scientist. "It's important to establish a working plan which you practice if or when you are a victim of ransomware. This means you want to be absolutely clear about the latest tactics, and your plan considers a possible escalation in hostilities."

Forrester recently reported that most large companies are practicing how they respond to cyberattacks, and investing in expert guidance in this growing area. In a recent report, Forrester found that "62% of global enterprise security decision-makers indicated that they have implemented incident-response-as-a-service and a further 17% plan to do so in the next 12 months."

A $170 billion global problem

The costs can be staggering. Emsisoft found that in 2019, the US was hit by "an unprecedented and unrelenting barrage of ransomware attacks that impacted at least 966 government agencies, educational establishments and healthcare providers at a potential cost in excess of $7.5 billion" - just for those three sectors.

The company found that a third of companies said they paid a ransom - even though payment, often through cryptocurrency, often does not buy them decryption of their data. Criminals often provide a faulty computer program "key" that doesn't release files, or no key at all. Payments average $84,000 apiece.

But the ransom payments are often nothing compared to the cost of computer downtime, which Emsisoft estimated at $10,000 a day for organizations. The total cost of ransomware this year, Emsisoft estimates, will be at least $9.3 billion for the US and $170 billion globally.

Baltimore's painful - and expensive - lesson

Perhaps no organization has felt the dilemma of whether to pay a ransom more keenly than the City of Baltimore. In May 2019, the city was hit with a ransomware attack demanding $76,000, and it decided not to pay - following the guidance of many cybersecurity companies. As recovery from the attacks dragged on, that decision cost the city at least $18.2 million in restoration costs and lost revenues, according to new research released Wednesday by Deloitte.

The research found that ransomware attacks may be inevitable for many organizations, and governments in particular, and urged companies to practice ransomware situations. "Rehearse with a realistic scenario so that you're able to simulate the decisions that you might have to make," the Deloitte report says. "You don't want to be forced to decide under duress."

Callow, the Emsisoft researcher who has made a study of the documents, says the most concerning thing about the documents is that "it could be that only less-sensitive data has been published so far. Were an actor to publish a company's 'crown jewels,' it would have far less incentive to pay to prevent the remaining data being published."
