Ransomware Operators Turn Evil for Late Reposnders and Non-paying Victims

• A group of ransomware actors have threatened to publish data stolen from a German automotive supplier.
• Another group announced that they are going to release 9.5GB of data of a healthcare firm.

Maze ransomware actors have announced they will publicly release 9.5 GB of data stolen from infected machines of Medical Diagnostic Laboratories (MDLab). On the other hand, attackers behind the Sodinokibi Ransomware threatened GEDIA Automotive Group of publishing stolen data after the group allegedly chose not to respond to their ransom demands.

Maze Ransomware threat

As claimed by the attackers, they infected computers from Medical Diagnostic Laboratories (MDLab) files on 231 MDLab stations on December 2, 2019.

• The computers stored tens of terabytes of data but attackers exfiltrated archives totaling 100GB.
• Attackers said that they directed MDLab to ransomware recovery company Coveware to negotiate the payment and seal the deal.
• But, Coveware seems to have a strict policy of not reacting to referrals from ransomware actors.

Sodinokibi Ransomware

GEDIA Automotive Group employs over 4,300 employees all around the world and had a turnover of over $665 million in 2017. The organization was attacked by Sodinokibi ransomware operators in a recent incident.

• Sodin attackers claimed to steal more than 50 GB of data, including drawings, data of employees and customers.
• The group reportedly published an MS Excel spreadsheet containing an AdRecon report with information on an Active Directory (AD) environment.
• Hackers said nobody from the group has contacted them yet so they might leak the data.
• “All this is carefully prepared for implementation on the stock exchange of information,” hackers wrote in an email.

Data exfiltration trend to encourage ransom payment

Stealing and then threatening the victims to release their data is a newly adopted technique by the ransomware gangs. It was discreetly started by the Maze actors last year in November and then picked up by Sodinokibi, Nemty, BitPyLock, and some others.

Experts suggest that the trend is likely to continue in the future to amplify pressure on victim organizations, who already have the increased regulatory and reputational risks hovering over them.