The Ransomware Arms Race: Malicious Actors Up the Ante

In an arms race, rivals war for superiority in the development and accumulation of weapons, with each side one-upping the other and increasing the overall threat to everyone involved, including uninvolved civilian victims. From rival street gangs to warring nations, the pattern of competition for more effective and destructive weapons is an all too common one.


For those working in incident response and cybersecurity, engaging in a game of cat-and-mouse with ransomware authors isn’t a new phenomenon. It is standard practice for new variations of ransomware to be written in response to actions taken to defeat or mitigate the old versions. One great example of this is the ransomware GandCrab. There are at least five different versions of the GandCrab ransomware, and each version features several revisions to improve GandCrab’s ability to resist detection and removal. The updates occurred as the malware matured and in response to countermeasures developed by industry security experts.

A Dangerous New Milestone: The Publication of Victim Data

We have watched ransomware-wielding threat actors engage in an arms race, which has recently reached a new and dangerous milestone. That milestone is the public naming of victims and the sharing of data stolen from victim organizations who cannot afford or refuse to pay ransoms, as a way to force payment. In the past, ransomware incidents might include the scraping of small amounts of data such as usernames and passwords. Now, however, multiple gigabytes of stolen, unencrypted data are being shared as leverage to guarantee ransom payment.

Maze Ransomware (also known as ChaCha20) operators were among the first to publicly name their victims and to post their pilfered data late in 2019. They initially published victim data on a website hosted in Ireland. Following a lawsuit in December of 2019, the Maze site was successfully taken down, but it was revived in January of 2020, this time with the stolen data dumps hosted in Singapore. And as of February 4th, 2020, the Maze threat actors are at least temporarily using Cloudflare to protect their domain against Distributed Denial of Service (DDoS) attacks. (Federal Law Enforcement has been notified and will work with Cloudflare to resolve this issue.)

Thus begins an international game of legal whack-a-mole: victims try to claw back public access to their data through lawsuits against the criminals responsible for posting it publicly and the ISPs who host that data, while threat actors work to protect their profits.

Other ransomware operators, including Sodinokibi (REvil), followed suit in January 2020 with the confirmed publishing of stolen data after victims failed to make the ransom payment on time. Now, lesser-known variants, including BitPyLocker, are at least threatening similar actions.

Ransomware Ramifications: Data Breach Notification

Ransomware incidents already carried substantial ramifications for affected companies, including the monetary costs of business interruption, restoration from backup and recovery, or payment of ransom. Reputational costs and the costs of investigation, regulatory fines, or notification cause additional impact. Now the stage is set for ransomware attacks to be even more devastating, with a higher probability that any given attack may also be a full-blown data breach. For companies that might previously have been able to recover from backups and move forward, that may no longer be an option if the threat actors publish their confidential data.

Some Things Remain the Same: Intrusion Methods & Techniques

Yet one thing remains consistent — the initial intrusion methods. The old techniques for ransomers, including targeted phishing campaigns with malicious attachments, open RDP ports, leftover remote access tools from vendors, unpatched operating system vulnerabilities, and unpatched software, are still the way into a victim network to carry out the attack.  Now, more than ever, it’s imperative to cover the network security basics.

Don’t fall victim to the apparent ransomware arms race. The Tetra Defense Ransomware Stress Test is a free and convenient way for your organization to determine your preparedness against ransomware attacks.  The professionals in our proactive security team can help you implement effective prevention strategies. If you are already dealing with one, our incident response experts are standing by to help your business respond and recover.
