Back to the list

Here Is How Ransomware Operators Sucker-Punch Stubborn Victims

19 July 2021 12:30, UTC
David Balaban

A shift towards targeting companies rather than individuals was one of the biggest milestones in ransomware evolution. This tactic gained momentum around 2018 and continues to be the name of the game in the cyber-extortion area these days. Ransom demands have soared ever since, reaching tens of millions of dollars per infected company.

Threat actors’ logic is as clear as crystal: businesses can pay more than end-users to redeem their data. True, but the only flaw in this train of thought is that the “pay or not” quandary is incredibly tough when a huge amount of money is at stake.

It comes as no surprise that most plagued organizations refuse to cooperate. This makes criminals think outside the box and come up with ways to intimidate victims into coughing up the ransoms. Let us go over these intricate coercion techniques.

Leaking stolen data

Most ransomware distributors quietly download companies’ files to their servers in addition to encrypting the original versions. This approach was first used by a gang called Maze in November 2019 and is now the norm in this segment of cybercrime. The fact that attackers possess their victims’ data gives them a leg up in ransom negotiations.

The double-extortion boils down to the following narrative: paying the ransom is a prerequisite for both data decryption and the secrecy of the company’s sensitive information. In case of non-payment, malefactors threaten to implement their plan B by leaking information related to customers, employees, and corporate secrets via special “public shaming” sites or hacker forums. Since the disclosure of critical data is disastrous for the average enterprise, many victims give in to riffraff.

The DDoS scare

Some extortion groups deluge the websites of breached companies with anomalously large amounts of traffic when the initial negotiations turn out unsuccessful. At the time of writing, this method is in the handbook of Avaddon, REvil, RagnarLocker, and SunCrypt ransomware authors.

When a corporate website goes offline, an organization’s online presence can be seriously disrupted, not to mention reputational issues. Therefore, the victim may become more submissive and accept the felons’ demands to stop the DDoS attack. This kind of blackmail will likely thrive due to the low cost of DDoS-for-hire services on the dark web

Repurposing receipt printers in stores

A unique extortion tactic was unleashed against a large Chilean retail company Cencosud last year. In addition to raiding the victim’s networks with a file-encrypting program, the makers of the Egregor ransomware hacked its point-of-sale receipt printers and remotely executed scripts to make the devices print ransom demands.

This was happening right in front of numerous customers who were visiting the organization’s stores across the country. Businesses usually do their best to avoid publicity when faced with ransomware incidents, but a quirk like this makes such efforts futile and puts more pressure on any victim.

Misusing Facebook ads

In November 2020, a gang at the helm of the Ragnar Locker ransomware leveraged an offbeat method to subdue a “disobedient” victim. They ran a sketchy advertising campaign from a compromised Facebook account belonging to a well-known deejay. This way, the criminals were trying to spread the word about a ransomware attack previously fired against Campari Group, a popular Italian beverage maker.

The campaign collected thousands of ad views before Facebook’s anti-fraud systems pulled the plug on it. This activity fits the mold of a mechanism aimed at informing people about the target’s crude security practices.

Phone calls to journalists

In March 2021, a ransomware group called REvil announced plans to step up its extortion schemes. The malicious actors started recruiting people to make voice-scrambled VoIP calls to news outlets and victims’ business partners. The objective is to boost the publicity of the attacks and force companies to cooperate. To top it off, REvil authors launched a service allowing their affiliates to execute L3 and L7 DDoS attacks against mulish victims.

Manipulating the customers

Earlier this year, the group at the helm of a ransomware family called Clop began an email campaign, contacting the customers of organizations whose data was stolen in a large-scale Accellion data breach that took place in December 2020. On a side note, this compromise parasitized several vulnerabilities in File Transfer Appliance (FTA), one of Accellion’s flagship products. This foul play allowed crooks to obtain data belonging to jet maker Bombardier and energy company Shell, to name a few.

In their provocative emails, Clop ransomware authors emphasized that the recipients’ sensitive files had been leaked and would end up on publicly available resources unless the affected organization pays up. This stratagem could make some customers submit official inquiries to the companies regarding the intactness of their data, which is an element of pressure in and of itself.

Service interruption making clients frown

In late February 2021, a major US-based payroll platform PrismHR had to halt some of its critical operations due to an IT incident. This outage was hugely impactful because more than 80,000 corporate customers heavily rely on the company’s turnkey HR management services.

The organization never explained what caused this disruption. However, researchers believe it was the aftermath of a ransomware attack, given that the situation occurred over the weekend when most extortionists piggyback on victims’ low preparedness to tackle a cyber incursion.

Although PrismHR reportedly had up-to-date backups in place, restoring such massive systems and databases takes time. In the meanwhile, thousands of disgruntled clients could push any company to look for shortcuts and resume its services faster, which is exactly what criminals want.

Extortion marketplaces kick in

To diversify their data monetization schemes, cybercriminals have recently launched several leak marketplaces that sell records stolen in breaches and ransomware attacks. A few examples are Dark Leak Market, File Leaks, and Marketo. The latter took this disgusting business to the next level in June 2021. Its proprietors have been contacting victims’ competitors with offers to buy stolen data.

Last April, Marketo authors claimed to have hacked a high-profile defense technology firm and put its data up for sale. This move probably did not meet the felons’ expectations, and they switched to a different strategy. They started sending emails to the victim’s business rivals to offer a demo portion of data about its tax reports, customers, and partners. When in the wrong hands, this information can be used to cause serious reputational damage or give unscrupulous entrepreneurs a competitive advantage.


From data leaks and DDoS attacks to ad campaigns on social networks and ransom note printouts, the scare techniques in ransomware developers’ repertoire are increasingly effective. No matter how hard the predicament may appear, though, organizations should consider all alternatives before surrendering to crooks.

Let us face it: every ransom paid is an investment in one of today’s most revolting cybercrime vectors. Moreover, no one can possibly guarantee that the attackers will keep their promises and decrypt data or wipe stolen information from their servers.

The most reasonable approach is to focus on prevention. Data backups, a security awareness program for employees and proactive protection of the enterprise digital infrastructure through tools that detect malware, intrusion detection systems (IDS), and DDoS mitigation services should do the trick.

About the Author

David Balaban is a computer security researcher with over 17 years of experience in malware analysis and antivirus software evaluation. David runs MacSecurity.net and Privacy-PC.com projects that present expert opinions on contemporary information security matters, including social engineering, malware, penetration testing, threat intelligence, online privacy, and white hat hacking. David has a strong malware troubleshooting background, with a recent focus on ransomware countermeasures.