
Rest in peace, but not too much: this is how ransomware gangs make fun of their victims

by admin

In the beginning there was simple extortion. Cybercriminals found a hole in the victims' cyber defenses, encrypted the data and then demanded a ransom.

Later, if the victim did not acknowledge the damage and refused to pay, the threat to publish the data collected in the intrusion promptly followed, in order to harm them: double extortion was born. But if the victim continued to refuse to negotiate the payment of a ransom, the gang hit the target's website with a DDoS (Distributed Denial of Service) attack, which aims to saturate access to web services and make them collapse under too many simultaneous requests: this was the so-called triple extortion.

Finally, the criminals devised a fourth level of aggression: they began sending e-mails to all the contacts of the affected companies, announcing the imminent publication of their data online following the victim's refusal to collaborate, and inviting those contacts to get in touch with the gang to buy the data and avoid its dissemination.


After the damage, the insult too
As if that weren't enough, ransomware gangs now mock their victims: if they don't pay the ransom, if they don't give in to the threat of looking bad in front of the media and their customers, and if they are equipped to respond to DDoS attacks, the criminals post the data of the target, and more often of its customers, on a new, purpose-built site that uses the victim's official name with a different suffix. It is another way to put pressure on the victims.

Payload.bin, for example, a relatively new ransomware group, has created an ad hoc shaming site to induce victims to pay by making them feel ashamed of the intrusion they suffered. It did not do so on a darknet (from military jargon, a hidden network) like the well-known Tor, but on the Web that we all know, accessible to everyone and indexed by normal search engines, creating a page with the e-mail addresses of the affected company's customers. It is a kind of evolution of the blackmail strategy based on reputational damage, in addition to posting on their DarkWeb leak site.


The real novelty, however, is not so much this as the registration of a domain identical to the victim's, with the suffix .com (to cite the most common example) replaced by .rip, for the purpose of mocking the victim or victims and publishing their data there.

The use of .rip domains to ridicule victims
It is not explicitly stated, but .rip domains were designed to honor a loved one who has passed away, since the acronym RIP stands for the Latin for "rest in peace" (Riposa in pace in Italian). The .rip domain (a top-level domain) belongs to a new class of domains created to make content easier to recognize, like the new .love, .sexy and .lgbt. But in English the word rip also means to tear and, in compound forms, to criticize, disassemble, destroy, tear apart.

What does it mean to use it this way? It's a bit of a threat and a bit of a mockery. It is a threat that everyone understands when associated with death, but which in this case becomes symbolic and metaphorical: if you don't pay the ransomware ransom, your business is dead too. Why? Because nobody will want to use your services any longer, as you have proved vulnerable to these attacks. In short, the criminals exploit a single company's supply chain, that is its production chain, to their advantage to increase the pressure on, and the reputational damage to, their victims.

They do not know, however, that Italian companies are starting to become aware that there is no shame in being breached by cybercriminals. With about 95 ransomware attacks in August alone by Lockbit, Conti, BlackMatter and the like, it is now clear that the trust of customers or users is no longer linked to the alleged impermeability of the services offered to them, but rather to the perceived ability to respond to the attack with adequate strategies, thanks to a solid program of cyber risk and incident response management combined with the ability to communicate honestly and transparently with customers who may be affected by the attack. This is something the Lazio Region, hit by ransomware, did not do, and that other companies affected in the summer (such as Erg, Zegna and Accenture) did halfway, perhaps communicating with customers and little or not at all with journalists.



Criminals negotiate, but with reservations
Unfortunately, alongside this tendency to mockery there is another one. The ransomware groups that are attacking our country with Lockbit 2.0, Lockfile, Conti and others are equipped to enter into confidential negotiations with an advance deposit. The same negotiators who mediate with the victims also select potential buyers and warn them that if they want to see evidence of the intrusions they have to pay a cash deposit. If the buyers then find that they are interested in the material, they pay for it with the deposit deducted; otherwise the deposit is lost. Why do they do it? To avoid wasting time with journalists and researchers, who are slowly learning how to reach the posts of criminal groups on the DarkWeb and see what they have to offer.

It is a non-linear process: inside the gangs (which love to call themselves crews, in a sort of harmony with the culture of writers and privateers) there is some quarreling. Some want the site with the stolen data hidden behind an invitation, others want it public but accessible via Tor, to urge the victims to decide whether to deal or not.

According to Darkfeed, which has so far collected more than 2,000 data breaches, 37% of ransomware victims paid a ransom of around $180,000 on average. Its homepage says that the revenues of ransomware cartels "have reached $150 million since we went online and continue to increase".


Unfortunately for us, ransomware groups include people who know how to work in an organized way: communication experts with knowledge of media and social dynamics and with an explicit economic purpose of a criminal nature. The number of attacks is so high that in this case too, as with traditional crime, it is time to start investigating the gray area of professionals who favor these cyber mafia circuits.
