More ransomware groups threaten to publish data stolen from non-payers
More and more ransomware groups are starting to steal data before encryption in order to blackmail their victims into paying up
Three new ransomware groups have established websites where the sensitive data of non-payers will be published, adopting the strategy established last year by the Maze ransomware group. That approach was subsequently copied by the Sodinokibi/REvil group, Nemty and DoppelPaymer, and now looks to be going mainstream among cyber-crime groups.
The new groups include the Nefilim ransomware group, which has set up a site called "Corporate Leaks"; the CLOP ransomware group, responsible for an attack on Maastricht University in February; and the Sekhmet ransomware group, a relatively new group, according to BleepingComputer, which has set up a site called "Leaks leaks and leaks".
The Sodinokibi/REvil group was responsible for the attack on Travelex on New Year's Eve, which took the company's systems down for a month. Travelex's parent company, Finablr, is now on the verge of calling in administrators.
It's not known whether the Sodinokibi ransomware group exfiltrated data from Travelex prior to encrypting the company's systems, and it hasn't publicly threatened to publish any Travelex data, at least not yet. The company is also believed to have negotiated with the gang regarding payment, although Travelex has refused to confirm or deny whether it paid up.
The group is believed to have taken advantage of an unpatched Pulse Secure VPN server to gain entry, and could have had access to Travelex's systems for months before it launched the attack.
Information about the Travelex ransomware attack is sketchy, as the company has refused to release any comprehensive details.
Travelex had claimed that, strictly speaking, it had not suffered a data breach, as there was no evidence that data exfiltration had occurred. As a result, it argued that it did not need to report the attack to the Information Commissioner's Office (ICO) within the 72 hours required under GDPR.
The ICO, however, will almost certainly have a different interpretation, with ransomware widely believed to constitute a data breach under GDPR.