Bleeping Computer reports that ransomware operators have begun using a new tactic that lets them extract more money from victims. The malware's creators now demand two ransoms from affected companies: one for decrypting the data, and another for deleting the information that the hackers stole during the attack. If the victim does not pay, the attackers threaten to publish the data publicly.
The journalists recall that at the end of 2019, ransomware creators began operating under a new scheme. It started with the Maze ransomware operators, who began publishing files stolen from the attacked companies if the victims refused to pay. The hackers set up a special site for such "leaks," and other groups soon followed, including Sodinokibi, DoppelPaymer, Clop, Sekhmet, Nephilim, Mespinoza, and Netwalker.
Now they have been joined by the authors of the Ako ransomware, who went even further than their "colleagues." The group forces some companies to pay a ransom twice: once for decrypting files and once for deleting stolen data. As an example, one victim's data was published on Ako's website: the company paid $350,000 to decrypt the information, but the hackers still published its files because they did not receive a "second ransom" for deleting the stolen files.
One of the Ako operators answered Bleeping Computer's questions and confirmed that double extortion is used only against some victims: it depends on the size of the company and the type of data stolen. As a rule, the second ransom ranges from 100,000 to 2,000,000 US dollars, that is, it usually exceeds the cost of decrypting the data.
The attackers claim that some companies generally prefer to pay for deleting data but not for decrypting it. For example, this was the route taken by unnamed medical organizations in the USA, from which confidential patient data, social security numbers and so on were stolen. The journalists were unable to confirm or deny the criminals' statements.