A cybersecurity expert explained why he is convinced that the promises made by ransomware groups amid the pandemic are irrelevant.

Brett Callow — threat analyst at cybersecurity firm Emsisoft — told CryptoNewspeople that multiple ransomware groups recently made promises to halt their activity against medical organizations amid the coronavirus pandemic. Still, he believes that those promises are irrelevant:

“The claims of a ceasefire made by ransomware groups are irrelevant [and] should be completely disregarded. Would you leave your front door unlocked simply because the local burglars had pinky-promised not to rob you? Probably not. The story of the frog and the scorpion comes to mind.”

Empty promises by ransomware groups

In mid-March, cybersecurity news outlet BleepingComputer reported that it contacted a number of ransomware groups. At that time, some of them promised not to attack health and medical organizations during the ongoing pandemic. This is in line with Callow’s comment:

“Claims made by ransomware groups should be taken with a grain of salt. They’ve put lives at risk by attacking hospitals in the past, and it would be a mistake to assume that they would hesitate in doing so now.”

It is worth pointing out that, shortly after making the promise, the black hat hacker group Maze infected the infrastructure of a firm researching the coronavirus with ransomware. As CryptoNewspeople reported yesterday, a recent report also suggests that, despite the promises, hospitals are still being attacked even though global ransomware attacks decreased. Because of the unreliability of their promises, Callow advises media outlets to avoid covering the ransomware groups’ promises:

“Personally, I do not think the press should repeat claims made by ransomware groups as there is really no point or benefit in doing so. The details that the criminals choose to release will be cherry-picked and only information that they want to be in the public domain – probably because they believe it will help their cause in some way. […] The press should avoid portraying ransomware groups as being in any way Robin Hood-like or repeating claims that assist them.”

The cybercriminal groups behind ransomware attacks are highly organized and — according to Callow — in many ways resemble legitimate companies. He explained:

“Ransomware groups operate like legitimate businesses in a number of ways. They adopt strategies that have been proven to work by other groups. […] They test price sensitivity in order to determine the optimal ransom demand. They try to make it as easy as possible for ‘customers’ to ‘purchase’ their product, which is why Bitcoin, the most widely known and stockpiled cryptocurrency, is their currency of choice.”

Ransomware is a constantly evolving threat

Ransomware is widely believed to be one of the biggest cybersecurity threats in the world. This kind of malware is rapidly evolving in ways that continue to make it even more dangerous. Callow pointed out one such change:

“The biggest changes in the ransomware world have been the transition from encryption-only attacks to encryption [and] exfiltration attacks and, more recently, the weaponization of exfiltrated data. Ransomware groups no longer simply publish their victims’ data; they threaten to sell it to competitors, expose ‘dirty secrets’ and use it to attack companies’ customers and business partners.”

Recently, the ransomware group behind the Sodinokibi malware announced its upcoming switch from Bitcoin (BTC) to Monero (XMR) to prevent tracking by law enforcement. Callow pointed out that this may be the start of a new trend among ransomware-specialized cybercrime organizations:

“While there are some instances of demands being made in alternative currencies, this will be the first time that a major ransomware group has settled on a currency other than Bitcoin. Like other businesses, criminal enterprises adopt strategies that have been proven to work and, accordingly, if this switch proves successful for REvil, we’d expect to see other groups begin to experiment with demands in currencies other than bitcoin.”