5 Cyber Criminal Ransomware Mistakes to Make You Smile


Even criminals have an off day. After all, human-led ransomware attacks are just that: human. Which means the criminals behind them can, and often do, make errors.

While ransomware adversaries can appear scary to defenders, with a lot of bravado to back up their threats, there are many examples of ransomware attacks that, unfortunately for the criminals, didn’t go according to plan.

Here are the top five ransomware adversary mishaps Sophos Rapid Response incident responders recently spotted during investigations.

1. Go Ahead, Make My Day

Sophos Rapid Response responders recently assisted with an attack in which Avaddon ransomware attackers had the tables turned on them by the victim. The attackers used a common threat – warning the victim they would publish the stolen data if the victim didn’t cooperate.

The victim, struggling to recover some of their stolen information, simply told the attackers to go ahead and leak their stolen data. The attackers made good on their threat – and leaked the data. As a result, the victim got back the information they wanted.

2. The Ransomware That Rang Twice

Several attackers can target the same potential victim at once. In a recent case involving a Maze ransomware attack, that scenario came into play and destroyed the attackers’ plans: they exfiltrated a stack of victim files only to discover they were unreadable, because the files had already been encrypted by DoppelPaymer ransomware a week earlier. Better luck next time, hackers!

3. The Back Door That Doesn’t Open

The tools attackers use can come back to haunt them. In the case of a recent Conti ransomware attack, the criminals installed AnyDesk on an infected machine to provide remote access. Then they launched ransomware that encrypted everything on the machine, including AnyDesk. In other words, they encrypted their own newly installed backdoor, so it was useless to them too!

4. Lost in Translation

Criminals using Mount Locker ransomware tried and tried, with no success, to get a victim to pay up after they leaked a sample of their information. But the victim refused. Why? Because the inadvertently published information belonged to another, unknown company. Attention to detail is apparently not a skill on this criminal’s resume.

5. The Not-So-Hidden Key

As victims know, ransomware attackers seize control of systems and files and make them unusable for organizations. While they are at it, they also exfiltrate the data and will often use it for future extortion attempts, demanding more ransom in exchange for not publishing sensitive, stolen information. But not in a recent case: the attackers left behind the configuration files for the FTP server they were using for data exfiltration. The victim found them, logged in, and deleted all the stolen data.

Don’t let your defenses down

Sophos responders note that knowing ransomware adversaries make mistakes doesn’t mean defenders should relax best practices. In some ways cybersecurity is even more critical, because certain attacker errors can increase the risk to victims. For example, poorly implemented encryption can leave victims with decryption keys that don’t work.

Sophos can help you defend and recover from a ransomware attack. Learn more at Sophos.com.


Copyright © 2022 IDG Communications, Inc.