Ransomware without Encryption

Traditionally, ransomware encrypts files and folders and demands payment in return for a decryption key – but cybercriminals are now skipping the encryption step.

Ransomware is malicious software that, at least traditionally, encrypts everything it can infect, rendering it useless without a unique decryption key. A ransom is then demanded in return for that key. Typically, ransomware infects a system through a dodgy link in a phishing email or through illicitly downloaded software. But with better company education on the threat of ransomware, along with better data backup strategies being adopted, cybercriminals began to take a two-pronged approach a few years ago. Rather than simply encrypting the files in return for payment, they would steal a copy of the data too, and threaten to leak it. This puts added pressure on the victims of ransomware, who previously may have only had to worry about a day’s downtime and a few days’ lost work while their most recent backup was restored.

However, cybercriminals are increasingly bypassing the encryption stage altogether. Rather than encrypting – which requires time and effort – ransomware gangs are simply exfiltrating the data and demanding a ransom in return for not leaking it. A new ransomware gang, Karakurt, demands massive ransoms of up to $13m. So far, none of its victims have had their data encrypted, and all of it has remained fully accessible to them. However, the data has been stolen, with screenshots sent to the victims as proof and a threat of public release unless a ransom is paid.

This new and worrying development in the world of ransomware has been ongoing for some years, but it appears we may be entering an era where ransomware gangs decide it isn’t worth the effort to encrypt data, and will simply go down the extortion route. For companies that store confidential or sensitive data, whether to pay is a difficult choice, especially as law enforcement agencies strongly advise against paying ransoms.