Report Finds Ransomware Crews Don't Leave After Being Paid

By Ben Kochman

Law360 (April 29, 2020, 7:18 PM EDT) -- Organized crews of cybercriminals that attacked health care organizations and other critical services with ransomware this month kept their access to victims' networks even after ransoms were paid, new research released by Microsoft Corp. says. 

In a blog post published Tuesday, Microsoft's Threat Protection Intelligence Team said it had identified "dozens" of ransomware attacks in the first two weeks of April targeting organizations critical to the world's response to the COVID-19 pandemic, including aid organizations, medical billing companies and educational software providers.

The company said it had identified at least 10 distinct "families" of ransomware, which each present their own unique risks to potential victims. Many of the attacks, however, shared key characteristics, including that attackers continued to keep a presence on victims' networks even after the victims paid ransoms or restored their systems — suggesting the possibility of future attacks, Microsoft's researchers said.

"On networks where attackers deployed ransomware, they deliberately maintained their presence on some endpoints, intending to re-initiate malicious activity after ransom is paid or systems are rebuilt," the blog post reads.

The blog post also noted how ransomware gangs are increasingly taking the extra step of exfiltrating victims' data before freezing victims out of networks, a distinction that could trigger victims' obligations to alert clients and governments under data breach notification laws.

Some ransomware crews, such as a group that calls itself Maze, openly brag about stealing their victims' data and have in some cases posted confidential, sensitive data on publicly accessible websites. But even other ransomware groups that have not gone public about exfiltrating data are still taking that extra step, Microsoft's researchers said.

"While only a few of these groups gained notoriety for selling data, almost all of them were observed viewing and exfiltrating data during these attacks, even if they have not advertised or sold yet," the threat intelligence team wrote in the blog post.

The dozens of attacks that Microsoft's researchers identified in the first two weeks of April represent a "slight uptick" in incidents, echoing concerns raised by cybersecurity attorneys that hackers are taking advantage of distracted workers and stretched-thin IT workers during the pandemic. But the ransomware crews, which Microsoft described as organized and well-funded, have in many cases actually been lurking on victims' networks for months, waiting for the most opportune time to strike, the blog post said.

"Attackers have compromised target networks for several months beginning earlier this year and have been waiting to monetize their attacks by deploying ransomware when they would see the most financial gain," the blog post reads.

Tuesday's research comes as victims of ransomware attacks continue to weigh whether to pay the hackers, with many victims caving to the criminals' demands despite the FBI's advice that doing so will embolden hackers to launch more attacks. 

Microsoft has taken a more active role in publicizing its response to the ransomware threat in recent weeks, and earlier in April said that it had reached out to dozens of hospitals it believes are particularly vulnerable to being held hostage by ransomware during the pandemic response.

--Editing by Jay Jackson Jr.
