Another Ransomware Will Now Publish Victims' Data If Not Paid
By Lawrence Abrams
Published: 2019-12-12 · Archived: 2026-04-05 14:55:22 UTC
The operators of the REvil Ransomware, otherwise known as Sodinokibi, have announced that they will use stolen files and
data as leverage to get victims to pay ransoms.
A new tactic by ransomware developers is to release a victim's data if they do not pay the ransom. While we have seen these
threats in the past, only recently have Ransomware operators, such as Maze, actually followed through.
In a new post to a Russian malware and hacker forum shared with us by security researcher Damian, the public-facing
representative of the REvil ransomware known as UNKN states that a new "division" has been created for large operations.
https://www.bleepingcomputer.com/news/security/another-ransomware-will-now-publish-victims-data-if-not-paid/
Page 1 of 5

0:00
https://www.bleepingcomputer.com/news/security/another-ransomware-will-now-publish-victims-data-if-not-paid/
Page 2 of 5

Visit Advertiser websiteGO TO PAGE
They claim that a recent operation from this group is the attack against the CyrusOne data center that was reported last
week. As part of this operation, UNKN claims that they have stolen files from the company before encrypting their network.
REvil goes on to say that if a company does not pay the ransom, the ransomware actors will publicly release the stolen data
or sell it to competitors. It is in their opinion that this would be more costly to the victim than paying the ransom.
Forum post by REvil operator
The original Russian text from the above post is below:
Если не отвечаем - значит не интересны. Либо мест нет.
Мы открыли отдельное подразделение, которое занимается крупными операциями. Неделю назад был осуществлен до
Очень странно, что cdhfund.com до сих пор молчат. Они также были подвержены атаке, все данные скопированы и за
The English translation via Google Translate can also be read below:
If we don’t answer, then it’s not interesting. Or there are no places.
We have opened a separate division, which is engaged in large operations. A week ago, access to CyrusOne was made. Judging
It is very strange that cdhfund.com is still silent. They were also susceptible to attack, all data was copied and encrypt
Ransomware attacks are now data breaches
For years, ransomware developers and affiliates have been telling victims that they must pay the ransom or stolen data
would be publicly released.
While it has been a well-known secret that ransomware actors snoop through victim's data, and in many cases steal it before
the data is encrypted, they never actually carried out their threats of releasing it.
This all changed at the end of November when Maze Ransomware threatened Allied Universal that if they did not pay the
ransom, they would release their files. When they did not receive a payment, they released 700MB worth of data on a
hacking forum.
https://www.bleepingcomputer.com/news/security/another-ransomware-will-now-publish-victims-data-if-not-paid/
Page 3 of 5

Public disclosure of Allied Universal data
During ransomware attacks, some threat actors have told companies that they are familiar with internal company secrets
after reading the company's files. Even though this should be considered a data breach, many ransomware victims simply
swept it under the rug in the hopes that nobody would ever find out.
Now that ransomware operators are releasing victim's data, this will need to change and companies will have to treat these
attacks like data breaches.
This is because employee medical records, personal information, termination letters, salaries, and much more can potentially
be disclosed. Furthermore, if any third-party information is stolen, which is highly likely, then that requires further
disclosure as well.
It is too soon to say whether these new tactics will push companies to treat ransomware attacks like data breaches, but as
more ransomware developers publish stolen documents, we can expect lawsuits and public concern to rise.
https://www.bleepingcomputer.com/news/security/another-ransomware-will-now-publish-victims-data-if-not-paid/
Page 4 of 5

Automated Pentesting Covers Only 1 of 6 Surfaces.
Automated pentesting proves the path exists. BAS proves whether your controls stop it. Most teams run one without the
other.
This whitepaper maps six validation surfaces, shows where coverage ends, and provides practitioners with three diagnostic
questions for any tool evaluation.
Source: https://www.bleepingcomputer.com/news/security/another-ransomware-will-now-publish-victims-data-if-not-paid/
https://www.bleepingcomputer.com/news/security/another-ransomware-will-now-publish-victims-data-if-not-paid/
Page 5 of 5