It makes sense, for the reasons Jim points out. Your ability to collect ransom payments is diminished if the organization has backups it can simply rebuild from. So, if you can find a way to lock not just the live data, but also the backups, you stand to make more money.
What I wonder is whether this will cause organizations to take another look at that old-school offline backup option: keep a copy of your data physically away from your network, locked in a drawer or closet, etc.
But, is that even feasible any longer?
The breach of the WordPress credentials is bad, as are the sFTP credentials. Sure, if you are still using the same WordPress password that GoDaddy assigned to you when you started the account, you really need to step up your game.
WordPress is an inviting target, because getting admin access to a WordPress install, or really any other content management system, makes it super easy to lock out the original owner and inject anything you want into the site. Want a place to spread malware in drive-by injections? Nothing like an already existing, and maybe even trusted, WordPress site, eh?
I’ve been saying it for a little while now, but I think this really cements it for me: your data has already been breached somewhere. Whether you know your personal information was involved in a public breach, or you’ve somehow managed to avoid that thus far, there is still a whole bunch of ransomware and other breaches that we don’t know anything about:
I saw a few references to this KELA study of ransomware, based on digging around the dark web to see what people were looking for. I wasn’t necessarily surprised by what they found, because it seems relatively obvious, but I was a little surprised to see that it’s pretty well thought out. I had been working on the assumption that folks using ransomware were just throwing out a wide net and catching whatever they could, but it seems they are thinking a bit more carefully about what they are doing.