The use of data leak sites by ransomware actors is a well-established element of double extortion. We explore how different groups have utilised them to threaten and intimidate victims using a variety of techniques and, in some cases, to achieve different objectives. We share our recommendations on how to use leak sites during active ransomware incidents.
Threat actors frequently threaten to publish exfiltrated data to improve their chances of securing a ransom payment (a technique that is also referred to as “double extortion”). But while all ransomware groups share the same objective, they employ different tactics to achieve their goal. Victims are usually named on the attacker’s data leak site, but the nature and the volume of data that is presented varies considerably by threat group. Data can be published incrementally or in full. Some threat actors provide sample documents, others don’t. Some groups auction the data to the highest bidder, others only publish the data if the ransom isn’t paid.
Organisations that find themselves in the middle of a ransomware attack are under immense pressure to make the right decisions quickly based on limited information. Anyone considering negotiation with a ransomware actor should understand their modus operandi, and how they typically use their leak site to make higher ransom demands and increase the chances of payment. Organisations need to understand who they are dealing with, remain calm and composed, and ensure that they have the right information and monitoring at their disposal.
Intimidation tactics
Data leak sites are usually dedicated dark web pages that post victim names and details. Threat actors may publish portions of the data at the early stages of the attack to prove that they have breached the target’s system and stolen data, and ultimately may publish full data dumps of those refusing to pay the ransom. The Maze threat group were the first to employ the method in November 2019, by posting 10% of the data they had exfiltrated from Allied Universal and threatening to post more if their ransom demand (now 50% higher than the original) was not met. By mid-2020, Maze had created a dedicated shaming webpage. Other groups adopted the technique, increasing the pressure by providing a timeframe for the victims to pay up and showcasing a countdown along with screenshots proving the theft of data displayed on the “wall of shame”.
Publishing a target’s data on a leak site can pose a threat that is equivalent to, or even greater than, encryption, because the data leak can trigger legal and financial consequences for the victim, as well as reputational damage and related business losses.
The wall of shame as a silencing tool
Double extortion is mainly used by ransomware groups as a means of maximising profits, an established practice of Maze, REvil, Conti, and others. But it is not the only way this tactic has been used. The cybersecurity firm Mandiant found themselves on the LockBit 2.0 ‘wall of shame’ on the dark web on 6 June 2022. This followed the publication of a Mandiant article describing a shift in modus operandi for Evil Corp from using the FAKEUPDATES infection chain to adopting LockBit Ransomware-as-a-Service (RaaS). Mandiant suggested that the reason Evil Corp made this switch was to evade the Office of Foreign Assets Control (OFAC) sanctions that had been released in December 2019 and, more generally, to blend in with other affiliates and eliminate the cost tied to the development of new ransomware. This episode drew renewed attention to double extortion tactics because not only was a security vendor being targeted, but it was also an apparent attempt to silence a prominent name in the security industry.
Different group, different goals
Our experience with two threat groups, PLEASE_READ_ME and SunCrypt, highlights the different ways groups approach the extortion process and the choices they make around the publication of data. In both cases, we found that the threat group threatened to publish exfiltrated data, increasing the pressure over time to make the payment. We found stolen databases for sale on both of the threat actors’ dark web pages, which detailed the data volume and the organisation’s name. Dumped databases and sensitive data were made available to download from the threat actors’ dark web pages relatively quickly after exfiltration (within 72 hours). They were publicly available to anyone willing to pay for them.
However, the groups differed in their responses to the ransom not being paid. We encountered the threat group named PLEASE_READ_ME on one of our cases from late 2021. They directed targeted organisations to a payment webpage on the Tor network (this page and related Onion domains were unavailable as of 1 August 2022) where the victims entered their unique token mapping them to their stolen database. The payment that was demanded doubled if the deadlines for payment were not met. If a ransom was not paid, the threat actor presented the stolen databases as available for purchase (rather than publishing the exfiltrated documents freely). The ransom demanded by PLEASE_READ_ME was relatively small, at $520 per database in December 2021. This is significantly less than the average ransom payment of $228,125 in the second quarter of 2022 (a number that has risen significantly in the past two years).
SunCrypt adopted a different approach. In one of our cases from early 2022, we found that the threat group made a growing percentage of the data publicly available after the ransom payment deadline of 72 hours had passed. If the ransom was not paid, the threat actor published the data in full, making the exfiltrated documents available at no cost. SunCrypt was also more aggressive in its retaliation against companies that denied or withheld information about a breach: not only did they upload stolen data onto their victim blog, they also identified targeted organisations that did not comply on a Press Release section of their website.
As part of our investigation, we located SunCrypt’s posting policy on the press release section of their dark web page. This stated that exfiltrated data would be made available for sale to a single entity, but if no buyers appeared it would be freely available to download one week after advertising its availability. SunCrypt also stated that they had a 72-hour countdown for a target to start communicating with them, after which they claimed they would post 10% of the data. We found that they opted instead to upload half of that target’s data for free. In another example of escalatory techniques, SunCrypt explained that a target had stopped communicating for 48 hours mid-negotiation. The threat group posted 20% of the data for free, leaving the rest available for purchase.
Though all threat groups are motivated to maximise profit, SunCrypt and PLEASE_READ_ME adopted different techniques to achieve this. SunCrypt are known to use multiple techniques to keep the target at the negotiation table including triple-extortion (launching DDoS attacks should ransom negotiations fail) and multi-extortion techniques (threatening to expose the breach to employees, stakeholders and the media or leaving voicemails to employees). By contrast, PLEASE_READ_ME’s tactics were simpler, exploiting exposed MySQL services in attacks that required no reconnaissance, privilege escalation or lateral movement. If the target did not meet the payment deadline the ransom demand doubled, and the data was then sold to external parties for that same amount.
Our recommendations
A security team can find itself under tremendous pressure during a ransomware attack. However, monitoring threat actor pages (and others on the dark web, accessed through a Tor browser) during an active incident should be a priority for several reasons.
- Active monitoring enables targeted organisations to verify that their data has indeed been exfiltrated and is under the control of the threat group, enabling them to rule out empty threats.
- They can assess and verify the nature of the stolen data and its level of sensitivity. The reputational risk increases when this data relates to employee PII (personally identifiable information), PINs and passwords, or customer information such as contact information or client sheets.
- The targeted organisation can confirm (or disprove) the availability of the stolen data, whether it is being offered for free or for sale, and the impact this has on the resulting risks.
- For threat groups that are known to use Distributed Denial of Service (DDoS) attacks, the leak site can be useful as an advance warning (as in the case of the SunCrypt threat group discussed earlier in this article).
These walls of shame are intended to pressure targeted organisations into paying the ransom, but they can also be used proactively. In the middle of a ransomware incident, cyber threat intelligence research on the threat group can provide valuable information for negotiations. Monitoring the dark web during and after the incident provides advance warning in case data is published online. It also provides a level of reassurance if data has not been released, as well as an early warning of potential further attacks.
Find out more
Asceris' dark web monitoring and cyber threat intelligence services provide insight and reassurance during active cyber incidents and data breaches. Our dark web monitoring solution automatically detects nefarious activity and exfiltrated content on the deep and dark web. Our threat intelligence analysts review, assess, and report actionable intelligence. We carry out open source research, threat group analysis, cryptocurrency tracing and investigations, and we support incident response teams and SOCs with our cyber threat investigations capability.
About Asceris
Our mission at Asceris is to reduce the financial and business impact of cyber incidents and other adverse events. By understanding the cost drivers of claims and addressing these proactively through automation and continuous process refinement, we are able to deliver high quality incident response services in close collaboration with our industry partners.