Cybercriminals are embracing data-theft extortion by creating dark web marketplaces that exist solely to sell stolen data.
Long before ransomware gangs began extorting victims through the use of stolen data, other threat actors had already been using this practice.
The Maze Ransomware group revolutionized ransomware operations in 2019 by adopting a double-extortion strategy. Using ransomware data leak sites, Maze warned victims that they would publicly leak stolen data if victims did not pay a ransom.
Other gangs quickly adopted this extortion tactic.
Some threat actors have told BleepingComputer that the practice of stealing data and threatening to release it often generates more ransom payments than the loss of encrypted files.
You can see this shift in tactics with Babuk ransomware’s recent announcement that they would no longer encrypt devices and are moving solely to data-theft extortion.
The rise of stolen data marketplaces
With breaches occurring almost every day, and governments issuing heavy fines for the exposure of private data, threat actors are now capitalizing on these fears by using dedicated marketplaces that sell stolen data.
While dark web marketplaces for illicit goods are not new and have been used to sell stolen data in the past, they were not designed solely for data-theft extortion.
Recently, BleepingComputer has identified three new marketplaces called Marketo, File Leaks, and Lorenz, created to sell data to other threat actors or back to the victims themselves. In addition, there is one marketplace called ‘Dark Leak Market’ that appears to have been created in 2019.
Dark Leak Market
The oldest of these marketplaces is Dark Leak Market, which has been selling stolen data since 2019.
The data sold on this site ranges from $100 to $9,000 and has been gathered from ransomware gangs’ data leak sites and hacking forums, such as RaidForums.
Using KELA’s DarkBeast intelligence platform, BleepingComputer found a post by REvil Ransomware’s Unknown confirming that the data is being resold from other data leaks.
Last month, threat actors launched a new marketplace called Marketo, with the owner contacting journalists and security researchers to promote the site.
“We would like to present the new marketplace Marketo, soon to be the best place to find, buy and sell any information about any company,” a threat actor behind Marketo emailed BleepingComputer.
When we asked if this data was stolen as part of their own attacks or others’, they stated, “It’s a marketplace for people who have data for sale, we do not hack companies.”
They also claimed to be against ransomware and are not affiliated with “those who block networks and extort payments.”
While most of the data found on the site does not appear to be associated with known ransomware attacks, that does not mean they are not hosting data from these types of attacks.
BleepingComputer was recently alerted by someone in the automotive cybersecurity industry who saw data on Marketo for a dealership known to have recently suffered a ransomware attack.
The Lorenz marketplace
The Lorenz marketplace was also launched last month and currently lists the data for 11 victims. None of these victims are known to be associated with ransomware attacks or recent breaches.
As KELA noted to BleepingComputer, Lorenz stands out from the rest as they are not only selling stolen data but what appears to be access to victims’ internal networks.
This sold network access may indicate that the data is from the Lorenz operator’s own hacking operations.
File Leaks marketplace
The File Leaks marketplace was launched in April 2021 and dumps all of the stolen data at once, telling victims to contact them to pay to remove it.
The File Leaks marketplace is the smallest of the sites, with two victims from Italy and one from India.
Paying the ransom is throwing money away
As we reported in November, victims should never pay a ransom for stolen data as there is no guarantee that their data will be deleted and not sold to other threat actors.
Ransomware negotiation firm Coveware told BleepingComputer that cybercriminals are increasingly failing to keep their promises after a ransom was paid.
In some cases, victims who paid were later extorted again using the same data, or the threat actors leaked the data anyway.
Furthermore, as shown by the Dark Leak Market, once data is leaked, there is no way to contain it as it spreads between different hacking forums and sites frequented by threat actors.
With this in mind, Coveware tells victims to always expect the following if they decide to pay a ransomware gang not to leak data:
The data will not be credibly deleted. Victims should assume it will be traded to other threat actors, sold, or held for a second/future extortion attempt
Stolen data custody was held by multiple parties and not secured. Even if the threat actor deletes a volume of data following a payment, other parties that had access to it may have made copies so that they can extort the victim in the future
The data may get posted by mistake or on purpose before a victim can even respond to an extortion attempt
Instead, data theft victims should always treat an attack as a data breach and properly disclose the breach to all customers, employees, and business partners to prevent them from being harmed by the stolen data.