Critical Infrastructure Security , Cybercrime , Cybercrime as-a-service

Ransomware: No Decline in Victims Posted to Data Leak Sites

Count of Victims - Listed on Leak Sites or Not - Appears to Be Holding Steady
Ransomware: No Decline in Victims Posted to Data Leak Sites
Prolific Phobos ransomware (ransom note shown) doesn't list victims on a data leak site. (Source: Malwarebytes)

Not all ransomware-wielding attackers steal victims' data, or threaten to publicly name and shame them, as an inducement to pay a ransom. But one measure of the damage being done by crypto-locking malware continues to be counting how many victim organizations end up getting listed on ransomware operators' dedicated data leak sites, as part of so-called double extortion tactics.

See Also: OnDemand | The Cost of Underpreparedness to Your Business

Unfortunately, despite the White House declaring war on ransomware, including initiatives to improve the cyber resiliency of U.S. businesses, at least so far the number of victims being listed on such sites hasn't been declining, reports Allan Liska, an intelligence analyst at threat intelligence firm Recorded Future.

"The number of victims posted to ransomware extortion sites remained near an all-time high in September," Liska tweets. "As always, remember that only a small fraction of ransomware victims make it to extortion sites so these numbers aren't representative of all attacks."

Per his caveats, the number of organizations that end up getting listed on data leak sites doesn't equal the number of organizations being targeted by attackers or the subset who suffer a successful ransomware outbreak. Many security experts estimate that only a fraction - perhaps 25% - of ransomware victims ever publicly come to light.

For example, some organizations will get hit, wipe and restore their systems and make no public declaration, and for whatever reason won't get listed on an attacker's data leak site - perhaps because attackers don't have one.

But as Liska notes, at least some victims are getting listed on such sites, and not always by well-known players.

Since Oct. 4, for example, Israeli threat intelligence firm Kela says these 12 ransomware groups have listed fresh victims on their data leak sites: AtomSilo, BlackByte, BlackMatter, Conti, Grief, Hive, LockBit, Pysa, REvil/Sodinokibi, Spook, Vice Society and Xing.

Last year, security firms Kaspersky and Emsisoft estimated that there were about 65,000 successful ransomware attacks. This year, Liska estimates that based on current trends, 5,000 victims in total will end up being listed on data leak sites. Of course, more attacks will also come to light when publicly disclosed by victims, perhaps to comply with data breach notification rules.

Victim Count Keeping Constant

Emsisoft says that despite the recent high mark for victim listings, overall the number of organizations getting listed on such sites seems to be holding steady.

"The number of global ransomware incidents has remained relatively stable for quite some time, so it's not surprising that the number of companies appearing on leak sites has remained relatively stable too," says Brett Callow, a threat analyst at Emsisoft. "The gap between the estimated number of incidents and the number of victims that end up on leak sites is simply due to the fact that not all ransomware operators use leak sites - and that includes some of the busier operators, as well as operators such as FIN12."

Just looking at FIN12, for example, the Ryuk-wielding, Russian-speaking group tends to avoid double extortion, instead seeking fast and higher ransom payouts, security firm Mandiant says (see: FIN12 Ransomware Attacks Aggressively Targeting Healthcare).

Based on 137,537 submissions to Emsisoft and the free ID Ransomware site, and excluding Stop/Djvu ransomware (Source: Emsisoft)

In the second quarter of this year, 137,537 strains of ransomware were submitted to Emsisoft and the free ID Ransomware site - created by Michael Gillespie, a security researcher at Emsisoft. The main strain, accounting for 70% of infections, was the consumer-focused Stop - aka Djvu - ransomware, which according to security firm Cyble "enters the systems of users when they download and execute malicious files masquerading as software cracks or keygens that allow users to use paid software for free by downloading from a torrent."

Excluding Stop/Djvu, the other top ransomware strains - including Phobos, REvil/Sodinokibi, QLocker, Makop and Dharma - are mostly business-focused. But of the Q2 top 10, only REvil/Sodinokibi and LockBit run data leak sites.

The Medium Is the Message

Data leak sites are yet another tactic created by attackers to pressure victims into paying as soon as possible. Many ransom notes left by attackers on systems they've crypto-locked, for example, will display a countdown timer, and warn a victim that - for example - they only have 48 hours to pay a ransom, or else the ransom demand will double. Experts say some victims pay purely as a reputational move, to try and keep the attack from becoming public.

For victims who don't quickly pay, many ransomware operations will next post the victim's name onto their dedicated data leak site, to try and name and shame them into paying, promising that if they send a ransom, their name will get removed, a decryptor furnished, and any data stolen by attackers deleted.

If that shakedown step fails to drive a victim to pay, then attackers will often start to leak stolen data, if they managed to obtain any during the attack. By doing so, they send a signal to future victims that if they choose to not pay, they'll suffer a similar fate.

Caveat Ransom Payer

Many of these shakedowns, however, are less than they appear to be. Numerous attackers, for example, will claim to have stolen data, but end up acquiring nothing of any value to be leaked. Others are simply lying altogether when they claim to have stolen data.

Another wrinkle: In some cases, decryptors won't work as advertised, leaving victims unable to use them to easily or quickly recover their data.

This is one reason why ransomware response experts recommend that an organization always work with a reputable ransomware incident response firm if they are considering paying a ransom. Such firms can guide a victim's response - based on intelligence about how a given set of attackers tends to negotiate and the likelihood that the victim will receive a working decryptor - or perhaps bring in a third-party service to rewrite the decryptor once the victim obtains the key.

Some ransomware operations have warned that any victim that attempts to work with police or a third-party response firm will be punished by having their stolen data get leaked or their decryption key deleted, thus preventing them from recovering any data. But security experts have cited such amateur threats as evidence that victims should do the opposite of what attackers might be demanding and help bring their attacks to light, not least to enable police to better track and disrupt them. For ransomware victims present and future, silence isn't golden.

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.