Ransomware has gone through several game-changing milestones over the course of its decade-long evolution. In 2013, extortionists added encryption to their genre and started locking down victims' files instead of screens or web browsers. Two years later, a sketchy affiliate model called Ransomware-as-a-Service (RaaS) made its debut, thereby lowering the entry bar for wannabe threat actors. In 2019, crooks shifted their focus to enterprises and pioneered in stealing data in addition to encrypting it, which turned these raids into an explosive mix of blackmail and breaches.
Since 2021, a new unsettling trend has been underway that redefines online extortion as we know it, with the priority of file encryption in these schemes starting to fade away. The data theft tactic alone turned out so lucrative that ransomware operators could effectively abandon tedious software engineering and cryptography-based procedures and still rake in jaw-dropping profits.
The idea is to demand money for not leaking files stolen from an infected organization. In a dilemma like that, many businesses prefer a one-time financial loss over long-term reputational damage. The following paragraphs will dwell on the undercurrents of the new strategy and explain why succumbing to attackers' demands isn't necessarily the lesser of two evils.
Babuk ransomware gang was the first to take the sharp turn
In late April 2021, the authors of a RaaS platform called Babuk announced a departure from the classic ransomware deployment logic. According to a message published on their leak site, they decided to close the affiliate service and henceforth focus solely on data exfiltration from enterprise environments.
Essentially, it meant that the criminals would keep extorting victims in a similar way as before, except that they would no longer deposit and execute ransomware inside corporate networks. When an attack doesn't involve data encryption, it doesn't seem very impactful as companies can still access their files and continue their day-to-day activities. However, the relief is illusory.
Here is how the wicked plan works. Having extracted important data from a network, crooks will shortly contact the victim with an ultimatum: the information will be posted on a specially crafted "public shaming" site unless a ransom is paid. One more scenario is that the attackers may sell the pilfered files to an interested party such as a business rival or another cybercriminal group.
Babuk ransomware crew's track record didn't include many victims at that point, but it had already gained notoriety for raiding IT networks of high-profile organizations. For instance, the felons hit the D.C. Metropolitan Police Department and allegedly retrieved about 250 GB worth of sensitive data. According to some reports, they wanted $4 million for non-disclosure, but the department agreed to pay no more than $100,000.
When the ransom negotiation attempts failed, Babuk operators dumped a portion of confidential files relating to police officers. They threatened to post more if officials didn't rethink their proposal toward a raise. This incident, in and of itself, was quite disconcerting because it demonstrated that even law enforcement agencies are vulnerable to the emerging extortion model, not to mention regular companies.
"Encryption-less" extortion has since created ripples in the ransomware circles. Most malicious actors in this dirty business are stealing their victims' files anyway, so taking the new route makes things easier for them while potentially generating the same results.
Stolen data marketplaces are on the rise
To align the Dark Web ecosystem with breaches that are increasingly integrated into the fabric of cyber-extortion, criminals are setting up websites that present stolen data as a commodity anyone can purchase. For the record, this phenomenon isn't exactly new.
Remember the news-making story of a hacker group calling themselves The Dark Overlord? Back in 2017, these folks compromised Netflix and spilled 10 unreleased episodes of "Orange Is the New Black" TV series via a shady online marketplace after the production company refused to pay the ransom. They also held Disney for ransom over allegedly stolen materials relating to the "Pirates of the Caribbean" movie. These incidents had nothing to do with ransomware campaigns, but they trailblazed a new unnerving modus operandi for other bad actors.
The current trend is different. New data trading sites are most likely being spawned because ransomware operators are amassing huge amounts of information in extortion attacks and they need an extra monetization mechanism in case victims reject their demands. This vector goes beyond the "naming and shaming" principle.
One of these underground resources is called Marketo. It was launched in April 2021 as a place where crooks put up data stolen from organizations for sale and anyone interested could buy it on an auction basis. This kind of a service plays into the hands of unscrupulous competitors who can obtain sensitive records belonging to a company they want to sabotage. Other cybercriminals can also purchase and use data to orchestrate targeted phishing attacks against a specific business.
Marketo authors have since reached out to security analysts and the media to spread the word about their hugely controversial project. In this correspondence, they emphasize that they don't hack companies themselves and simply provide a one-stop monetization platform for people who own stolen information.
Their narrative additionally includes statements that they don't endorse ransomware distributors who block networks and perpetrate extortion. Frankly, this claim isn't too convincing. Even if it's true, this "almost ethical" approach isn't at odds with the Babuk case above.
One more marketplace for stolen data called File Leaks splashed onto the scene in early 2021, as well. At the time of launch, it already contained troves of files extracted from two victims—one based in Italy and the other in India. It's unclear whether this site is affiliated with any active ransomware gangs, but it straightforwardly instructs compromised companies to pay for not exposing their information.
Industrial Spy is the latest addition to this club of filthy entrepreneurship. It kicked off in March 2022 as a platform where companies can acquire competitors' customer databases, trade secrets, financial reports, and other confidential information. This marketplace took the disgusting moneymaking model to the next level by splitting data into three tiers (premium, general, and free) based on its potential worth and the organization it was stolen from.
A full batch of premium-rate records pilfered from a high-profile business can be traded on Industrial Spy for more than $1 million, whereas individual files extracted from some lesser-known companies are being offered for as little as $2. Information that falls under the "free" category can be given away as a lure for interested parties to join the hub.
An offbeat hallmark of this marketplace is that its operators are using adware and cracked variants of popular applications to advertise the project. When installed, one of these malicious programs drops an object named Readme.txt into each folder on the device. The text file encourages users to visit the site for Industrial Spy and check it for data dumps that are potentially of interest.
To maintain proper OPSEC, all these resources use the .onion domain service protected by The Onion Router (Tor) anonymity network. This is a common tactic for hosting malicious sites such as data leak blogs created by ransomware makers.
Paying ransoms continues to be a slippery slope
Companies that fall victim to ransomware should avoid paying ransoms for not leaking their files. There is no guarantee that the riff-raff will carry through with their promises and destroy all copies of the stolen data after receiving their Bitcoins. They may sell it via a data leak marketplace or reuse it to pull off another extortion attack against the same victim in the future.
A more reasonable approach is to say no to crooks and immediately notify all parties potentially affected by the breach, including staff members, partners, and customers—as well as law enforcement.
Preparedness for possible disclosure of sensitive data will help minimize the damage. For instance, victims can urgently change their passwords and other credentials that were retrieved during the attack.
Finally, an incredibly important aspect of the non-payment strategy is that it will drain criminals' resources and keep them from moving on with their abominable schemes.