Threat Actors Use Data Leak Marketplaces for Data-Theft Extortion
Attackers Have Taken a Different Approach from the Ransomware-as-a-Service Model, Turning to the Practice of Data-Theft Extortion.
Ransomware is old news, yet according to the FBI’s 2020 Internet Crime Report, the number of ransomware incidents continues to rise, with 2,474 incidents reported in 2020.
Nowadays, malicious actors have stopped thinking like virtual highwaymen and started acting like businessmen. The model even has a name: Ransomware as a Service (RaaS). The term is used to describe a nascent industry, one that, by its very design, caters to the needs of cybercriminals.
It looks like the attackers have taken a different approach from the RaaS model. Long before ransomware gangs started extorting victims through the use of stolen data, other threat actors had already been using the practice of data-theft extortion.
According to an analysis conducted by BleepingComputer, more and more threat actors are turning to data-theft extortion by creating dark web marketplaces that only exist to sell the exfiltrated information.
The first known attacks of Maze ransomware took place in May 2019, when the hackers revolutionized ransomware operations by adopting a double-extortion strategy. The criminals initially distributed the ransomware via spam e-mail and exploit kits, but now they use a variety of tactics, techniques, and procedures.
Maze ransomware is an even more dangerous attack because the criminals behind the operation also have a public ransomware data leak website where they post the stolen data of the victims who refuse to pay the extortion fee.
Some threat actors revealed to BleepingComputer CEO Lawrence Abrams that stealing data and threatening to leak it online usually “generates more ransom payments than the loss of encrypted files”.
According to a message that the Babuk ransomware gang has posted on its leak site, the newly announced model remains almost the same, with the exception of the data encryption component. In short, the cybercriminals will start running an extortion-without-encryption business, demanding a ransom for information stolen from the compromised networks.
Accenture’s Ninth Annual Cost of Cybercrime Study conducted in 2019 in collaboration with the Ponemon Institute registered a 67% increase in data breaches over five years. Since breaches happen almost every day, and governments impose heavy fines for personal information exposure, attackers are now using dedicated marketplaces that sell stolen data.
Although dark web marketplaces are not a new thing, they were not designed solely for the purpose of data-theft extortion.
Recently, BleepingComputer has identified two new marketplaces called Marketo and File Leaks, created to sell data to other threat actors or back to the victims themselves. In addition, there is one marketplace called ‘Dark Leak Market’ that appears to have been created in 2019.
Dark Leak Market
Dark Leak Market has been selling stolen data since 2019, making it the oldest of these marketplaces. The data sold at this site ranges from $100 to $9,000.
Marketo
There’s a new marketplace in town and it goes by the name Marketo. Last month, the owner contacted journalists and security researchers to promote the platform, claiming that it is a marketplace for people who have information for sale and that they don’t hack companies and don’t approve of ransomware attacks.
File Leaks
The smallest of these marketplaces is File Leaks, with two victims from Italy and one from India. The platform was launched in April 2021 and leaks all of the stolen data at once, telling victims they have to pay to get it removed.
Should you pay the ransom if all precautions fail and you become a victim of ransomware? Although this decision is entirely up to you, I would advise you not to do so. As the FBI explains,
“In some cases, victims who paid a ransom were never provided with decryption keys. In addition, due to flaws in the encryption algorithms of certain malware variants, victims may not be able to recover some or all of their data even with a valid decryption key. Paying ransoms emboldens criminals to target other organizations and provides an alluring and lucrative enterprise to other criminals.”
Moreover, bear in mind that, even if you do pay the ransom, the security issues that allowed cybercriminals access to your company are still there and you still have to fix them. It’s better to adopt a prevention attitude from the start.
Victims of data thefts should always treat attacks like data breaches and properly disclose the breach to all customers, employees, business partners, and law enforcement to prevent them from being harmed by the stolen data.