Dati ransomware pubblicati in chiaro Piergiorgio Venuti

The data exfiltrated during a double extortion ransomware attack is not public. Let’s dispel a myth

Estimated reading time: 3 minutes

Introduction

Ransomware attacks are becoming more common and lucrative for cybercriminals. In particular, the “double extortion” variant involves not only encrypting the victim’s data, but also stealing and threatening to publish it online for ransom. It is commonly believed that stolen data is not actually disclosed publicly, but remains confined to the dark web. In reality, things are not like that.

What is the dark web

The dark web refers to that part of the internet whose contents are not indexed by standard search engines. To access the dark web you need to use specific browsers such as Tor, which make browsing anonymous by encrypting and routing traffic through multiple nodes. Thanks to the anonymity it guarantees, the dark web is often used for criminal activities, such as the sale of stolen data.

However, the dark web is not as dark and mysterious as it is believed. Software like Tor is free and easily accessible to everyone. As a result, even sensitive data of companies that have ended up on the dark web can easily be leaked, even publicly.

Cybergangs also often publish unencrypted

Contrary to common belief, many of the criminal organizations that manage ransomware attacks end up publishing the stolen data of the victims even publicly, as an additional tool to pressure to obtain the ransom payment.

The forums and sites used for these publications are often hosted on non-EU servers, where there are no legal consequences, and are easily accessible to anyone. For example, the Conti group, one of the most active in the ransomware world, regularly publishes exfiltrated data through its “Conti Leaks” site.

Even lesser-known ransomware groups end up posting stolen data samples on public forums, then posting the URL to the victim, to demonstrate that the threat of full disclosure is real.

These publications take place on sites accessible to anyone with an internet connection. It is not necessary to resort to the dark web to access the stolen data.

Because cybergangs publish data in the clear

There are mainly three reasons that drive ransomware operators to publish the stolen data also publicly, and not only on the dark web:

  • Increase pressure on the victim: Publishing a sample of sensitive data is a powerful coercion tool to pressure the victim into paying to avoid full disclosure.
  • Damage the image of the target: Cybergangs often aim to inflict as much damage as possible on the victims, as well as to obtain a ransom. The publication of the data damages the reputation of the affected organization.
  • Advertising for your services: Showing the leaked data serves as proof of the effective capabilities of the ransomware group, allowing you to attract more customers for future attacks.

A million dollar business

Selling stolen data has become an extremely lucrative business for cybercriminals, second only to ransomware. Recent reports estimate that revenues from the sale of stolen data alone in 2021 netted hackers over $2 billion.

Sensitive company data can be sold for tens of thousands of euros on the dark web. But free sample posting further increases the destructive impact of the attack.

Conclusion: prevention is better than cure

The possibility that the data stolen by a ransomware attack will be publicly disclosed, and not only on the dark web, is therefore concrete and should not be underestimated. The consequences of such a data breach can be extremely serious for a company, causing reputational damage, legal fines and loss of intellectual property.

It therefore becomes crucial to invest in prevention, adopting modern security solutions such as SOC (Security Operation Center) platforms that monitor the corporate network 24 hours a day to identify and block attacks before hackers can steal or encrypt sensitive data.

In addition, advanced threat intelligence services such as those provided by companies such as Secure Online Desktop allow you to monitor the dark web to identify any stolen company data that is being offered for sale, to take immediate action and limit the damage.

Useful links:

Share


RSS

More Articles…

Categories …

Tags

RSS darkreading

RSS Full Disclosure

  • [SYSS-2024-030]: C-MOR Video Surveillance - OS Command Injection (CWE-78) September 6, 2024
    Posted by Matthias Deeg via Fulldisclosure on Sep 05Advisory ID: SYSS-2024-030 Product: C-MOR Video Surveillance Manufacturer: za-internet GmbH Affected Version(s): 5.2401, 6.00PL01 Tested Version(s): 5.2401, 6.00PL01 Vulnerability Type: OS Command Injection (CWE-78) Risk Level: High Solution Status: Open Manufacturer Notification: 2024-04-05 Solution Date: - Public Disclosure: 2024-09-04...
  • [SYSS-2024-029]: C-MOR Video Surveillance - Dependency on Vulnerable Third-Party Component (CWE-1395) September 6, 2024
    Posted by Matthias Deeg via Fulldisclosure on Sep 05Advisory ID: SYSS-2024-029 Product: C-MOR Video Surveillance Manufacturer: za-internet GmbH Affected Version(s): 5.2401 Tested Version(s): 5.2401 Vulnerability Type: Dependency on Vulnerable Third-Party Component (CWE-1395) Use of Unmaintained Third Party Components (CWE-1104) Risk Level: High Solution Status: Fixed...
  • [SYSS-2024-028]: C-MOR Video Surveillance - Cleartext Storage of Sensitive Information (CWE-312) September 6, 2024
    Posted by Matthias Deeg via Fulldisclosure on Sep 05Advisory ID: SYSS-2024-028 Product: C-MOR Video Surveillance Manufacturer: za-internet GmbH Affected Version(s): 5.2401, 6.00PL01 Tested Version(s): 5.2401, 6.00PL01 Vulnerability Type: Cleartext Storage of Sensitive Information (CWE-312) Risk Level: Medium Solution Status: Open Manufacturer Notification: 2024-04-05 Solution Date: - Public...
  • [SYSS-2024-027]: C-MOR Video Surveillance - Improper Privilege Management (CWE-269) September 6, 2024
    Posted by Matthias Deeg via Fulldisclosure on Sep 05Advisory ID: SYSS-2024-027 Product: C-MOR Video Surveillance Manufacturer: za-internet GmbH Affected Version(s): 5.2401, 6.00PL01 Tested Version(s): 5.2401, 6.00PL01 Vulnerability Type: Improper Privilege Management (CWE-269) Risk Level: High Solution Status: Open Manufacturer Notification: 2024-04-05 Solution Date: - Public Disclosure:...
  • [SYSS-2024-026]: C-MOR Video Surveillance - Unrestricted Upload of File with Dangerous Type (CWE-434) September 6, 2024
    Posted by Matthias Deeg via Fulldisclosure on Sep 05Advisory ID: SYSS-2024-026 Product: C-MOR Video Surveillance Manufacturer: za-internet GmbH Affected Version(s): 5.2401 Tested Version(s): 5.2401 Vulnerability Type: Unrestricted Upload of File with Dangerous Type (CWE-434) Risk Level: High Solution Status: Fixed Manufacturer Notification: 2024-04-05 Solution Date: 2024-07-31 Public Disclosure:...
  • [SYSS-2024-025]: C-MOR Video Surveillance - Relative Path Traversal (CWE-23) September 6, 2024
    Posted by Matthias Deeg via Fulldisclosure on Sep 05Advisory ID: SYSS-2024-025 Product: C-MOR Video Surveillance Manufacturer: za-internet GmbH Affected Version(s): 5.2401 Tested Version(s): 5.2401 Vulnerability Type: Relative Path Traversal (CWE-23) Risk Level: High Solution Status: Fixed Manufacturer Notification: 2024-04-05 Solution Date: 2024-07-31 Public Disclosure: 2024-09-04 CVE...
  • Backdoor.Win32.Symmi.qua / Remote Stack Buffer Overflow (SEH) September 6, 2024
    Posted by malvuln on Sep 05Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2024 Original source: https://malvuln.com/advisory/6e81618678ddfee69342486f6b5ee780.txt Contact: malvuln13 () gmail com Media: x.com/malvuln Threat: Backdoor.Win32.Symmi.qua Vulnerability: Remote Stack Buffer Overflow (SEH) Description: The malware listens on two random high TCP ports, when connecting (ncat) one port will return a single character like "♣" […]
  • HackTool.Win32.Freezer.br (WinSpy) / Insecure Credential Storage September 6, 2024
    Posted by malvuln on Sep 05Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2024 Original source: https://malvuln.com/advisory/2992129c565e025ebcb0bb6f80c77812.txt Contact: malvuln13 () gmail com Media: x.com/malvuln Threat: HackTool.Win32.Freezer.br (WinSpy) Vulnerability: Insecure Credential Storage Description: The malware listens on TCP ports 443, 80 and provides a web interface for remote access to victim information like screenshots etc.The […]
  • Backdoor.Win32.Optix.02.b / Weak Hardcoded Credentials September 6, 2024
    Posted by malvuln on Sep 05Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2024 Original source: https://malvuln.com/advisory/706ddc06ebbdde43e4e97de4d5af3b19.txt Contact: malvuln13 () gmail com Media: x.com/malvuln Threat: Backdoor.Win32.Optix.02.b Vulnerability: Weak Hardcoded Credentials Description: Optix listens on TCP port 5151 and is packed with ASPack (2.11d). Unpacking is trivial set breakpoints on POPAD, RET, run and dump […]
  • Backdoor.Win32.JustJoke.21 (BackDoor Pro) / Unauthenticated Remote Command Execution September 6, 2024
    Posted by malvuln on Sep 05Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2024 Original source: https://malvuln.com/advisory/4dc39c05bcc93e600dd8de16f2f7c599.txt Contact: malvuln13 () gmail com Media: x.com/malvuln Threat: Backdoor.Win32.JustJoke.21 (BackDoor Pro - v2.0b4) Vulnerability: Unauthenticated Remote Command Execution Family: JustJoke Type: PE32 MD5: 4dc39c05bcc93e600dd8de16f2f7c599 SHA256:...

Customers

Newsletter

{subscription_form_1}