Dati ransomware pubblicati in chiaro Piergiorgio Venuti

The data exfiltrated during a double extortion ransomware attack is not public. Let’s dispel a myth

Estimated reading time: 3 minutes

Introduction

Ransomware attacks are becoming more common and lucrative for cybercriminals. In particular, the “double extortion” variant involves not only encrypting the victim’s data, but also stealing and threatening to publish it online for ransom. It is commonly believed that stolen data is not actually disclosed publicly, but remains confined to the dark web. In reality, things are not like that.

What is the dark web

The dark web refers to that part of the internet whose contents are not indexed by standard search engines. To access the dark web you need to use specific browsers such as Tor, which make browsing anonymous by encrypting and routing traffic through multiple nodes. Thanks to the anonymity it guarantees, the dark web is often used for criminal activities, such as the sale of stolen data.

However, the dark web is not as dark and mysterious as it is believed. Software like Tor is free and easily accessible to everyone. As a result, even sensitive data of companies that have ended up on the dark web can easily be leaked, even publicly.

Cybergangs also often publish unencrypted

Contrary to common belief, many of the criminal organizations that manage ransomware attacks end up publishing the stolen data of the victims even publicly, as an additional tool to pressure to obtain the ransom payment.

The forums and sites used for these publications are often hosted on non-EU servers, where there are no legal consequences, and are easily accessible to anyone. For example, the Conti group, one of the most active in the ransomware world, regularly publishes exfiltrated data through its “Conti Leaks” site.

Even lesser-known ransomware groups end up posting stolen data samples on public forums, then posting the URL to the victim, to demonstrate that the threat of full disclosure is real.

These publications take place on sites accessible to anyone with an internet connection. It is not necessary to resort to the dark web to access the stolen data.

Because cybergangs publish data in the clear

There are mainly three reasons that drive ransomware operators to publish the stolen data also publicly, and not only on the dark web:

  • Increase pressure on the victim: Publishing a sample of sensitive data is a powerful coercion tool to pressure the victim into paying to avoid full disclosure.
  • Damage the image of the target: Cybergangs often aim to inflict as much damage as possible on the victims, as well as to obtain a ransom. The publication of the data damages the reputation of the affected organization.
  • Advertising for your services: Showing the leaked data serves as proof of the effective capabilities of the ransomware group, allowing you to attract more customers for future attacks.

A million dollar business

Selling stolen data has become an extremely lucrative business for cybercriminals, second only to ransomware. Recent reports estimate that revenues from the sale of stolen data alone in 2021 netted hackers over $2 billion.

Sensitive company data can be sold for tens of thousands of euros on the dark web. But free sample posting further increases the destructive impact of the attack.

Conclusion: prevention is better than cure

The possibility that the data stolen by a ransomware attack will be publicly disclosed, and not only on the dark web, is therefore concrete and should not be underestimated. The consequences of such a data breach can be extremely serious for a company, causing reputational damage, legal fines and loss of intellectual property.

It therefore becomes crucial to invest in prevention, adopting modern security solutions such as SOC (Security Operation Center) platforms that monitor the corporate network 24 hours a day to identify and block attacks before hackers can steal or encrypt sensitive data.

In addition, advanced threat intelligence services such as those provided by companies such as Secure Online Desktop allow you to monitor the dark web to identify any stolen company data that is being offered for sale, to take immediate action and limit the damage.

Useful links:

Share


RSS

More Articles…

Categories …

Tags

RSS Unknown Feed

RSS Full Disclosure

  • iOS Activation Flaw Enables Pre-User Device Compromise and Identity Exposure (iOS 18.5) July 1, 2025
    Posted by josephgoyd via Fulldisclosure on Jun 30Title: iOS Activation Flaw Enables Pre-User Device Compromise Reported to Apple: May 19, 2025 Reported to US-CERT: May 19, 2025 US-CERT Case #: VU#346053 Vendor Status: Silent Public Disclosure: June 26, 2025 ------------------------------------------------------------------------ Summary ------------------------------------------------------------------------ A critical vulnerability exists in Apple’s iOS activation pipeline that allows...
  • Remote DoS in httpx 1.7.0 – Out-of-Bounds Read via Malformed <title> Tag June 26, 2025
    Posted by Brian Carpenter via Fulldisclosure on Jun 25Hey list, You can remotely crash httpx v1.7.0 (by ProjectDiscovery) by serving a malformed tag on your website. The bug is a classic out-of-bounds read in trimTitleTags() due to a missing bounds check when slicing the title string. It panics with: panic: runtime error: slice bounds out […]
  • CVE-2025-32978 - Quest KACE SMA Unauthenticated License Replacement June 24, 2025
    Posted by Seralys Research Team via Fulldisclosure on Jun 23 Seralys Security Advisory | https://www.seralys.com/research ====================================================================== Title: Unauthenticated License Replacement Product: Quest KACE Systems Management Appliance (SMA) Affected: Confirmed on 14.1 (older versions likely affected) Fixed in: 13.0.385, 13.1.81, 13.2.183, 14.0.341(Patch 5), 14.1.101(Patch 4) Vendor: Quest Software Discovered: April...
  • CVE-2025-32977 - Quest KACE Unauthenticated Backup Upload June 24, 2025
    Posted by Seralys Research Team via Fulldisclosure on Jun 23 Seralys Security Advisory | https://www.seralys.com/research ====================================================================== Title: Unauthenticated Backup Upload Product: Quest KACE Systems Management Appliance (SMA) Affected: Confirmed on 14.1 (older versions likely affected) Fixed in: 13.0.385, 13.1.81, 13.2.183, 14.0.341(Patch 5), 14.1.101(Patch 4) Vendor: Quest Software Discovered: April 2025...
  • CVE-2025-32976 - Quest KACE SMA 2FA Bypass June 24, 2025
    Posted by Seralys Research Team via Fulldisclosure on Jun 23 Seralys Security Advisory | https://www.seralys.com/research ====================================================================== Title: 2FA Bypass Product: Quest KACE Systems Management Appliance (SMA) Affected: Confirmed on 14.1 (older versions likely affected) Fixed in: 13.0.385, 13.1.81, 13.2.183, 14.0.341(Patch 5), 14.1.101(Patch 4) Vendor: Quest Software Discovered: April 2025 Severity: HIGH...
  • CVE-2025-32975 - Quest KACE SMA Authentication Bypass June 24, 2025
    Posted by Seralys Research Team via Fulldisclosure on Jun 23 Seralys Security Advisory | https://www.seralys.com/research ====================================================================== Title: Authentication Bypass Product: Quest KACE Systems Management Appliance (SMA) Affected: Confirmed on 14.1 (older versions likely affected) Fixed in: 13.0.385, 13.1.81, 13.2.183, 14.0.341(Patch 5), 14.1.101(Patch 4) Vendor: Quest Software Discovered: April 2025 Severity:...
  • RansomLord (NG v1.0) anti-ransomware exploit tool June 24, 2025
    Posted by malvuln on Jun 23First official NG versioned release with significant updates, fixes and new features https://github.com/malvuln/RansomLord/releases/tag/v1.0 RansomLord (NG) v1.0 Anti-Ransomware exploit tool. Proof-of-concept tool that automates the creation of PE files, used to exploit ransomware pre-encryption. Lang: C SHA256: ACB0C4EEAB421761B6C6E70B0FA1D20CE08247525641A7CD03B33A6EE3D35D8A Deweaponize feature PoC video:...
  • Disclosure Yealink Cloud vulnerabilities June 24, 2025
    Posted by Jeroen Hermans via Fulldisclosure on Jun 23Dear all, ---Abstract--- Yealink RPS contains several vulnerabilities that can lead to leaking of PII and/or MITM attacks. Some vulnerabilities are unpatched even after disclosure to the manufacturer. ---/Abstract--- We are Stefan Gloor and Jeroen Hermans. We are independent computer security researchers working on a disclosure process […]
  • : "Glass Cage" – Zero-Click iMessage → Persistent iOS Compromise + Bricking (CVE-2025-24085 / 24201, CNVD-2025-07885) June 18, 2025
    Posted by josephgoyd via Fulldisclosure on Jun 17"Glass Cage" – Sophisticated Zero-Click iMessage Exploit ChainEnabling Persistent iOS Compromise and Device Bricking CVE-2025-24085, CVE-2025-24201(CNVD-2025-07885) Author: Joseph Goydish II Date: 06/10/2025 Release Type: Full Disclosure Platform Affected: iOS 18.2 (confirmed zero-day at time of discovery) Delivery Vector: iMessage (default configuration) Impact: Remote Code Execution, Privilege Escalation, Keychain […]
  • SEC Consult SA-20250612-0 :: Reflected Cross-Site Scripting in ONLYOFFICE Docs (DocumentServer) June 18, 2025
    Posted by SEC Consult Vulnerability Lab via Fulldisclosure on Jun 17SEC Consult Vulnerability Lab Security Advisory < 20250612-0 > ======================================================================= title: Reflected Cross-Site Scripting product: ONLYOFFICE Docs (DocumentServer) vulnerable version:

Customers

Newsletter

{subscription_form_1}