Unfortunately for the victims of cybercrime, larger ransomware gangs have gotten into the habit of creating so-called “leak sites,” where sensitive documents stolen from companies that refuse to pay the ransom are published for anyone to read. These leak sites are part of a newer trend known as “double extortion”: the attackers not only encrypt the victim’s files but also steal copies of them beforehand, and then threaten to publish the stolen data unless the ransom is paid.
This double-extortion scheme was used in August 2020 against the University of Utah. The university’s management subsequently paid $457,000 to a ransomware gang, and in a statement posted on its website, the university attempted to justify the payment by stating that it was made to protect sensitive student data.
Leak Sites Are Growing in Popularity Among Ransomware Gangs
Although these incidents are growing in frequency, the good news is that not all ransomware gangs operate leak sites. The number of known leak sites has, however, been growing slowly since December 2019, when the hackers behind Maze ransomware launched the first known leak site.
Ransomware gangs that we can confirm are operating leak sites include Ako, Avaddon, CLOP, Darkside, DoppelPaymer, Maze, NetWalker, RagnarLocker, REvil, and Sekhmet.
Although some of these are small-time groups, many of them, such as Maze, DoppelPaymer, REvil, and NetWalker, are among the more prolific ransomware gangs operating today.
Other major groups, such as BitPaymer, WastedLocker, LockBit, ProLock, and Dharma, have yet to adopt leak sites. Some experts believe this is a deliberate effort to avoid attracting attention to their illegal activities, as leak sites tend to draw scrutiny from cyber-security firms and law enforcement officials.
In 2020, Conti Ransomware Gang Launches a New Leak Site
In late summer 2020, another major ransomware group shifted towards the double-extortion model and launched a leak site of its own. The operators behind Conti ransomware, a relatively new strain that experts believe is run by the same group behind Ryuk ransomware, are operating two leak sites: one on the public Internet and one on the dark web.
According to BreachKey, the sites already list 26 companies that have declined to pay the ransom demands. For each company listed on the site, the Conti group has published documents stolen from that company’s network.
It seems that double extortion is here to stay, and this means that companies need to keep working towards increased vigilance against ransomware attacks. Previously, victims only had to recover their files and get back to day-to-day operations; today, these attacks almost always also involve the theft of sensitive corporate data, employee records, or personal details about customers.
This means that a ransomware incident also requires an in-depth response. Because data has been stolen, restoring from backups does not make the problem go away, and the incident has to be handled as a data breach as well. Additional network audits are needed to discover any backdoors the attackers may have left behind for use in future attacks.