As more and more ransomware gangs move to the “double extortion” model of stealing sensitive files and threatening to leak them to the public, criminals are seeking new ways to stand out. One approach that has emerged recently is increasing the user-friendliness of data leak sites, adding search features that allow the inquisitive to pore through stolen information for particular names, strings of words or file extensions.
Could easy-to-search stolen data attract more attention to breaches?
While very sensitive data, including financial information, is regularly dumped by ransomware gangs, the stolen data very often does not attract much in the way of casual attention. The “double extortion” ransomware gangs generally dump the information in one or more giant files that are sometimes larger than the average phone’s storage capacity. It is quite a bit of work (and bandwidth) to download these massive files and pore through them looking for interesting items, and unsurprisingly few people outside of the criminal underworld bother to do so.
Easy-to-use search functions could, at least in theory, draw more curious eyeballs to the data leak sites. This in turn could lead to the spread of sensitive and potentially damaging information, putting more pressure on the company to pay ransom demands. It could also create a surge in phishing attempts, as other criminals can more quickly put together targeted profiles on individuals they believe to be high-value.
Data leak sites become increasingly sophisticated tools for ransomware gangs
Ransomware gangs have increasingly incorporated elements of legitimate businesses, with some even having human resources departments to manage “employees” and customer service portals for victims to arrange payments through. The ability to search stolen data is along these general lines, but was only first observed in June of this year.
Different ransomware gangs are at different levels of sophistication with their data leak sites. For example, the BlackCat (aka ALPHV) group allows for search of particular text strings both in file names and within the contents of files. It has also drawn attention to this new “feature” in a savvy way, putting up a portal advertised to potential breach victims as allowing them to confirm what personal information might have been leaked by searching their own name.
Other ransomware gangs are less advanced. LockBit is usually at the forefront of ransomware developments, but its search feature only allows users to look for a particular name in a list of victims. Another of the data leak sites, belonging to the fairly prominent group Karakurt, has a search tool that appears to be nonfunctional at present. If the pattern of adoption of “double extortion” practices holds for this development, the bigger ransomware gangs can be expected to begin applying it to their stolen data within a year or so.
The cost to victims of keeping stolen data out of sight appears to go up as ransomware gangs add these small features. With no end in sight to the ransomware epidemic, security analysts expect a string of new surprises of this nature in the near future.