Ransomware gangs are constantly adding twists and tweaks to their operations to stay ahead of the competition, and the latest trend appears to be adding the ability to search data leak sites for specific items belonging to victims that refused to pay. At least three groups are now allowing stolen data to be trawled in this way, including the notorious LockBit gang.
Ransomware gangs build search functions for data leak sites
The trend involves ransomware gangs that engage in “double extortion,” stealing victim data prior to locking it up with encryption. Victims that do not pay the ransom find their documents dumped to publicly viewable data leak sites, but the stolen data has generally been released in large disorganized clumps.
Since June, some ransomware gangs have begun incorporating search functions into these data leak sites. Visitors can more easily search for specific text strings, company names, and file extensions. Some of these tools also allow searching the contents of individual files in the stolen data for words or phrases.
The ALPHV/BlackCat ransomware gang has the most advanced of these search tools thus far, debuting it in early July. This group has been one of the most active ransomware gangs since early 2022, showing a penchant for going after known vulnerabilities in unpatched Microsoft Exchange Servers and hitting roughly 100 organizations this year, including critical infrastructure companies in Germany. The group’s activity prompted an FBI flash warning in April, and it had already innovated by deploying the first ransomware developed in the Rust programming language.
BlackCat had also previously run a trial version of this stolen data search system, allowing information from one of its victims (a spa and hotel in Oregon) to be searched via its data leak site for a time in June. That tool was framed as a courtesy provided to potential victims, allowing guests of the property and employees to run a simple search to see if their personal information was among the stolen data.
Shortly after BlackCat introduced the current version of their search tool, LockBit debuted something similar on their data leak site. The ransomware gang has become a market leader as of late as its biggest rivals have disbanded or been forcibly broken up by law enforcement, and it also pours its ill-gotten gains into research and development of custom malware and ransomware tools. LockBit is behind the curve with its search tool, however, only allowing for combing through the stolen data for names of victims.
A third ransomware gang, Karakurt, also recently got in on this trend. However, tests by several media sources and security professionals indicate that its search tool is not currently working. Karakurt, which has been active since at least late 2021, is connected to the Conti ransomware gang, which recently broke up into numerous smaller organizations to dodge law enforcement attention.
Stolen data search functions may bring more attention to data breaches
Data leak sites make stolen data available to anyone willing to visit the dark web for it, but for the most part the ransomware gangs provide this in one large file that is generally at least dozens of gigabytes in size. While security analysts and other hackers are quick to explore this information, it’s generally too much of a hassle for the general public and mainstream journalists to investigate.
It’s possible that the search functions could draw less cybersecurity-inclined parties to the data leak sites, especially if the tools are framed as being intended for potential breach victims to look up personal information that may have been exposed. That could, in turn, lead to more mainstream media interest and scrutiny of stolen data.
Erich Kron, security awareness advocate at KnowBe4, believes that organizations should also be paying attention to this development: “The ability to structure and easily search for information makes it easier for other cybercriminals to use the stolen data to initiate other attacks, especially social engineering attacks such as email phishing. Bad actors involved in email phishing can make great use of the information found in many data dumps. This in turn could push victim organizations to pay, rather than simply hoping that the information will be lost in the obscurity of the attacker’s website. If organizations discover their information is searchable on one of these sites, they would be wise to train their users to spot and report phishing emails before the information is used against them, rather than afterward.”
The BlackCat breach of the Oregon hotel/spa provides an example of what future developments might look like. The stolen data was 112 GB in size, something that could take a full day or more to download on the average WiFi connection (and exhaust the available storage of a phone, tablet or Chromebook-style ultralight laptop). A good home or office internet connection and a proper computer are generally prerequisites for rifling through the file dumps that data leak sites provide. The ransomware gang instead focused on providing search tools that get right at what specific visitors are looking for, such as Social Security numbers for employees worried about being caught up in the breach.
Ransomware has become a billion-dollar industry, and there are no signs that ransomware gangs will have their methods thwarted in the near future. These “innovations” are expected to continue, and new developments that catch on generally correspond with an increase in asking price for ransom demands. This appears to be the case for BlackCat, which has raised its average demand to $2 to $2.5 million since June; the overall average demand involving stolen data is now hovering around $1 million.