Ransomware gang launch leak site for double extortion

24th September 2020

The Lockbit ransomware outfit has now established a dedicated site to leak stolen private data, enabling it to extort selected targets twice.

The insidious initiative is part of a new strategy to leverage ransoms by scaring victims with the threat of exposing sensitive information to the public eye.

Since the close of 2019, several cybercriminal groups have adopted the double extortion tactic, including the notorious Maze ransomware operators, who have already hit multiple corporations this year.

The attack involves stealing confidential files that are not protected by encryption before striking a network’s devices and encrypting them. The ransomware operators then use the stolen files to threaten their victims with exposure of the data on sites that can be viewed by the public. To prevent this, targets are pressed to pay the requested ransom and stop the release.

Lockbit’s dedicated site for data leaks uncovered

BleepingComputer.com, a computer security help site operated by Lawrence Abrams, reported that, according to intelligence experts at cybersecurity firm Kela Group, Lockbit ransomware operators recently revealed their newly developed leak site online. The outfit posted a direct link to the site's address on a Russian-speaking dark web forum frequented by hackers.

The new data leak site is now fully operational and already hosting exposed confidential information belonging to two separate victims of the Lockbit ransomware outfit. The first is a shipping firm and the second a company that specialises in manufacturing automation parts.

A history of ransomware activity

This is not the first site Lockbit has established for leaked information. The cybercriminal group had previously launched a data leak website but removed it from active service when the ransomware operators became members of what is referred to as the “Maze Cartel.” At that point, Lockbit began using Maze’s own dedicated leak site to publish the files it took from victims.

The newly unveiled data leak website may suggest that the Lockbit ransomware gang is moving towards independence from the Maze family; however, it could also mean that the group simply wishes to have a dedicated leak site that it owns and controls.

Every ransomware attack is technically a data breach as the threat actors who perform such assaults will not simply steal data files but examine the documents to ascertain their contents. Personal data may be exposed in such attacks, so it is the responsibility of any enterprises hit to be entirely transparent regarding the information taken. This allows clients, suppliers, employees, and any other data subjects involved to protect themselves from potential risks.

Lockbit’s data leak site adds to the growing number of such platforms designed to threaten and extort victims into paying ransoms or risk exposure of sensitive information. With the new site joining the list, there are now 17 dedicated leak sites for data taken by ransomware groups employing this method of double extortion.