[TheRecord] Some ransomware gangs lose interest in extortion sites

In late 2019, the ransomware group known as Maze pioneered a tactic that soon spread throughout the cybercrime underground: steal encrypted data and threaten to release it publicly unless a ransom is paid.

But according to data collected from the sites these groups operate, the practice that’s sometimes referred to as “double extortion” appears to be declining.

Data released on ransomware extortion sites rose somewhat steadily in 2020 and reached a peak of 521 victims in December of that year. But that number has shrunk almost every month in 2021, and dipped to just 129 victims in June—the lowest number since August 2020.

Allan Liska, a ransomware expert at Recorded Future who has been tracking leak sites operated by ransomware gangs, said these groups are likely realizing that threatening to post stolen data isn’t making them more money.

“Ransomware actors came up with this whole system that they thought would encourage people to pay, and us researchers and journalists lapped it up and said it made perfect sense,” he said. “But we’ve seen over time that companies don’t really suffer consequences if their data winds up on extortion sites. Ransomware actors aren’t always the psychological geniuses we think they are.”

In recent months, groups like Babuk have pulled away from posting victim data on leak sites, deciding to focus on traditional ransomware demands and other types of cybercrime, Liska said. “We saw them focus entirely on extortion, and two months later they’ve gone back to ransomware—it turns out that no one wants to pay to stop their data from being posted.”

Other major ransomware groups including Avaddon, REvil, and Clop have shut down or experienced extended disruptions in recent months. 

Another reason extortion sites might be in decline is that they are seen as a liability for the groups. The sites require the groups to publicly expose more of their infrastructure, which could make it easier for law enforcement to shut down their operations. Additionally, it could encourage victims to work with law enforcement because the tactic makes it impossible for companies to bury ransomware attacks under the rug.

To Liska, this last point potentially forced companies to give ransomware the attention it needs. “One of the things extortion sites did was expose how big our ransomware problem is,” he said. “Most ransomware attacks aren’t like Colonial Pipeline—nobody ever knows about them because the companies don’t want to make them public. Now ransomware is in the news constantly, because the attackers are making them public.”

The post Some ransomware gangs lose interest in extortion sites appeared first on The Record by Recorded Future.

Source: Read More (The Record by Recorded Future)

You might be interested in …

[ThreatPost] Bug Exposed Eufy Camera Private Feeds to Random Users

All posts, ThreatPost

Customers panic and question parent company Anker’s security and privacy practices after learning their home videos could be accessed and even controlled by strangers due to a server-upgrade glitch. Source: Read More (Threatpost)

Read More

[SecurityWeek] SCYTHE Banks $10M Investment for Adversary Simulation

All posts, Security Week

SCYTHE, a software company building technology for adversary simulation, on Monday announced it had secured $10 million in venture capital funding to speed up expansion plans. read more Source: Read More (SecurityWeek RSS Feed)

Read More

[SecurityWeek] Endpoint Security Provider ThreatLocker Raises $20 Million

All posts, Security Week

Endpoint security provider ThreatLocker this week announced that it secured $20 million in a Series B funding round that brings the total capital raised by the company to $24.5 million. read more Source: Read More (SecurityWeek RSS Feed)

Read More

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.