Ransomware Groups' Data Leak Blogs Lie: Stop Trusting Them – Source: www.databreachtoday.com

Fraud Management & Cybercrime, Ransomware


Mathew J. Schwartz
(euroinfosec)


March 15, 2024

Ransomware leak sites are not reliable sources of data. (Shutterstock)

Ransomware gangs are not reliable sources of information. Groups that run data leak blogs – and not all do – use them to pressure new and future victims into paying for the promise of either a decryptor or a pledge to delete stolen data.


The set of victims that ends up on a data leak site is inherently incomplete. Victims who pay a ransom quickly don't get posted, and criminals don't publish those numbers. In addition, "some groups post more of their nonpaying victims than others," and it's often not clear why, said Brett Callow, a threat analyst at Emsisoft.

As a result, relying on data leak blogs to build a picture of attack volume can lead to wildly inaccurate results, not only about victim count but about the impact of any given attack. Unfortunately, some cybersecurity organizations, often aided and abetted by us in the media, regularly track fresh victims claimed by ransomware groups via their Tor-based data leak blogs, aka "name and shame" sites.

"Relying on shame blogs is the last thing we should do while assessing a group threat," said Yelisey Bohuslavskiy, chief research officer at RedSense. "Blogs reflect how often extortion fails, and the victim decides to show the criminals a middle finger. Often, the fewer victims are on the blogs, the more successful the group is."

Compare the BlackBasta and LockBit groups. "BlackBasta has 50% to 60% successful payments, which means only half of their hits go to the blog because they are phenomenally successful," partly because the group typically steals 1 or 2 terabytes of often very important data from each victim, which adds pressure on victims to pay, he said.

By comparison, "we have LockBit, which steals very low-key third-party data in very small volumes, so no one pays them," he said. "But for years, we have LockBit as the 'top ransomware group of the year' and BlackBasta as number seven or something."

Desperate for Data

The underlying problem is that many victims never reveal they have been attacked, leaving an informational vacuum that analysts fill with whatever data is at hand. "They're so thirsty for it they'll crawl through the desert toward a mirage, and when they discover there's no water, they'll drink the sand," said Allan Liska, a threat intelligence analyst at Recorded Future, quoting the classic line spoken by actor Michael J. Fox in the 1995 film "The American President."

Leak sites aren't providing the water. Anyone who treats them otherwise is basically just repeating "something someone said on the internet," Bohuslavskiy said.

"Except here, this someone is a criminal, and a criminal in ransomware, which is a type of crime that is 90% dependent on the social aspect of information proliferation," not least to pressure victims into paying, he said. As a result, taking such data at face value not only "is contrary to the very essence of cybersecurity, which presumes unique data and unique analysis and not open-source quotations," but helps criminals by uncritically amplifying their message.

Not Just Little Lies

Ransomware groups also regularly lie, often to look bigger and badder than they really are – as if disrupting emergency medicine and pediatric hospital care isn't enough.

"Ransomware groups are incentivized to inflate their numbers, so often the victims listed on the site are made up or recycled," Liska said. "We're seeing this with LockBit now. No affiliate trusts them so they are forced to relist old victims as new in order to seem relevant" after law enforcement disrupts the operation (see: Ransomware Operation LockBit Relaunches Dark Web Leak Site).

The same happened after BlackCat – aka Alphv – was disrupted last December and then "claimed" to have 27 fresh victims on its data leak blog. "Well, this 'claim' was 27 logos and no files of evidence," Bohuslavskiy said, meaning it was pure fabrication. Too often, he said, press reports uncritically reported the group as having 27 new victims.
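To make the two arguments above concrete (that a blog's post count runs inverse to a group's extortion success, and that relisted or evidence-free posts inflate it), here is an added example that is not code from the original article or from any of the analysts quoted. It triages a constructed set of leak-site posts with placeholder victim names, flags entries that repeat a previously listed victim or carry no supporting files, and back-solves an incident estimate from the count of credible posts under an assumed payment rate. The 0.55 rate mirrors the BlackBasta figure quoted above; the 0.05 rate used for the comparison group, the group name "group-x" and every victim name are assumptions.

```python
"""Triage ransomware leak-site claims before counting them as incidents.

Added example, not from the original article. Every post below is
constructed with placeholder victim names; the payment rates passed to
estimate_incidents() are assumptions (0.55 mirrors the BlackBasta
estimate quoted in the text, 0.05 is a stand-in for a rarely paid group).
"""
from dataclasses import dataclass
from datetime import date
from typing import Iterable, Optional


@dataclass(frozen=True)
class LeakPost:
    group: str
    victim: str           # victim name exactly as the gang posted it
    posted: date
    evidence_files: int   # sample files/screenshots attached; 0 means logo only


def normalize(name: str) -> str:
    """Collapse case and punctuation so 'Acme Corp.' and 'ACME CORP' match."""
    return "".join(ch for ch in name.lower() if ch.isalnum())


def triage(posts: Iterable[LeakPost], known_before: Optional[Iterable[str]] = None):
    """Split posts into (credible, recycled, unsupported), oldest first.

    recycled    - victim already appeared (in known_before or an earlier post)
    unsupported - first listing, but no files/screenshots backing the claim
    credible    - first listing with evidence attached
    """
    seen = {normalize(n) for n in (known_before or [])}
    credible, recycled, unsupported = [], [], []
    for post in sorted(posts, key=lambda p: p.posted):
        key = normalize(post.victim)
        if key in seen:
            recycled.append(post)
            continue
        seen.add(key)
        if post.evidence_files == 0:
            unsupported.append(post)
        else:
            credible.append(post)
    return credible, recycled, unsupported


def estimate_incidents(posted: int, payment_rate: float) -> float:
    """Back-solve incident volume from a post count.

    If only non-payers end up on the blog, posts = incidents * (1 - rate),
    so incidents = posts / (1 - rate). A 50% payment rate doubles the
    estimate; a near-zero rate leaves it roughly unchanged.
    """
    if not 0.0 <= payment_rate < 1.0:
        raise ValueError("payment_rate must be in [0, 1)")
    return posted / (1.0 - payment_rate)


def summarize(posts, known_before, payment_rate):
    """Claimed vs. credible counts plus an incident estimate for one group."""
    credible, recycled, unsupported = triage(posts, known_before)
    return {
        "claimed": len(credible) + len(recycled) + len(unsupported),
        "credible": len(credible),
        "recycled": len(recycled),
        "unsupported": len(unsupported),
        "estimated_incidents": estimate_incidents(len(credible), payment_rate),
    }


# Constructed data: victims this hypothetical group had already listed earlier.
KNOWN_BEFORE = ["Example Holdings", "Sample Logistics"]

# Constructed March postings by the hypothetical group "group-x".
SAMPLE_POSTS = [
    LeakPost("group-x", "Example Holdings", date(2024, 3, 1), 0),    # relisted, logo only
    LeakPost("group-x", "SAMPLE LOGISTICS", date(2024, 3, 2), 3),    # relisted, different casing
    LeakPost("group-x", "Placeholder Clinic", date(2024, 3, 3), 0),  # new name, no evidence
    LeakPost("group-x", "Fictional Retail Co.", date(2024, 3, 4), 12),
    LeakPost("group-x", "Imaginary Energy", date(2024, 3, 5), 2),
    LeakPost("group-x", "Fictional Retail Co", date(2024, 3, 9), 5),  # reposted days later
]

if __name__ == "__main__":
    print(summarize(SAMPLE_POSTS, KNOWN_BEFORE, payment_rate=0.55))
    # The BlackBasta/LockBit contrast from the text: fewer posts, more incidents.
    print("55% payers, 50 posts ->", round(estimate_incidents(50, 0.55)))
    print(" 5% payers, 80 posts ->", round(estimate_incidents(80, 0.05)))
```

Of the six claimed March victims only two survive triage, and the back-solved estimate shows why a group with 50 posts and a 55% payment rate is implied to have hit more organizations (about 111) than one with 80 posts and a 5% rate (about 84). The payment rate is the input that matters most, and it has to come from incident response, insurer or blockchain data, not from the blog itself.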

What's the answer? Other sources of information about ransomware attack volume, impact and the propensity of victims to pay a ransom remain available, although they're nonpublic and often only published in collated form.

"While not perfect, data from incident response firms, blockchain analysis firms and insurers all provide a much better indicator of ransomware activity than leak site postings," Callow said (see: Record-Breaking Ransomware Profits Surpassed $1B in 2023).

Rely on that information instead. Don't make it any easier for ransomware groups – or their potential nation-state backers – to disrupt society by committing crimes against humanity, or to be held less accountable for those crimes.

Original Post url: https://www.databreachtoday.com/blogs/ransomware-groups-data-leak-blogs-lie-stop-trusting-them-p-3583


Author: CISO2CISO Editor 2
Date: 2024-03-17 03:59:16
