
Starting last year, ransomware operators have escalated their extortion strategies by stealing files from victims before encrypting their data. These stolen files are then used as further leverage to force victims to pay.
Many ransomware operators have created data leak sites to publicly shame their victims and publish the files they stole.
As this is now a standard tactic for ransomware, all attacks must be treated as data breaches.
Below is a list of ransomware operations that have created dedicated data leak sites to publish data stolen from their victims.
The list of ransomware data leak sites
AKO Ransomware (Rebranded as Ranzy below)
AKO ransomware began operating in January 2020 when they started to target corporate networks with exposed remote desktop services.
Unlike other ransomware, Ako requires larger companies with more valuable information to pay a ransom and an additional extortion demand to delete stolen data.
If payment is not made, the victim's data is published on their "Data Leak Blog" data leak site.

Avaddon Ransomware
Avaddon ransomware began operating in June 2020 when it was launched in a spam campaign targeting users worldwide.
If payment is not made, the victim's data is published on their "Avaddon Info" site.

Babyk Ransomware
Babuk Locker is a new ransomware operation that launched at the beginning of 2021 and has since amassed a small list of victims worldwide.

CL0P Ransomware
CL0P started as a CryptoMix variant and soon became the ransomware of choice for an APT group known as TA505.
This group's ransomware activities gained media attention after encrypting 267 servers at Maastricht University.
In March 2020, CL0P released a data leak site called 'CL0P^-LEAKS', where they publish the victim's data.

Conti Ransomware
Conti Ransomware is the successor of the notorious Ryuk Ransomware and is now being distributed by the TrickBot trojan.
This ransomware started operating in June 2020 and is distributed after a network is compromised by the TrickBot trojan.
Operated as a private Ransomware-as-a-Service (RaaS), Conti released a data leak site with twenty-six victims on August 25, 2020.

Cuba Ransomware
Cuba ransomware launched in December 2020 and utilizes the .cuba extension for encrypted files.

DarkSide Ransomware
DarkSide is a new human-operated ransomware that started operation in August 2020.
After encrypting victims, they charge different amounts depending on the number of devices encrypted and whether they were able to steal data from the victim.
BleepingComputer has seen ransom demands as low as $200,000 for victims who did not have data stolen to a high of $2,000,000 for victims whose data was stolen.

DoppelPaymer Ransomware
In July 2019, a new ransomware appeared that looked and acted just like another ransomware called BitPaymer.
Named DoppelPaymer by CrowdStrike researchers, it is thought to have been created by a member of the BitPaymer group who split off and started this ransomware as a new operation.
Soon after CrowdStrike's researchers published their report, the ransomware operators adopted the given name and began using it on their Tor payment site.
DoppelPaymer targets its victims through remote desktop hacks and access given by the Dridex trojan.
High profile victims of DoppelPaymer include Bretagne Télécom and the City of Torrance in Los Angeles county.
In February 2020, DoppelPaymer launched a dedicated leak site that they call "Dopple Leaks" and have threatened to sell data on the dark web if a victim does not pay.

Egregor Ransomware
Egregor began operating in the middle of September, just as Maze started shutting down their operation.
BleepingComputer was told that Maze affiliates moved to the Egregor operation, which coincides with an increased activity by the ransomware group.
For a new ransomware, it has been involved in some fairly large attacks that targeted Crytek, Ubisoft, and Barnes and Noble.

Everest (Everbe) ransomware
The Everest Ransomware is a rebranded operation previously known as Everbe. This group predominantly targets victims in Canada.

LockBit Ransomware
Started in September 2019, LockBit is a Ransomware-as-a-Service (RaaS) where the developers are in charge of the payment site and development and 'affiliates' sign up to distribute the ransomware.
Originally part of the Maze Ransomware cartel, LockBit was publishing the data of their stolen victims on Maze's data leak site.
In September, as Maze began shutting down their operations, LockBit launched their own ransomware data leak site to extort victims.

Maze Ransomware
Maze ransomware is single-handedly to blame for the new tactic of stealing files and using them as leverage to get a victim to pay.
First spotted in May 2019, Maze quickly escalated their attacks through exploit kits, spam, and network breaches.
In November 2019, Maze published the stolen data of Allied Universal for not paying the ransom.
Since then, they started publishing the data for numerous victims through posts on hacker forums and eventually a dedicated leak site. Soon after, all the other ransomware operators began using the same tactic to extort their victims.
Maze shut down their ransomware operation in November 2020.
Maze is responsible for numerous high profile attacks, including ones against cyber insurer Chubb, the City of Pensacola, Bouygues Construction, and Banco BCR.

MountLocker
Starting in July 2020, the Mount Locker ransomware operation became active as they started to breach corporate networks and deploy their ransomware. From ransom notes seen by BleepingComputer, the Mount Locker gang is demanding multi-million dollar ransom payments in some cases.
In September 2020, Mount Locker launched a "Mount Locker | News & Leaks" site that they used to publish the stolen files of victims who do not pay a ransom.

Nemty Ransomware
Originally launched in January 2019 as a Ransomware-as-a-Service (RaaS) called JSWorm, the ransomware rebranded as Nemty in August 2019.
As affiliates distribute this ransomware, it also uses a wide range of attacks, including exploit kits, spam, RDP hacks, and trojans.
In March, Nemty created a data leak site to publish the victim's data. This site is not accessible at this time.

Nephilim Ransomware
On March 30th, the Nemty ransomware operator began building a new team of affiliates for a private Ransomware-as-a-Service called Nephilim.
Unlike Nemty, a free-for-all RaaS that allowed anyone to join, Nephilim was built from the ground up by recruiting only experienced malware distributors and hackers.
Soon after, they created a site called 'Corporate Leaks' that they use to publish the stolen data of victims who refuse to pay a ransom.

Netwalker Ransomware
Starting as the Mailto ransomware in October 2019, the ransomware rebranded as Netwalker in February 2020.
Best known for its attack against the Australian transportation company Toll Group, Netwalker targets corporate networks through remote desktop hacks and spam.
In May 2020, Netwalker started to recruit affiliates with the lure of huge payouts and an auto-publishing data leak site that uses a countdown to try and scare victims into paying.
Law enforcement seized the Netwalker data leak and payment sites in January 2021.

Pay2Key ransomware
Pay2Key is a new ransomware operation that launched in November 2020 that predominantly targets Israeli organizations.
It is not believed that this ransomware gang is performing the attacks to create chaos for Israeli businesses and interests.

Pysa Ransomware (Mespinoza)
Pysa first appeared in October 2019 when companies began reporting that a new ransomware had encrypted their servers.
When first starting, the ransomware used the .locked extension for encrypted files and switched to the .pysa extension in November 2019.
With ransom notes starting with "Hi Company" and victims reporting remote desktop hacks, this ransomware targets corporate networks.
For those interested in reading more about this ransomware, CERT-FR has a great report on their TTPs.
The ransomware operators have created a data leak site called 'Pysa Homepage' where they publish the stolen files of their "partners" if a ransom is not paid.

Ragnar Locker Ransomware
First seen in February 2020, Ragnar Locker was the first to heavily target and terminate processes used by Managed Service Providers (MSP).
This tactic showed that they were targeting corporate networks and terminating these processes to evade detection by an MSP and make it harder for an ongoing attack to be stopped.
Ragnar Locker gained media attention after encrypting the Portuguese energy giant Energias de Portugal (EDP) and asking for a 1,580 BTC ransom.
Ragnar Locker has created a website called 'Ragnar Leaks News' where they publish the stolen data of victims who do not pay a ransom.

RansomExx/Defray 777
RansomExx ransomware is a rebranded version of the Defray777 ransomware and has seen increased activity since June 2020.
Some of their victims include Texas Department of Transportation (TxDOT), Konica Minolta, IPG Photonics, Tyler Technologies, and SoftServe.

Ranzy Locker
ThunderX is a ransomware operation that was launched at the end of August 2020. Soon after launching, weaknesses were found in the ransomware that allowed a free decryptor to be released.
The ransomware operators quickly fixed their bugs and released a new version of the ransomware under the name Ranzy Locker.
In October, the ransomware operation released a data leak site called "Ranzy Leak," which was strangely using the same Tor onion URL as the AKO Ransomware.
The AKO ransomware gang told BleepingComputer that ThunderX was a development version of their ransomware and that AKO rebranded as Ranzy Locker.

REvil / Sodinokibi Ransomware
Sodinokibi burst into operation in April 2019 and is believed to be the successor of GandCrab, who shut down their ransomware operation in 2019.
Also known as REvil, Sodinokibi has been a scourge on corporate networks after recruiting an all-star team of affiliates who focus on high-level attacks utilizing exploits, hacked MSPs, and spam.
Known victims of the REvil ransomware include Grubman Shire Meiselas & Sacks (GSMLaw), SeaChange, Travelex, Kenneth Cole, and GEDIA Automotive Group.
After Maze began publishing stolen files, Sodinokibi followed suit by first publishing stolen data on a hacker forum and then launching a dedicated "Happy Blog" data leak site.

Sekhmet Ransomware
Sekhmet appeared in March 2020 when it began targeting corporate networks.
"Your company network has been hacked and breached. We downloaded confidential and private data. In case of not contacting us in 3 business days this data will be published on a special website available for public view," states Sekhmet's ransom note.
The Sekhmet operators have created a website titled 'Leaks leaks and leaks' where they publish data stolen from their victims.

Snatch Ransomware
In operation since the end of 2018, Snatch was one of the first ransomware infections to steal data and threaten to publish it.
They previously had a leak site hosted at multiple Tor addresses, but these have since been shut down. It is not known if they are continuing to steal data.

(Source: Zerofox)
SunCrypt
SunCrypt is a ransomware that has been operating since the end of 2019, but has recently become more active after joining the 'Maze Cartel.'
SunCrypt launched a data leak site in August 2020, where they publish the stolen data for victims who do not pay a ransom.

Ransomware who leak data without dedicated sites
Instead of creating dedicated "leak" sites, the ransomware operations below leak stolen files on hacker forums or by sending emails to the media.
CryLock Ransomware
Operating since 2014/2015, the ransomware known as Cryakl rebranded this year as CryLock.
As part of the rebrand, they also began stealing data from companies before encrypting their files and leaking them if not paid.

ProLock Ransomware
The ProLock Ransomware started out as PwndLocker in 2019 when they started targeting corporate networks with ransom demands ranging from $175,000 to over $660,000.
After a weakness allowed a decryptor to be made, the ransomware operators fixed the bug and rebranded as the ProLock ransomware.

Snake Ransomware
Snake ransomware began operating at the beginning of January 2020 when they started to target businesses in network-wide attacks.
Most recently, Snake released the patient data for the French hospital operator Fresenius Medical Care.

This list will be updated as other ransomware infections begin to leak data.
