Euro Security Watch with Mathew J. Schwartz

Fraud Management & Cybercrime , Ransomware

Ransomware Groups' Data Leak Blogs Lie: Stop Trusting Them

Don't Let the Quest for Data Lead You to Amplify What Criminals Might Be Claiming
Ransomware Groups' Data Leak Blogs Lie: Stop Trusting Them
Ransomware leak sites are not reliable sources of data. (Shutterstock)

Ransomware gangs are not reliable sources of information. Groups that run data leak blogs - and not all do - use them to pressure new and future victims into paying for the promise of either a decryptor or a pledge to delete stolen data.

See Also: 5 Requirements for Modern DLP

The number of victims that end up on a data leak site is inherently incomplete. Victims who pay a ransom quickly don't get posted; criminals don't publish these numbers. In addition, "some groups post more of their nonpaying victims than others," and it's often not clear why, said Brett Callow, a threat analyst at Emsisoft.

As a result, relying on data leak blogs to build a picture of attack volume can lead to wildly inaccurate results, not only about victim count but about the impact of any given attack. Unfortunately, some cybersecurity organizations, often aided and abetted by us in the media, regularly track fresh victims claimed by ransomware groups via their Tor-based data leak blogs, aka "name and shame" sites.

"Relying on shame blogs is the last thing we should do while assessing a group threat," said Yelisey Bohuslavskiy, chief research officer at RedSense. "Blogs reflect how often extortion fails, and the victim decides to show the criminals a middle finger. Often, the fewer victims are on the blogs, the more successful the group is."

Compare the Black Basta and LockBit groups. "Black Basta has 50% to 60% successful payments, which means only half of their hits go to the blog because they are phenomenally successful," in part because the group typically steals 1 or 2 terabytes of often very critical data from every victim, which adds pressure on victims to pay, he said.

By comparison, "we have LockBit, which steals very low-key third-party data in very small volumes, so no one pays them," he said. "But for years, we have LockBit as the 'top ransomware group of the year' and Black Basta as number seven or something."

Desperate for Data

The underlying challenge is that many victims never reveal they were attacked, leaving an informational vacuum analysts fill with data at hand. "They're so thirsty for it they'll crawl through the desert toward a mirage, and when they discover there's no water, they'll drink the sand," said Allan Liska, a threat intelligence analyst at Recorded Future, quoting the classic line spoken by actor Michael J. Fox in the 1995 film "The American President."

Leak sites aren't offering the water. Anyone who treats them otherwise is basically just repeating "something someone said on the internet," Bohuslavskiy said.

"Except here, this someone is a criminal, and a criminal in ransomware, which is a type of crime that is 90% dependent on the social aspect of information proliferation," not least to pressure victims into paying, he said. As a result, taking such data at face value not only "is contrary to the very essence of cybersecurity, which presumes unique data and unique analysis and not open-source quotations," but helps criminals by uncritically amplifying their message.

Not Just Little Lies

Ransomware groups also regularly lie often to seem bigger and badder than they really are - as if disrupting emergency medicine and pediatric hospital care isn't enough.

"Ransomware groups are incentivized to inflate their numbers, so often the victims listed on the site are made up or recycled," Liska said. "We're seeing this with LockBit now. No affiliate trusts them so they are forced to relist old victims as new in order to seem relevant" after law enforcement disrupts the operation (see: Ransomware Operation LockBit Relaunches Dark Web Leak Site).

The same happened after BlackCat - aka Alphv - was disrupted last December and then "claimed" to have 27 fresh victims on its data leak blog. "Well, this 'claim' was 27 logos and no files of evidence," Bohuslavskiy said, meaning it was pure fabrication. Too often, he said, press reports uncritically reported the group having 27 new victims.

What's the answer? Other sources of information about ransomware attack volume, impact and the propensity of victims to pay a ransom remain available, although they're nonpublic and typically only published in collated form.

"While not perfect, data from incident response firms, blockchain analysis firms and insurers all provide a much better indicator of ransomware activity than leak site postings," Callow said (see: Record-Breaking Ransomware Profits Surpassed $1B in 2023).

Rely on this information instead. Don't make it any easier for ransomware groups - or their potential nation-state backers - to disrupt society by committing crimes against humanity or to be less held to account for those crimes.

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.