Ever since ransomware actors took to stealing and leaking data rather than merely encrypting it, they have had to solve a practical problem: how to exploit a successful breach in a way that scales.
If you leak data from a few victims, the answer is fairly simple: post sample data on a dark web site and give the victim organization the secret address so it can verify that you are not bluffing.
Now imagine that hundreds or even thousands of organizations are breached in a single incident. Managing and leaking stolen data on that scale is a far more complex and time-consuming operation, and it forces the criminals to innovate.
Until recently, the problem was largely hypothetical. In June, the Clop (or Cl0p) ransomware group changed this by pulling off an epic data breach affecting an unknown but potentially very large number of organizations running a vulnerable version of the MOVEit file transfer platform.
"Epic" is not an adjective used lightly here. Estimates of the number of companies that may have lost data in the attack now run to over 1,000, and anti-malware vendor Emsisoft puts the confirmed total at 513 (as of July 18).
According to Emsisoft's analysis of breach notifications and company filings, the confirmed victims include 109 schools in the United States alone, and the number of individuals affected across the whole breach stands at 34 million. It could get worse:
“Some of the organizations impacted provide services to multiple other organizations, and so the numbers above are likely to increase significantly as those organizations start to file notifications.”
In short, it could turn out to be the single biggest data breach ever made public.
There’s a Website for That
From the start, Clop said it would leak data as a way of pressuring victims to pay up. What’s intriguing is how the group has gone about this.
Normally, stolen data is leaked on dark websites reachable only through the Tor network, whose design makes them much harder for governments and police to take down. The downside of Tor is that transfer rates are far lower than for a conventional website, and leak sites can be difficult for the average Internet user to find.
However, for criminals, allowing non-experts to find leak sites is becoming more important. The thinking is that if employees and customers who’ve had their data stolen during a breach can see it for themselves this might put more pressure on organizations to pay ransoms.
According to a recent report in Bleeping Computer, Clop's answer is simple: post links to the data on conventional, clearnet websites. Such sites are easy to take down, but the criminals calculate that by the time they are, many of the people affected will already have seen them.
Clop is already said to have posted caches of data stolen in the MOVEit breach on websites individually dedicated to some of the companies involved. As Bleeping Computer notes, the sites are unsophisticated data dumps in .zip archive form, but that could change in time. The current state of the art is the BlackCat (ALPHV) group, which last year set up websites that allowed victims to search for their own data.
It seems likely that this innovation will spread, fueled at first by the occasional large-scale breach but eventually becoming a standard ransomware tactic.
With evidence emerging that the percentage of victims paying ransoms is declining, the criminals are being forced to innovate. The larger question is whether defenders can match this evolution with new ideas of their own.