Who’s Disrupting Ransomware Groups’ Stolen Data Leak Sites?
Fraud Management & Cybercrime , Ransomware
Major Drama in the Online Underworld Mathew J. Schwartz (euroinfosec) • September 9, 2022 Unavailable: LockBit’s Tor-based victim naming and data leaking site
Someone is disrupting ransomware operations’ data leak sites by targeting them with distributed denial-of-service attacks.
See Also: Webinar | Prevent, Detect & Restore: Data Security Backup Systems Made Easy
No one has yet claimed credit for the ongoing disruptions and slowdowns. The best-known ransomware-as-a-service group to be affected so far is LockBit. Late last month, administrator “LockBitSupp” cried “DDoS attack” after its data leak site went offline.
But LockBit is hardly the only operation to be targeted. In recent weeks, Cisco Talos reports that the leak site of Alphv – aka BlackCat – appears to have been disrupted, as has BianLian, Everest, Hive, Lorenz, LV, Quantum, Ragnar Locker, Snatch and Yanluowang, as well as potentially Vice Society.
Getting disrupted by DDoS attacks is bad for criminals’ profits, obviously, but also for their brands. What does it mean if these supposed cybercrime masterminds’ infrastructure is so rickety that it can be overwhelmed by junk internet traffic hired from inexpensive stresser/booter services?
Ransomware Bro Saga Continues
It’s unclear if these disruptions might be the work of law enforcement or intelligence agencies. One theory is that rival operators are targeting each other.
Given that most operators don’t back away from trying to smack down rivals with language worthy of an adolescent soap opera, this seems like a plausible explanation. Since a teenaged Austin Thompson, aka “DerpTrolling,” popularized the practice of disrupting online gaming sites during Christmas 2013 “for the lulz,” the same demographic has regularly engaged in similar efforts.
Indeed, why shouldn’t ransomware rivals hell-bent on trashposting and adolescent boasts tap DDoS as a further means of expression?
Unfortunately for anyone who’s fed up with ransomware, this “concerted effort” to disrupt data leak sites doesn’t seem to be shutting down attackers’ operations, say Cisco Talos researchers Azim Khodjibaev, Colin Grady and Paul Eubanks.
In a recent cybercrime forum post, LockBitSupp says victims will receive the cryptocurrency wallet address they need to pay a bitcoin ransom. Likewise, the group’s affiliates, who access the crypto-locking malware via a portal and use it to infect victims, allegedly still have the ability to grab copies of the ransomware because the administrator panels aren’t being disrupted.
This seems to be the case with all groups being targeted. “This activity is only affecting the data leak sites and not the ability to conduct ransomware operations, as it is hindering the ability for these ransomware affiliates and operators to post new victim information publicly,” the Cisco Talos researchers say in a blog post.
Affected groups appear to be trying to get ahead of the problem, with varying degrees of success. For example, the researchers say that Quantum has been taking a somewhat “amateur” approach by redirecting traffic back to the system that made the request, but in a manner that still leaves its site unable to serve traffic.
It should come as no surprise that LockBit’s response has been more sophisticated, at least technically speaking (see: Keys to LockBit’s Success: Self-Promotion, Technical Acumen).
LockBitSupp said in a recent forum post that the group has been “modernizing” its approach in part by standing up mirrors, as well as generating a unique URL for each victim for conducting negotiations. To regain the ability to publicize victims, he promised to put stolen data into torrent files and then circulate them to whoever is interested.
He’s also threatened to make DDoS attacks a part of LockBit’s regular operations, which is known as triple extortion. Again, however, this could just be an attempt to try and seize the narrative, given the egg on his operation’s face.
So far, the overall volume of data leak site announcements remains markedly lower than in weeks past. In the past two weeks, BianLian, Hive, LockBit, Quantum and Vice Society have collectively announced just a handful of fresh victims, threat intelligence firm Kela reports.
As of Friday, multiple groups’ Tor-based leak sites remained inaccessible, including the one run by LockBit. But although they might try to spin this as an opportunity, clearly, for some ransomware groups, the tables have been turned. Cybercriminals: Feel the pain.