Increased activity of ransomware groups observed on the dark web
Ransomware is a class of malware that encrypts a victim's data and demands a ransom for its release. A victim that neither pays nor has a usable backup usually loses the data for good. Increasingly, however, the attackers also steal the data and publish it on the dark web, exposing the affected company. In that case the pressure comes not from the loss of the data but from the reputational damage of its exposure, and that damage can far exceed the value of the individual records. Who wants to do business with a bank that cannot even protect itself? A prospective customer will not gamble their own money on such a bank's security and will go to a competitor instead.
On the darknet, several ransomware groups operate leak sites on which attacked companies are pilloried in a "hall of shame". Complete data sets are published there for anyone to see, and free download links make the data available for immediate download. These data sets often contain personal information about employees; such a privacy violation caused by inadequate protection can lead to heavy penalties under legal requirements such as the GDPR. Unfortunately, the leaks also frequently expose customers and partners of the affected organization, depending on what data the compromised employee had access to.
The attackers are of course aware of the explosive nature of such revelations and have no scruples about carrying out their threats. The Kaduu research team (https://www.kaduu.io) has recently noticed an accumulation of such activity on the dark web. A recent example is the Cl0p ransomware group. After ceasing all operations for several months, between November 2021 and February 2022, Cl0p is active again. The increase in activity was noticed when the group added 21 new victims to its data leak site in a single month, April. For comparison, in April Lockbit 2.0 published 103 victims and Conti 45, but Cl0p's count rose massively, from 1 to 21. The industrial sector was Cl0p's main target: 45% of its attacks affected industrial companies and 27% technology companies. Companies in the sectors a ransomware group attacks most often should consider the possibility of being that gang's next target and prepare accordingly.
The list of companies whose servers have been hacked by Cl0p in the past includes energy giant Shell, cybersecurity company Qualys, supermarket giant Kroger, and several universities around the world (the University of Colorado, the University of Miami, Stanford Medicine, the University of Maryland Baltimore (UMB), and the University of California).
Victims of such breaches naturally learn of them before the public does; their suppliers and partners, however, usually remain in the dark. It is therefore important to monitor the dark web, including the leak sites of all common ransomware groups, and to include not only the company's own organization but also its most important business relationships in the monitoring plan. Kaduu offers a range of unique dark web and ransomware monitoring services to mitigate those risks.
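The two practical points above, tracking a group's month-over-month victim count (the way Cl0p's jump from 1 to 21 was noticed) and matching leak-site entries against a watchlist that covers suppliers and customers as well as one's own organization, can be demonstrated with a small script. The following is an added example written for this page, not Kaduu's tooling; the feed format, the `LeakPost` structure, the `.example` domains and every victim entry are constructed for illustration and do not correspond to real leak-site posts.

```python
"""Added example (not Kaduu's code): track per-group monthly victim counts from
leak-site posts and alert on watchlisted organizations, including partners.
The feed schema and all entries below are constructed for illustration."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import date
import re


@dataclass(frozen=True)
class LeakPost:
    group: str    # ransomware group operating the leak site
    victim: str   # victim name as printed on the site
    domain: str   # victim domain if the site lists one, otherwise ""
    posted: date  # date the entry appeared


# Constructed sample feed: hypothetical victims, not real leak-site data.
SAMPLE_FEED = [
    LeakPost("cl0p", "Acme Industrial GmbH", "acme-industrial.example", date(2022, 3, 28)),
    LeakPost("cl0p", "Nordwind Machining Ltd.", "", date(2022, 4, 2)),
    LeakPost("cl0p", "Contoso Technologies Inc", "contoso-tech.example", date(2022, 4, 9)),
    LeakPost("cl0p", "Fabrikam Logistics", "fabrikam-logistics.example", date(2022, 4, 21)),
    LeakPost("lockbit2", "Northwind Traders", "northwind.example", date(2022, 4, 5)),
    LeakPost("conti", "Acme Industrial", "", date(2022, 4, 11)),
]

_LEGAL_SUFFIXES = {"gmbh", "ag", "ltd", "inc", "llc", "plc", "corp", "co", "sa", "srl"}


def normalize(name: str) -> str:
    """Lower-case, strip punctuation and trailing legal-form tokens so that
    'Acme Industrial GmbH' and 'ACME INDUSTRIAL' compare equal."""
    tokens = re.sub(r"[^a-z0-9 ]", " ", name.lower()).split()
    while tokens and tokens[-1] in _LEGAL_SUFFIXES:
        tokens.pop()
    return " ".join(tokens)


def monthly_counts(feed):
    """Victims per group per (year, month): the statistic that reveals a
    group going from dormant to very active."""
    counts = defaultdict(Counter)
    for post in feed:
        counts[(post.posted.year, post.posted.month)][post.group] += 1
    return counts


def activity_change(feed, group, prev_month, cur_month):
    """Return (previous, current) victim counts for one group."""
    counts = monthly_counts(feed)
    return counts[prev_month][group], counts[cur_month][group]


def watchlist_matches(feed, watchlist):
    """Match posts against own organization and key business partners.

    watchlist maps a display name to {"domains": [...], "relation": ...}.
    Domains match exactly; names match after normalization, which catches
    sites that print only a company name. Returns a list of
    (post, watch_name, relation, reason) tuples in feed order."""
    hits = []
    for post in feed:
        victim_norm = normalize(post.victim)
        for name, info in watchlist.items():
            domains = {d.lower() for d in info["domains"]}
            if post.domain and post.domain.lower() in domains:
                hits.append((post, name, info["relation"], "domain"))
            elif victim_norm and victim_norm == normalize(name):
                hits.append((post, name, info["relation"], "name"))
    return hits


# Constructed watchlist: the monitored organization itself plus its partners.
WATCHLIST = {
    "Acme Industrial GmbH": {"domains": ["acme-industrial.example"], "relation": "self"},
    "Fabrikam Logistics": {"domains": ["fabrikam-logistics.example"], "relation": "supplier"},
    "Northwind Traders": {"domains": ["northwind.example"], "relation": "customer"},
}


if __name__ == "__main__":
    before, after = activity_change(SAMPLE_FEED, "cl0p", (2022, 3), (2022, 4))
    print(f"cl0p victims: March {before} -> April {after}")
    for post, name, relation, reason in watchlist_matches(SAMPLE_FEED, WATCHLIST):
        print(f"ALERT [{relation}] {name} listed by {post.group} on {post.posted} "
              f"(matched by {reason})")
```

In a real deployment the feed would be scraped from the leak sites over Tor rather than embedded, and the name matching would need tuning per site (some print only a domain, others a free-text description), but the structure stays the same: count per group per month to spot a resurgence, and alert on any entry that touches the watchlist, whether it is your own organization or a supplier whose breach you would otherwise hear about only from the press.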