The Difficulties and Dubiousness of Darkweb Data Leaks Sites

Curated Intel investigates the challenges surrounding darkweb data leak sites in response to the industry's heavy reliance on bad data supplied by threat actors to make assessments about ransomware groups

Written by @BushidoToken

Ransomware attacks are supremely costly and highly disruptive events for organizations globally. They have since also transcended into a national security risk that threatens civilian critical infrastructure, such as hospitals and schools, around the world. One of the main difficulties in combating this threat is that governments and policy makers struggle to fully understand the scale of ransomware attacks. There is a significant problem with trying to calculate the bona fide number of ransomware attacks that actually happen. This blog will highlight why darkweb data leak sites should not be treated as a prime source of information for this type of research.

The Curated Intel community consists of CTI analysts, DFIR professionals, detection engineers, adversary emulation specialists, who all closely track ransomware campaigns. As CTI analysts, we are often asked by stakeholders to make a judgement call whether the total number of ransomware attacks are increasing or decreasing overall. This is really hard to calculate. The truth is, if an organization do not have data and telemetry of their own (such as DFIR engagements or security product detections), it is very difficult to make these kinds of high-level judgments. This is because they are often based on OSINT news reports, posts to darkweb data leak sites, and other types of data, such as monitoring public sandboxes for ransom notes and samples or network traffic analysis to ransom payment portals. 

The key thing to remember about darkweb data leak sites operated by ransomware groups is that they include victims who failed to pay the ransom, most of the time. Data can be stolen and never leaked if the victim pays the ransom. But that doesn't mean it will for certain be deleted by the ransomware threat actors who often exploit the data themselves and/or sell it privately to other underground communities. 

Another interesting aspect is that sometimes the ransomware groups are bluffing and did not actually manage to steal the data. DFIR investigators in Curated Intel have noted that on several occasions there was no evidence of data being stolen but the threat actors insisted it had. They would post screenshots of systems they had access to as proof; however, when no ransom was paid no data was ever leaked. Some theorize that even if the ransomware threat actors did steal data, if it was exfiltrated to a cloud file-sharing application it may have been suspended by the service provider. Therefore, if no offline backup copies of the stolen data were made, it will be lost by the threat actor.

Alternative Sources
To prove that darkweb data leak sites are a vague indicator of how active a ransomware group actually is, Curated Intel researchers have put together a list of evaluated sources that can also be leveraged to track ransomware group activities and build a clearer picture. The list of potential sources are as follows:

  • Engagements by Incident Response firms
    • Naturally, incident response firms can only learn while on engagements with clients. Unless these organizations share data with partners, government or law enforcement, it is restricted to what they see is what they get.
    • It is also worth noting that some incident response firms are contractually obliged to support the victims to pay a ransom and prevent the news of an attack leaking out to the public through non-disclosure agreements (NDAs).
  • Ransomware Negotiation firms
    • Similar to incident response firms, ransomware negotiation firms can only know which ransomware groups are active while on engagements with clients.
  • Malware submissions sites
    • Malware submission sites like VirusTotal can be used to identify ransomware samples and ransom notes, this can be used to track the activity of groups by the number of new and unique samples uploaded by victims, as well as from where and when.
  • ID-Ransomware
    • ID-Ransomware is a unique site that also receives ransom notes and encrypted files from victims who are trying to identify which ransomware family their system was encrypted with; this can also be used to track the volume of submissions related to each threat actor as well as from where and when
  • National CERTs and NCSCs
    • National cybersecurity agencies often respond to large ransomware attacks, especially ones at public sector entities
    • They also can only know what they are informed about and sometimes victims worry about regulators and will avoid reporting ransomware attacks
  • Law enforcement
    • Similar to CERTs and NCSCs, law enforcement often responds to ransomware attacks but again can only know what they are informed about 
  • Regulators
    • Data protection legislation like the European General Data Protection Regulation (GDPR) require victim organizations to report data breaches. 
    • Data-theft-extortion hybrid ransomware attacks are currently one of the most prevalent forms of intrusion and organizations that face non-compliance fines (up to €20 million for severe violations or 4% of their global turnover, whichever is greater) for allowing data to be exposed are prime targets.
    • As a result, GDPR has paradoxically become a tool for financially motivated threat groups who demand a ransom less than a GDPR fine and promise to keep quiet to avoid having to inform regulators.
  • Technology giants
    • Technology giants such as Microsoft has a global telemetry of billions of Windows endpoints and has one of the largest security teams in the world to analyze the data and respond to incidents. This gives Microsoft what researchers like to call a "god mode" view of what happens anywhere on the internet.
  • Cyber Insurance firms
    • Cyber insurance firms also often have similar data to incident response firms, but potentially can have some unique insights from organizations that respond to incidents themselves but require financial assistance to mitigate the issue and, in some cases, pay the ransom.
  • Blockchain Analytics
    • Blockchain analytics firms have some of the most interesting data when it comes to tracking ransomware threat actors. They can monitor transactions between victims and ransomware operators. 
    • Connected cryptocurrency wallet addresses can also be used to identify how the ransomware operators launder their funds and spend it on services such as hosting infrastructure or transactions on forums.

Case Studies

Avaddon Ransomware: In June 2021, the operators of Avaddon ransomware sent Bleeping Computer 2,934 decryption keys, where each key reportedly corresponds to a specific victim. Security firm Emsisoft was able to subsequently release a decryption tool that all victims can use to recover their files for free. Active since June 2020, the Avaddon ransomware group was a highly active campaign. According to Coveware, Avaddon's average ransom demand was around 600,000 USD. Before it shut down its darkweb data leak site, there were 182 victims who had their data published in total since launching in August 2020. It is not clear why Avaddon shut down, some cite increased pressure by law enforcement and governments worldwide. The vast difference between the number of data leaks versus the number of decryption keys underscores, by over a factor of 15, how disconnected the number of leaks is from the reality of how active any particular ransomware group is.

REvil Ransomware: In November 2021, Europol issued a press release surrounding the arrests of seven suspects linked to the REvil and GandCrab ransomware families. Europol stated that these seven are suspected of attacking about 7,000 victims in total. Decryption tools released by BitDefender reportedly helped more than 1,400 companies decrypt their networks, saving them an estimated €475 million in potential losses. These victim counts are also wildly different to the 288 victims listed on REvil's "Happy Blog" darkweb data leak site before it shut down and following arrests by the Russian FSB.

LockBit Ransomware: In May 2022, VX-Underground researchers published a screenshot of a PHPMyAdmin system allegedly belonging to the LockBit administrator. According to statistics on the site, LockBit ransomware had been deployed (with varying degrees of success) at 12,125 companies at the time of writing. The also contrasts starkly from the number of victims who had data published on the LockBit darkweb data leak site, which was around 800 according to a DarkTracer tweet in June 2022.

Key Takeways

  • Analysts that fixate on a single data source or overvalue the meaning of one source are victim to cognitive biases, particularly anchoring and confirmation bias.
  • Analysts should hunt down any information, both supporting and contradicting, to make sound judgements and should acknowledge that their assessments are affected by not having the full picture.