- Engagements by Incident Response firms
- Naturally, incident response firms can only learn while on engagements with clients. Unless these organizations share data with partners, government or law enforcement, it is restricted to what they see is what they get.
- It is also worth noting that some incident response firms are contractually obliged to support the victims to pay a ransom and prevent the news of an attack leaking out to the public through non-disclosure agreements (NDAs).
- Ransomware Negotiation firms
- Similar to incident response firms, ransomware negotiation firms can only know which ransomware groups are active while on engagements with clients.
- Malware submissions sites
- Malware submission sites like VirusTotal can be used to identify ransomware samples and ransom notes, this can be used to track the activity of groups by the number of new and unique samples uploaded by victims, as well as from where and when.
- ID-Ransomware is a unique site that also receives ransom notes and encrypted files from victims who are trying to identify which ransomware family their system was encrypted with; this can also be used to track the volume of submissions related to each threat actor as well as from where and when
- National CERTs and NCSCs
- National cybersecurity agencies often respond to large ransomware attacks, especially ones at public sector entities
- They also can only know what they are informed about and sometimes victims worry about regulators and will avoid reporting ransomware attacks
- Law enforcement
- Similar to CERTs and NCSCs, law enforcement often responds to ransomware attacks but again can only know what they are informed about
- Data protection legislation like the European General Data Protection Regulation (GDPR) require victim organizations to report data breaches.
- Data-theft-extortion hybrid ransomware attacks are currently one of the most prevalent forms of intrusion and organizations that face non-compliance fines (up to €20 million for severe violations or 4% of their global turnover, whichever is greater) for allowing data to be exposed are prime targets.
- As a result, GDPR has paradoxically become a tool for financially motivated threat groups who demand a ransom less than a GDPR fine and promise to keep quiet to avoid having to inform regulators.
- Technology giants
- Technology giants such as Microsoft has a global telemetry of billions of Windows endpoints and has one of the largest security teams in the world to analyze the data and respond to incidents. This gives Microsoft what researchers like to call a "god mode" view of what happens anywhere on the internet.
- Cyber Insurance firms
- Cyber insurance firms also often have similar data to incident response firms, but potentially can have some unique insights from organizations that respond to incidents themselves but require financial assistance to mitigate the issue and, in some cases, pay the ransom.
- Blockchain Analytics
- Blockchain analytics firms have some of the most interesting data when it comes to tracking ransomware threat actors. They can monitor transactions between victims and ransomware operators.
- Connected cryptocurrency wallet addresses can also be used to identify how the ransomware operators launder their funds and spend it on services such as hosting infrastructure or transactions on forums.
Avaddon Ransomware: In June 2021, the operators of Avaddon ransomware sent Bleeping Computer 2,934 decryption keys, where each key reportedly corresponds to a specific victim. Security firm Emsisoft was able to subsequently release a decryption tool that all victims can use to recover their files for free. Active since June 2020, the Avaddon ransomware group was a highly active campaign. According to Coveware, Avaddon's average ransom demand was around 600,000 USD. Before it shut down its darkweb data leak site, there were 182 victims who had their data published in total since launching in August 2020. It is not clear why Avaddon shut down, some cite increased pressure by law enforcement and governments worldwide. The vast difference between the number of data leaks versus the number of decryption keys underscores, by over a factor of 15, how disconnected the number of leaks is from the reality of how active any particular ransomware group is.
REvil Ransomware: In November 2021, Europol issued a press release surrounding the arrests of seven suspects linked to the REvil and GandCrab ransomware families. Europol stated that these seven are suspected of attacking about 7,000 victims in total. Decryption tools released by BitDefender reportedly helped more than 1,400 companies decrypt their networks, saving them an estimated €475 million in potential losses. These victim counts are also wildly different to the 288 victims listed on REvil's "Happy Blog" darkweb data leak site before it shut down and following arrests by the Russian FSB.
LockBit Ransomware: In May 2022, VX-Underground researchers published a screenshot of a PHPMyAdmin system allegedly belonging to the LockBit administrator. According to statistics on the site, LockBit ransomware had been deployed (with varying degrees of success) at 12,125 companies at the time of writing. The also contrasts starkly from the number of victims who had data published on the LockBit darkweb data leak site, which was around 800 according to a DarkTracer tweet in June 2022.
- Analysts that fixate on a single data source or overvalue the meaning of one source are victim to cognitive biases, particularly anchoring and confirmation bias.
- Analysts should hunt down any information, both supporting and contradicting, to make sound judgements and should acknowledge that their assessments are affected by not having the full picture.