The Clop ransomware gang is copying an ALPHV ransomware gang extortion tactic by creating Web-accessible web sites devoted to particular victims, making it simpler to leak stolen information and additional pressuring victims into paying a ransom.
When a ransomware gang assaults a company goal, they first steal information from the community after which encrypt information. This stolen information is used as leverage in double-extortion assaults, warning victims that the information will probably be leaked if a ransom isn’t paid.
Ransomware information leak websites are often positioned on the Tor community because it makes it tougher for the web site to be taken down or for legislation enforcement to grab their infrastructure.
Nonetheless, this internet hosting methodology comes with its personal points for the ransomware operators, as a specialised Tor browser is required to entry the websites, engines like google don’t index the leaked information, and the obtain speeds are usually very sluggish.
To beat these obstacles, final yr, the ALPHV ransomware operation, often known as BlackCat, launched a brand new extortion tactic of creating clearweb web sites to leak stolen information that have been promoted as a means for workers to test if their information was leaked.
A clearweb web site is hosted straight on the Web quite than on nameless networks like Tor, which require particular software program to entry.
This new methodology makes it simpler to entry the information and can doubtless trigger it to be listed by engines like google, additional increasing the unfold of the leaked data.
Clop ransomware gang adopts tactic
Final Tuesday, safety researcher Dominic Alvieri informed BleepingComputer that the Clop ransomware gang had began to create clearweb web sites to leak information stolen through the latest and widespread MOVEit Switch information theft assaults.
The primary website created by the risk actors was for enterprise consulting agency PWC, creating a web site that leaked the corporate’s stolen information in 4 spanned ZIP archives.
Quickly after Alvieri informed BleepingComputer, the risk actors additionally created web sites for Aon, EY (Ernst & Younger), Kirkland, and TD Ameritrade.
None of Clop’s websites are as subtle as those created by ALPHV final yr, as they merely listing hyperlinks to obtain the information quite than having a searchable database like BlackCat’s websites.
Supply: BleepingComputer
A waste of time?
These websites purpose to scare staff, executives, and enterprise companions who might have been impacted by the stolen information, hoping it causes them to exert additional strain on an organization to pay the ransom.
Nonetheless, whereas there could also be some advantages to leaking information on this means, additionally they include their very own issues, as placing them on the Web, quite than Tor, makes them much more simply taken down.
Presently, the entire recognized Clop clearweb extortion websites have been taken offline.
It’s unclear if these websites are down attributable to legislation enforcement seizures, DDoS assaults by cybersecurity companies, or internet hosting suppliers and registrars shutting down the websites.
Because of the ease with which they are often shut down, it’s uncertain that this extortion tactic is definitely worth the effort.
