What is a Dedicated Leak Site (DLS)?

A dedicated leak site (DLS) is a website, typically hosted on the dark web, on which a ransomware or extortion group publishes data stolen from its victims. The threat actors deliberately compromise the confidentiality of that data in order to monetize the stolen information and extort money from businesses.

These sites can contain sensitive information such as login credentials, intellectual property, and personal and financial data, which exposes the affected organization to further security breaches, identity theft, financial fraud, reputational damage, and legal consequences.

The first DLS detected: Maze

In December 2019, the operators of Maze ransomware created their own dedicated leak site with the intention of publishing their victims’ data as leverage for financial gain. They used the DLS to pressure victims who refused to pay the ransom.

Since then, the number of DLSs has grown continuously. More information on modern hi-tech cybercrime trends is available in this white paper.

Maze was also one of the first gangs to use the double extortion technique, in which the attackers exfiltrate the victim’s data before encrypting it and then threaten to publish it on the DLS if the ransom is not paid. Today, ransomware operators usually publish a small sample of the data first to demonstrate the scope of the breach, and promise to delete the data once the ransom is paid. However, there have been cases where links to the stolen files, hosted on servers that are also used by other criminals, remained available even after the demand was met. Paying the ransom therefore provides no guarantee that the data has actually been deleted.

Ransomware*: a type of malicious software used by cybercriminals. When a device is infected with ransomware, the malware can block access to the system and encrypt its data. The aim is to hold the victim’s information hostage until the ransom is paid (or until the intruder is caught). The ransomware threat is growing steadily and generates billions of dollars in profit for cybercriminals.

The recent surge in Dedicated Leak Sites (DLSs)

A growing number of new DLSs: the decrease in the number of affiliate programs* did not stop the number of DLSs from increasing. This means that ransomware operators continued to be active even without Ransomware-as-a-Service (RaaS)*.

Affiliate programs*: affiliates recruited by ransomware groups identify targets and deploy ready-made malware against the victim, usually earning a percentage of the ransom.

Ransomware-as-a-Service (RaaS)*: in the contemporary world almost any activity can be turned into a service, and ransomware is no exception. Attackers no longer need to write their own malware; it can be rented or bought in its entirety.

[Diagram: dedicated data leak site]

Every day, data belonging to at least eight companies worldwide appears on DLSs, and those companies are estimated to account for only 10% of all ransomware victims; most victims never appear on a leak site. The number of DLSs on which threat actors publish stolen data grew by 83%. In H2 2021 – H1 2022, data belonging to 2,886 victim organizations was published. LockBit, Conti, and Hive were the most active ransomware groups, together accounting for more than 50% of all data published.

New platform for selling data: in cases where victims refuse to pay the ransom and do not maintain contact with the attackers, the groups may start selling the stolen data through the dedicated leak site. Such cases have already occurred but have not yet become a trend.

Additional pressure: for the victim, the publication of confidential data on a DLS is added pressure on top of the encryption. In most cases it is the final straw that makes the victim pay the ransom.

Repository leaks: public code repositories are one of the resources adversaries use when planning an attack on a company. By searching through repositories, intruders may find leaked secrets (hard-coded credentials, API keys, private keys) that later serve as a foothold for gaining access to the victim’s infrastructure.

Personal data: DLSs often expose personal data (confidential information about individuals) that attackers can weaponize for secondary attacks such as phishing and identity fraud.
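
As an added example (not code from the original article or from Group-IB), the following Python script shows the kind of search an attacker, or a defender scanning their own repositories before an attacker does, would run over repository contents: signature patterns for well-known key formats plus a Shannon-entropy check that catches long random-looking strings the signatures miss. The sample file, the rule set and the entropy threshold are constructed for this illustration; the AWS key pair in the sample is the placeholder pair from AWS’s own documentation, not a real credential.

```python
import math
import re

# Constructed sample file, written for this example to resemble a config file
# accidentally committed to a public repository. Nothing in it is a real secret:
# the AWS key pair is the placeholder pair from AWS's documentation.
SAMPLE_REPO_FILE = """\
# config.py
DB_HOST = "db.internal.example.com"
DB_PASSWORD = "Summer2022!"
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
DEBUG = True
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEA7
-----END RSA PRIVATE KEY-----
"""

# Signature rules: (name, compiled regex). Illustrative patterns, not an
# exhaustive ruleset; a capture group, when present, isolates the secret value.
SIGNATURE_RULES = [
    ("aws_access_key_id", re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")),
    ("private_key", re.compile(r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----")),
    ("hardcoded_secret", re.compile(
        r"(?i)(?:password|passwd|pwd|secret|token)\w*\s*[:=]\s*['\"]([^'\"]{6,})['\"]")),
]

# Candidate tokens for the entropy rule: long runs of base64/URL-safe characters.
TOKEN_RE = re.compile(r"[A-Za-z0-9+/=_\-]{20,}")
ENTROPY_THRESHOLD = 4.0  # bits per character; an assumed cut-off for this example


def shannon_entropy(s: str) -> float:
    """Shannon entropy of a string in bits per character (0.0 for a repeated char)."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(text: str) -> list:
    """Return findings as (line_number, rule_name, evidence) tuples."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, rx in SIGNATURE_RULES:
            m = rx.search(line)
            if m:
                evidence = m.group(1) if m.groups() else m.group(0)
                findings.append((lineno, name, evidence))
        for tok in TOKEN_RE.findall(line):
            # Skip SCREAMING_SNAKE identifiers: they are variable names, not secrets.
            if re.fullmatch(r"[A-Z_]+", tok):
                continue
            if shannon_entropy(tok) >= ENTROPY_THRESHOLD:
                findings.append((lineno, "high_entropy_string", tok))
    return findings


def flagged_lines(text: str) -> set:
    """Set of line numbers that triggered at least one rule."""
    return {lineno for lineno, _, _ in scan_text(text)}


if __name__ == "__main__":
    for lineno, rule, evidence in scan_text(SAMPLE_REPO_FILE):
        print(f"line {lineno:>2}  {rule:<20} {evidence[:12]}...")
```

Run against the sample, the scanner flags the password assignment, the AWS access key, the secret key (twice: by the assignment pattern and by entropy) and the private-key header, while leaving the hostname and the DEBUG flag alone. The entropy rule is what makes the search useful against secrets with no recognizable prefix, at the cost of false positives on hashes and encoded blobs, which is why real tools combine it with an allowlist.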

What are the types of data found on a DLS?

Besides the different methods of obtaining information, it is worth mentioning the types of data that are usually targeted for theft. All the data types below can be stolen and placed on a DLS page to extort the victim.

Credentials: attackers can do a lot of damage with credentials, since they grant access to systems, data, and resources the attackers are not authorized to use. With stolen credentials, offenders can penetrate deeper into a company’s infrastructure, cause irreparable damage, and exfiltrate business information or divert funds.

Payment methods: this risk mainly concerns the banking sector. Payment method information is a valuable target because it can be monetized directly. Having obtained bank customers’ card data, the attackers may demand a ransom and, if it is not paid, publish all the data on their DLS.

Accesses: even when all attention is focused on keeping the data itself secure, there is always a chance that an attacker will use a third-party vendor connected to the targeted infrastructure to gain access. Needless to say, once attackers are inside your infrastructure they can carry out a wide range of malicious activities that cause significant damage to the organization.

What is the compromised data used for?

Not all data accessed by attackers is necessarily used for cyber attacks.

Data breaches occur in two main ways:

Accidental: cases in which somebody gains access to a device holding sensitive data without any intention of stealing it for ransom. Such incidents can nevertheless become the cause of a data breach and create additional attack vectors; they indicate a low level of information security. Even if the data accessed is not used for an attack, it still represents a significant security risk.

Malicious: cases in which even a high level of information security did not hold, because the intruders planned their attack in detail. The method of stealing the data was considered from several angles and the attack proceeded in several stages.

Most common methods: how do attackers gain illegitimate access to the data?

Attackers use several methods to gain access to a target, such as:

Phishing: attacks that exploit human trust. In most cases, attackers impersonate an organization or individual the victim is familiar with so that the victim does not suspect forgery.

Malware: here everything happens at the operating system, hardware, or network layer. The malware penetrates the victim’s infrastructure and executes a malicious process that leads to a data breach and can give attackers access to critical data.

Physical access: this method is the least common and the most demanding. To carry out such an attack, the intruder needs to reach the place where the hardware is located and physically gain access to the infrastructure.

Which entities are most affected by a data breach?

A successful attack can have grave consequences. It impacts:

Government: in this case, data leaks risk disclosing highly confidential information to foreign parties, such as:

  • details of military operations,
  • the terms of political dealings,
  • particulars of, and even access to, essential national infrastructure,
  • critical information infrastructure, etc.

Access to such data can put both the authorities and their citizens at high risk.

Business: for businesses, data leaks can have a ripple effect of continuing damage to reputation, business integrity, and finances. Most often, companies lose their reputation because attackers managed to obtain their customers’ confidential data, and this affects not only current but also prospective customers.

Individuals: for individuals, a data leak means that confidential information was obtained without their consent. In such cases the most commonly stolen data is:

  • personal identification data,
  • addresses,
  • billing details,
  • photos, videos or other media in which the victim appears.

Such leaks can lead to both ethical and material damage.

How to prevent data breaches?

Several tips can help prevent data breaches. By following them, damage to personal and corporate data can be avoided.

Update and upgrade: as soon as new patches for the information security solutions in use become available, install them immediately. It is equally important to follow new trends in information protection and to use only high-quality solutions. For corporate needs, solutions are required that have all the functionality needed to detect threats promptly and respond to them.

Educate your employees: quite often the cause of a corporate data leak is employees’ lack of awareness of basic information security rules. That is why employee education is one of the most important investments for any company today.

Enable high-grade email protection: according to Group-IB research, in 80% of cases attackers gain initial access to the IT infrastructure via corporate email. Email protection is therefore essential: it provides in-depth analysis of email content and a prompt response to potential and actual threats.

Follow the trends: to organize proper protection and stay aware of the latest attacks and leaked data, leverage a Cyber Threat Intelligence platform.
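
As an added illustration, not part of the original article or of any Group-IB product, the following Python snippet shows the core of a DLS watch as a threat-intelligence platform might implement it: a feed of leak-site postings (here a constructed list; a real deployment would obtain it from a scraper or a CTI API) is checked against a watchlist of your own organization’s names and domains and of the third-party vendors that hold access to your infrastructure. The victim names, domains and dates are invented for the example; the normalization rules and the legal-suffix list are assumptions.

```python
import re
from datetime import date

# Legal-form suffixes dropped during name normalisation (assumed list for this example).
LEGAL_SUFFIXES = {"inc", "llc", "ltd", "gmbh", "plc", "corp", "co", "sa", "ag", "bv"}

# Constructed postings, in the normalised form a scraper or CTI feed would deliver.
# Victims, domains and dates are invented; the group names are DLS operators named
# in the article.
DLS_POSTINGS = [
    {"group": "LockBit", "victim": "Acme Widgets, Inc.",
     "domain": "acme-widgets.example", "published": "2022-05-03"},
    {"group": "Hive", "victim": "Northwind Logistics Ltd",
     "domain": "northwind.example", "published": "2022-05-04"},
    {"group": "Conti", "victim": "Globex Corporation",
     "domain": "", "published": "2022-05-04"},
    {"group": "LockBit", "victim": "ACME WIDGETS",
     "domain": "", "published": "2022-05-06"},
]

# Constructed watchlist: your organisation plus third parties that hold access to it.
WATCHLIST = {
    "names": ["Acme Widgets"],
    "domains": ["acme-widgets.example"],
    "vendors": ["Northwind Logistics"],
}


def normalize_name(name: str) -> str:
    """Lower-case, drop punctuation and legal suffixes: 'Acme Widgets, Inc.' -> 'acme widgets'."""
    tokens = [t for t in re.findall(r"[a-z0-9]+", name.lower()) if t not in LEGAL_SUFFIXES]
    return " ".join(tokens)


def match_postings(postings: list, watchlist: dict, since: str = None) -> list:
    """Return one alert per posting that names the organisation or one of its vendors.

    `since` (ISO date) restricts the check to postings published on or after that day,
    so the function can be run incrementally, e.g. hourly, against a growing feed.
    """
    own_names = {normalize_name(n) for n in watchlist["names"]}
    own_domains = {d.lower() for d in watchlist["domains"]}
    vendor_names = {normalize_name(n) for n in watchlist["vendors"]}
    cutoff = date.fromisoformat(since) if since else None

    alerts = []
    for post in postings:
        published = date.fromisoformat(post["published"])
        if cutoff is not None and published < cutoff:
            continue
        victim = normalize_name(post["victim"])
        domain = post.get("domain", "").lower()
        alert = {"victim": post["victim"], "group": post["group"], "published": published}
        # The domain is the strongest signal; fall back to the normalised victim name,
        # which catches re-postings with different capitalisation or legal form.
        if domain and domain in own_domains:
            alert.update(kind="self", reason="domain match")
        elif victim in own_names:
            alert.update(kind="self", reason="name match")
        elif victim in vendor_names:
            alert.update(kind="vendor", reason="vendor name match")
        else:
            continue
        alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in match_postings(DLS_POSTINGS, WATCHLIST):
        print(f"{a['published']} {a['group']:<8} {a['kind']:<6} {a['victim']} ({a['reason']})")
```

The vendor entries matter because, as noted above under Accesses, a supplier with a connection into your network appearing on a leak site is an early warning that your own environment may be reachable through it. The `since` cut-off is what turns the check into continuous monitoring rather than a one-off search.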

Enable real-time data protection with Group-IB

Group-IB’s Digital Risk Protection, combined with our proprietary Threat Intelligence, helps detect illegitimate use of your business data in real time. This includes monitoring a range of open and dark web sources to uncover code repositories and other private information belonging to your organization.

Our team works round the clock to identify threats, enable quick notification and takedowns in the event of a potential data leak, and works closely with law enforcement authorities, providing underlying information on the motives, attack vectors, and malicious infrastructure of the attackers that helps further investigations and takedown operations.

Learn more about how Group-IB Digital Risk Protection and Threat Intelligence can help enable robust data protection for your business.