What is a Dedicated Leak Site (DLS)?

A dedicated leak site is a website, typically hosted on the dark web, that a ransomware group runs to publish data stolen from its victims. Threat actors compromise the confidentiality of that data in order to monetize it and extort money from the affected businesses.

These sites can contain sensitive information such as login credentials, intellectual property, and personal and financial data, which puts an organization at risk of further security breaches, identity theft, financial fraud, reputational damage, and legal consequences.

The first DLS detected: Maze

In December 2019, the operators of Maze ransomware created their own dedicated leak site with the intention of publishing their victims’ data as leverage for financial gain. They used their DLS to extort the victims who refused to pay the ransom.

Since its inception, the number of DLSs has been ever-increasing. Get more information on modern Hi-Tech Cybercrime Trends in this white paper.

Maze was one of the first gangs to use the double-extortion technique: exfiltrating the victim’s data before encrypting it, then threatening to publish the stolen copy on the DLS if the ransom is not paid. Today, ransomware operators usually first publish a small sample to demonstrate the scope of the attack and promise to delete the data once the ransom is paid. There have been cases, however, where links to the stolen files, hosted on servers shared with other criminal groups, remained available even after the demand was met.

Ransomware*: A type of malicious software used by cybercriminals. When a device is infected with ransomware, it can block access to the system and encrypt data. The goal is to hold the victim’s information hostage until the intruder is paid or caught. The ransomware threat is steadily growing and generates billions of dollars in profit for cybercriminals.

The recent surge in Dedicated Leak Sites (DLSs)

A growing number of new DLSs: The decrease in affiliate programs* did not prevent the number of DLSs from increasing. This means that ransomware operators remained active even without Ransomware-as-a-Service (RaaS)*.

Affiliate programs*: Affiliates, recruited by ransomware groups, identify targets and deploy ready-made malicious software in a victim’s network, often earning a percentage of the ransom.

Ransomware-as-a-Service (RaaS)*: In the contemporary world, almost any activity can be turned into a service, and this has happened to ransomware as well. Attackers no longer need to write their own malware; the complete toolkit can be rented from its developers.

(Diagram: dedicated data leak site)

Every day, data belonging to at least eight companies worldwide appears on DLSs, and this accounts for only about 10% of all ransomware victims. The number of DLSs on which threat actors publish stolen data grew by 83%. Between H2 2021 and H1 2022, data belonging to 2,886 victim organizations was published. LockBit, Conti, and Hive were the most active ransomware groups, with these three accounting for more than 50% of all data published.

New platform for selling data: In cases where victims refuse to pay the ransom and do not contact the attacker, the groups may initiate the sale of stolen data through dedicated leak sites. Such cases have already occurred, but have not yet become a trend.

Additional pressure: For the victims, publication of their confidential data on a DLS adds pressure on top of the encryption itself. In most cases, it is the final straw that makes them pay the ransom.

Repository leaks: Public code repositories are among the resources adversaries use when planning an attack on a company. By searching through repositories, intruders may find leaked secrets, such as hard-coded credentials, API keys, or private keys, that later serve as the basis for gaining access to the victim’s infrastructure.
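The defensive counterpart to this reconnaissance is to scan your own repositories for the same secrets before an attacker does. The following is an added example, not Group-IB code or a tool described on this page: a minimal secrets scanner that combines signature patterns for well-known credential formats (AWS access key ID prefixes, PEM private-key headers, "password = '...'"-style assignments) with a Shannon-entropy fallback that flags long random-looking tokens no signature recognised. The repository contents, file paths, the example tokens (including the AWS documentation placeholder key), and the 4.0 bits/character threshold are constructed for the example.

```python
import math
import re
from dataclasses import dataclass
from typing import Dict, List, Pattern

# Signatures for credential formats that commonly end up in source repositories.
# The AWS key-ID prefix and PEM header are documented formats; the assignment
# pattern is a heuristic for lines such as  DB_PASSWORD = 'hunter2abc'.
PATTERNS: Dict[str, Pattern[str]] = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----"),
    "generic_secret_assignment": re.compile(
        r"""(?i)(?:password|passwd|secret|api[_-]?key|token)[a-z0-9_]*\s*[:=]\s*['"]([^'"]{8,})['"]"""
    ),
}

# Candidate tokens for the entropy check: long runs of base64/hex-like characters.
TOKEN_RE = re.compile(r"[A-Za-z0-9+/=_\-]{20,}")
ENTROPY_THRESHOLD = 4.0  # bits per character (assumed cut-off); 32 distinct chars score 5.0


@dataclass
class Finding:
    path: str
    line: int
    kind: str
    value: str


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; higher means more random-looking."""
    if not s:
        return 0.0
    counts: Dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def scan_text(path: str, text: str) -> List[Finding]:
    """Scan one file's contents and return every suspected secret with its line number."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        covered = []  # character spans already attributed to a signature match
        for kind, pat in PATTERNS.items():
            for m in pat.finditer(line):
                covered.append(m.span())
                value = m.group(1) if m.groups() else m.group(0)
                findings.append(Finding(path, lineno, kind, value))
        # Entropy fallback for tokens no signature recognised (e.g. a bearer token
        # on a line with no "password"/"secret" keyword). Identifiers such as
        # AWS_SECRET_ACCESS_KEY repeat characters and score well below the threshold.
        for m in TOKEN_RE.finditer(line):
            start, end = m.span()
            if any(start < c_end and c_start < end for c_start, c_end in covered):
                continue
            if shannon_entropy(m.group(0)) >= ENTROPY_THRESHOLD:
                findings.append(Finding(path, lineno, "high_entropy_string", m.group(0)))
    return findings


def scan_repository(files: Dict[str, str]) -> List[Finding]:
    """Scan a mapping of path -> file contents (a checked-out repo in memory)."""
    out: List[Finding] = []
    for path, text in files.items():
        out.extend(scan_text(path, text))
    return out


# Constructed sample repository. The AWS key ID is the placeholder value used in
# AWS documentation; the other tokens are made up for this example.
SAMPLE_FILES: Dict[str, str] = {
    "config/settings.py": (
        "DEBUG = True\n"
        "DATABASE_PASSWORD = 'Winter2024!'\n"
        "AWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE'\n"
        "AWS_SECRET_ACCESS_KEY = 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY'\n"
    ),
    ".github/workflows/deploy.yml": (
        "name: deploy\n"
        "on: push\n"
        "jobs:\n"
        "  release:\n"
        "    runs-on: ubuntu-latest\n"
        "    steps:\n"
        "      - run: curl -H \"Authorization: Bearer Zq7Lm2Xv9Rk4Tn8Wb1Yc6Ph3Jd5Fg0Hs\" https://api.example.com/deploy\n"
    ),
    "deploy/id_rsa": (
        "-----BEGIN OPENSSH PRIVATE KEY-----\n"
        "AAAAB3NzaC1yc2EAAAADAQABAAABAQDT\n"
        "-----END OPENSSH PRIVATE KEY-----\n"
    ),
    "README.md": "Run `make test` before opening a pull request.\n",
}

if __name__ == "__main__":
    for f in scan_repository(SAMPLE_FILES):
        print(f"{f.path}:{f.line} [{f.kind}] {f.value}")
```

Run against the sample repository, the scanner reports the AWS key ID, both keyword-based assignments, the private-key header, and the bearer token in the workflow file, while the README and the low-entropy identifiers produce nothing. The same logic is what a pre-commit hook or CI job should run, because once a secret has been pushed to a public repository it has to be treated as compromised and rotated, regardless of whether the commit is later removed.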

Personal data: DLSs often contain personal data (confidential information about the person) that attackers can weaponize to launch secondary attacks.

What are the types of data found on a DLS?

Beyond the methods used to obtain information, it is worth noting the types of data that are usually targeted for theft. All the data types listed below can be stolen and posted on a DLS to extort victims.

Credentials: With stolen credentials, attackers gain access to systems, data, and resources they are not authorized to use. They can then penetrate deeper into a company’s infrastructure, causing irreparable damage or exfiltrating business-owned information and funds.

Payment methods: This risk mostly concerns the banking sector. Payment method information is a valuable target because it can be used directly for financial gain. After obtaining bank customers’ card data, attackers may demand a ransom and, if it is not paid, put all the data on their DLS for public access.

Access: Even if all attention is focused on keeping your own data secure, there is always a chance that an attacker will go through third-party vendors connected to the targeted infrastructure to gain access. Once attackers have a foothold in your infrastructure, they can carry out a wide range of malicious activities that cause significant damage to your organization.

What is the compromised data used for?

Not all data accessed by attackers is necessarily used for cyberattacks.

Data breaches fall into two main categories:

Accidental: These are cases where someone gains access to a device containing sensitive data without intending to steal it for ransom. Such incidents can still lead to data breaches and create additional attack vectors, and they indicate a low level of information security. Even if the accessed data is not used in a cyberattack, it still poses a significant security risk.

Malicious: These are cases where even a high level of information security did not deter intruders, who planned their attacks in detail. The data theft was considered from multiple angles, and the attack proceeded in several stages.

Most-used methods: How do attackers gain unauthorized access to the data?

There are several methods that attackers use to gain access to the target, such as:

Phishing: This method exploits human trust. In most cases, attackers impersonate an organization or individual the victim is familiar with, so the victim does not suspect forgery.

Malware: In this case, everything happens at the operating system, hardware, or network layer. The malware penetrates the victim’s infrastructure and executes a malicious process, leading to a data breach and enabling attackers to access critical data.

Physical access: This method is the least common and the most demanding. To carry out such an attack, the intruder needs to reach the location where the hardware is housed and physically access the infrastructure.

Which entities are most affected by a data breach?

A successful attack can have grave consequences for:

Government: Data leaks, in this case, run the risk of disclosing highly confidential information to foreign parties, such as:

  • Military operations details
  • Terms of political negotiations
  • Essential national infrastructure particulars and even access
  • Critical information infrastructure, etc.

Gaining access to such data can put both the regional authorities and their citizens at high risk.

Businesses: For businesses, data leaks have a ripple effect in the form of continuing damage to reputation, business integrity, and finances. Most of the time, companies lose their reputation because attackers manage to obtain their customers’ confidential data, and this affects not only current but also future customers.

Individuals: For individuals, a data leak means that confidential information was obtained without their consent. In such cases, the most commonly stolen data is:

  • Personal identification data
  • Address
  • Billing details
  • Photos, video, or other media featuring the victim

Such leaks can lead to ethical and material damage.

How to prevent data breaches?

There are several tips that can help in preventing data breaches. By following them, damage to personal and corporate data can be avoided.

Update and upgrade: As soon as new patches for your current information security solutions are available, install them immediately. It is equally important to follow new developments in information protection and use only high-quality solutions. For corporate needs, solutions with all the functionality necessary to promptly detect and respond to threats are required.

Educate your employees: Often, corporate data leaks stem from a lack of employee awareness of basic information security rules. That is why employee education is one of the most important investments for any company today.

Enable high-grade email protection: According to Group-IB research, in 80% of cases, the attackers gain initial access to the IT infrastructure via corporate email. That’s why email protection is essential for effective information defense, in-depth analysis of email content, and prompt responses to potential and real threats.

Follow the trends: To ensure proper protection and stay aware of the latest attacks and data leaks, leverage a Cyber Threat Intelligence Platform.

Enable real-time data protection with Group-IB

Group-IB’s Digital Risk Protection, combined with our proprietary Threat Intelligence, helps detect illegitimate use of your business data in real time. This includes monitoring a range of open, dark web sources to uncover code repositories and other private information belonging to your organization.

Our team works round-the-clock to identify threats, provide prompt notification and takedowns in case of a potential data leak, and works closely with law enforcement authorities, providing underlying information on the attackers’ motives, attack vectors, and malicious infrastructure that supports further investigations and takedown operations.

Learn more about how Group-IB Digital Risk Protection and Threat Intelligence can help enable robust data protection for your business.
