
The Clop ransomware gang is copying an ALPHV ransomware gang extortion tactic by creating Internet-accessible websites dedicated to specific victims, making it easier to leak stolen data and further pressuring victims into paying a ransom.
When a ransomware gang attacks a corporate target, they first steal data from the network and then encrypt files. This stolen data is used as leverage in double-extortion attacks, warning victims that the data might be leaked if a ransom isn’t paid.
Ransomware data leak sites are usually located on the Tor network, as this makes it harder for the website to be taken down or for law enforcement to seize the infrastructure.
However, this hosting method comes with its own issues for the ransomware operators, as a specialized Tor browser is required to access the sites, search engines don’t index the leaked data, and the download speeds are typically very slow.
To overcome these obstacles, last year, the ALPHV ransomware operation, also known as BlackCat, introduced a new extortion tactic of creating clearweb websites to leak stolen data, which were promoted as a way for employees to check if their data was leaked.
A clearweb website is hosted directly on the Internet rather than on anonymous networks like Tor, which require special software to access.
This new method makes it easier to access the data and will likely cause it to be indexed by search engines, further expanding the spread of the leaked information.
Clop ransomware gang adopts tactic
Last Tuesday, security researcher Dominic Alvieri told BleepingComputer that the Clop ransomware gang had started to create clearweb websites to leak data stolen during the recent and widespread MOVEit Transfer data theft attacks.
The first site created by the threat actors was for business consulting firm PWC, a website that leaked the company’s stolen data in four spanned ZIP archives.
Soon after Alvieri told BleepingComputer, the threat actors also created websites for Aon, EY (Ernst & Young), Kirkland, and TD Ameritrade.
None of Clop’s sites are as sophisticated as the ones created by ALPHV last year, as they simply list links to download the data rather than having a searchable database like BlackCat’s sites.

Source: BleepingComputer
A waste of time?
These sites aim to scare employees, executives, and business partners who may have been impacted by the stolen data, in the hope that they exert further pressure on a company to pay the ransom.
However, while there may be some benefits to leaking data in this way, these sites also come with their own problems, as putting them on the Internet, rather than Tor, makes them far more easily taken down.
At this time, all of the known Clop clearweb extortion sites have been taken offline.
It’s unclear if these sites are down due to law enforcement seizures, DDoS attacks by cybersecurity firms, or hosting providers and registrars shutting down the sites.
Because of the ease with which they can be shut down, it’s doubtful that this extortion tactic is worth the effort.
