Euro Security Watch with Mathew J. Schwartz

Fraud Management & Cybercrime , Ransomware

Who's Disrupting Ransomware Groups' Stolen Data Leak Sites?

Major Drama in the Online Underworld
Who's Disrupting Ransomware Groups' Stolen Data Leak Sites?
Unavailable: LockBit's Tor-based victim naming and data leaking site

Someone is disrupting ransomware operations' data leak sites by targeting them with distributed denial-of-service attacks.

See Also: 5 Requirements for Modern DLP

No one has yet claimed credit for the ongoing disruptions and slowdowns. The best-known ransomware-as-a-service group to be affected so far is LockBit. Late last month, administrator "LockBitSupp" cried "DDoS attack" after its data leak site went offline.

But LockBit is hardly the only operation to be targeted. In recent weeks, Cisco Talos reports that the leak site of Alphv - aka BlackCat - appears to have been disrupted, as has BianLian, Everest, Hive, Lorenz, LV, Quantum, Ragnar Locker, Snatch and Yanluowang, as well as potentially Vice Society.

Getting disrupted by DDoS attacks is bad for criminals' profits, obviously, but also for their brands. What does it mean if these supposed cybercrime masterminds' infrastructure is so rickety that it can be overwhelmed by junk internet traffic hired from inexpensive stresser/booter services?

Ransomware Bro Saga Continues

It's unclear if these disruptions might be the work of law enforcement or intelligence agencies. One theory is that rival operators are targeting each other.

Given that most operators don't back away from trying to smack down rivals with language worthy of an adolescent soap opera, this seems like a plausible explanation. Since a teenaged Austin Thompson, aka "DerpTrolling," popularized the practice of disrupting online gaming sites during Christmas 2013 "for the lulz," the same demographic has regularly engaged in similar efforts.

Indeed, why shouldn't ransomware rivals hell-bent on trashposting and adolescent boasts tap DDoS as a further means of expression?

Limited Impact

Unfortunately for anyone who's fed up with ransomware, this "concerted effort" to disrupt data leak sites doesn't seem to be shutting down attackers' operations, say Cisco Talos researchers Azim Khodjibaev, Colin Grady and Paul Eubanks.

In a recent cybercrime forum post, LockBitSupp says victims will continue to receive the cryptocurrency wallet address they need to pay a bitcoin ransom. Likewise, the group's affiliates, who access the crypto-locking malware via a portal and use it to infect victims, allegedly still have the ability to grab copies of the ransomware because the administrator panels aren't being disrupted.

This seems to be the case with all groups being targeted. "This activity is only affecting the data leak sites and not the ability to conduct ransomware operations, as it is hindering the ability for these ransomware affiliates and operators to post new victim information publicly," the Cisco Talos researchers say in a blog post.

Affected groups appear to be trying to get ahead of the problem, with varying degrees of success. For example, the researchers say that Quantum has been taking a somewhat "amateur" approach by redirecting traffic back to the system that made the request, but in a manner that still leaves its site unable to serve traffic.

Opportunity Knocks

It should come as no surprise that LockBit's response has been more sophisticated, at least technically speaking (see: Keys to LockBit's Success: Self-Promotion, Technical Acumen).

LockBitSupp said in a recent forum post that the group has been "modernizing" its approach in part by standing up mirrors, as well as generating a unique URL for each victim for conducting negotiations. To regain the ability to publicize victims, he promised to put stolen data into torrent files and then circulate them to whoever is interested.

He's also threatened to make DDoS attacks a part of LockBit's regular operations, which is known as triple extortion. Again, however, this could just be an attempt to try and seize the narrative, given the egg on his operation's face.

So far, the overall volume of data leak site announcements remains markedly lower than in weeks past. In the past two weeks, BianLian, Hive, LockBit, Quantum and Vice Society have collectively announced just a handful of fresh victims, threat intelligence firm Kela reports.

As of Friday, multiple groups' Tor-based leak sites remained inaccessible, including the one run by LockBit. But although they might try to spin this as an opportunity, clearly, for some ransomware groups, the tables have been turned. Cybercriminals: Feel the pain.

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.