Ransomware, Data Disclosure, and Malware-as-a-Service on the dark web 1/2

Following the Covid-19 health crisis, cybersecurity has become the cornerstone of our society. Cybersecurity systems must guarantee the resilience of government and health information systems and ensure that people can continue working remotely.  

2020, a year of increased attacks.

This resilience has been severely tested by successive attacks in different sectors. Cyberattacks have taken advantage of the unprecedented health crisis, growing exponentially in the form of social engineering, phishing, business asset compromise, and a resurgence of malware and ransomware.

Hackers are capitalising on the confusion and fear resulting from the pandemic to maximise their chances of reaching their targets. Phishing attacks have increased by about 665% since the beginning of the pandemic. As a result, even more public and private entities are being destabilised and paralysed. Some examples in France include the medical sector, with the cyberattack on the CHSF hospital in Corbeil-Essonnes in August 2022[1]; the private sector, with an attack on mobile phone operator La Poste Mobile in July 2022[2]; and local authorities with the attack on the Indre-et-Loire department in July 2022[3].

[1] https://www.leparisien.fr/high-tech/cyberattaque-contre-un-hopital-de-lessonne-les-hackers-ont-diffuse-des-donnees-piratees-25-09-2022-NKKMW4XNJFCRNPTAADYT327UVQ.php

[2] https://www.generation-nt.com/poste-mobile-piratage-rancongiciel-actualite-2003070.html

[3] https://www.francebleu.fr/infos/faits-divers-justice/le-departement-d-indre-et-loire-victime-d-une-cyberattaque-1657554147

Press release about Covid-19 on the dark web by the hackers responsible for the Maze malware

What is a Ransomware attack?

Ransomware attacks on companies or institutions begin with a demand for payment in exchange for recovering access to the encrypted data. The original intent is not to make the attack public, since communications between the victim and the attacker can remain entirely private. However, attacks are frequently publicised in certain channels, especially when the victim refuses to pay the ransom.

Ransomware actors then switch to the more traditional method of threatening to release the victim’s data publicly. This is the next step in the extortion attempt. The threat is communicated through a website managed directly by the team of hackers. It is usually in the deep web with a mirror* in the dark web to counter attempts to block the domain name.

Screenshots threatening to release the victim’s data.

Excerpt of a list of encrypted files shared by a team of hackers

What happens if the victim refuses?

If the victim still refuses to pay, the hackers then launch the retaliation phase: partial publication of the data. We have not identified a consistent practice regarding which data is disclosed first; the data published may be more or less strategic and sensitive, depending on the situation.

Publication of the first batch of data belonging to an Egregor group victim

If this partial publication does not prompt the victim to pay, further files are released until the data has been leaked in full. In this respect, the process closely mimics conventional data blackmail. The main difference in this kind of ransomware attack is the encryption of the target's data, which in itself already presents a major difficulty for the victim.

Standard data blackmail, without using ransomware

Data is most often released in the form of archives of varying sizes, depending on the amount of data hackers have collected. Certain data leaks may measure several hundred gigabytes in total. Hackers sometimes offer downloads of each separate file in an unsorted list. Some may also offer access to the victim’s data by replicating their directory tree.

Unsorted data leak

Copy of the victim’s directory tree

What is the profile of the victims? How do hackers work? What are the recommendations?

The answers will be in the next article: “Ransomware, data disclosure and malware as a service in the Dark Web, Part 2/2.”