National CSIRT-CY | National Computer Security Incident Response Team of Cyprus

Η Εθνική Ομάδα Αντιμετώπισης Ηλεκτρονικών Επιθέσεων προβλέπει την αύξηση της ηλεκτρονικής ασφαλείας ενισχύοντας την προστασία του κυβερνοχώρου των Εθνικών Κρίσιμων Πληροφοριακών Υποδομών, των τραπεζών και των παροχών επικοινωνίας της Κυπριακής Δημοκρατίας.

Ransomware gangs have leaked stolen data of 2000 companies so far

10 Μαΐου 2021

Since 2019, ransomware gangs have leaked the stolen data for 2,103 companies on dark web data leaks sites. When modern ransomware operations began in 2013, the attacker’s goal was to encrypt as many companies as possible and then demand a ransom payment for a decryptor.

Since the beginning of 2020, ransomware operations began conducting a new tactic called double-extortion. Double-extortion is when ransomware operations steal unencrypted files before encrypting a network. The attackers then threaten to publicly release the stolen files on dark web data leak sites if a ransom is not paid.

Between the threat of not recovering their encrypted files and the additional concerns of data breaches, government fines, and lawsuits, threat actors are banking on the idea that this would force victims to more readily pay a ransom.

34 ransomware gangs leak data on the dark web

A dark web security researcher known as DarkTracer has been keeping track of the data leak sites for thirty-four ransomware gangs that they have now leaked the data for 2,103 organizations.

The 34 ransomware gangs followed by DarkTracer are Team Snatch, MAZE, Conti, NetWalker, DoppelPaymer, NEMTY, Nefilim, Sekhmet, Pysa, AKO, Sodinokibi (REvil), Ragnar_Locker, Suncrypt, DarkSide, CL0P, Avaddon, LockBit, Mount Locker, Egregor, Ranzy Locker, Pay2Key, Cuba, RansomEXX, Everest, Ragnarok, BABUK LOCKER, Astro Team, LV, File Leaks, Marketo, N3tw0rm, Lorenz, Noname, and XING LOCKER.

Of these thirty-four operations, the top five active operations are Conti (338 leaks), Sodinokibi/REvil (222 leaks), DoppelPaymer (200 leaks), Avaddon (123 leaks), and Pysa (103 leaks).

Three groups that are no longer active and have more leaks than some of those in the top five are Maze (266 leaks) and Egregor (206 leaks).

The data for all the ransomware gang’s data leak sites are represented in the chart below created by DarkTracer from May 4th, 2021.


Some of the listed ransomware gangs are no longer in operation, such as NetWalker, Sekhmet, Egregor, Maze, Team Snatch, or rebranded to a new name, such as NEMTY and AKO.

The data-extortion industry has become a significant money-maker for ransomware gangs that victims worry more about their data being leaked than the loss of encrypted files.

Other threat actors are seeing this trend and have begun launching new data leak marketplaces over the past couple of months that exist solely to sell stolen data.

While it may seem better to pay a ransom to prevent a data leak, there is no guarantee that the data won’t be released or sold to other threat actors.

Therefore, if your data is stolen, you are better off treating it as a data breach and being transparent about it to those who are affected.

The information contained in this website is for general information purposes only. The information is gathered from BLEEPING COMPUTER, while we endeavour to keep the information up to date and correct, we make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability with respect to the website or the information, products, services, or related graphics contained on the website for any purpose. Any reliance you place on such information is therefore strictly at your own risk. Through this website, you are able to link to other websites which are not under the control of CSIRT-CY. We have no control over the nature, content and availability of those sites. The inclusion of any links does not necessarily imply a recommendation or endorse the views expressed within them. Every effort is made to keep the website up and running smoothly. However, CSIRT-CY takes no responsibility for, and will not be liable for, the website being temporarily unavailable due to technical issues beyond our control.


ENISA: Cyber threats require heightened defences

#CyberSecMonth 2017 - Cyber Security in the Home