Two ransomware gangs and a data extortion group have adopted a new strategy to force victim companies to pay threat actors to not leak stolen data.
The new tactic consists in adding a search function on the leak site to make it easier to find victims or even specific details.
At least two ransomware operations and a data extortion gang have adopted the strategy recently and more threat actors are likely to do the same.
Easy finding victim data
Last week, the ALPHV/BlackCat ransomware operation announced that they created a searchable database with leaks from non-paying victims.
The hackers made it clear that the repositories have been indexed and the search works when looking for information by filename or by content available in documents and images.
The results are pulled from the “Collections” part of BlackCat’s leak site and may not have the best accuracy but it is still an evolution of the cybercriminal’s extortion strategy.
BlackCat ransomware operators claim that they do this to make it easier for other cybercriminals to find passwords or confidential information about companies.
The gang already tried this strategy in mid-June, when they created a searchable site with data allegedly stolen in an attack at a hotel and spa in Oregon.
The site allowed guests at the spa locations and employees to check if their personal information had been stolen during the ransomware attack.
This is a step forward in the extortion business as it puts pressure on the victim to pay the ransom and have the data removed from the web and avoid the potential risk of class action lawsuits.
Towards the end of last week, BleepingComputer noticed that LockBit offered a redesigned version of their data leak site that allowed searching for listed victim companies.
LockBit’s search is not as advanced as the variant touted by BlackCat, and it is limited to only finding victims by name.
However, even in this basic form, the gang’s implementation of the search function still makes it easier to locate on their leak site data from specific companies.
Another leak site that has implemented a search function is the one published by the Karakurt data extortion gang. BleepingComputer’s attempts to use the option showed that it did not work properly, though.
Data extortionists are just starting to explore the search feature. It is unclear if making stolen data searchable is a successful tactic but with multiple extortionist gangs adopting it, the option seems to be an attractive one.