An Analysis of Leak Sites and a Trip to the Dark Site


Gone are those days when ransomware attackers were content to encrypt files on-site, and then discreetly charge their victims for decryption keys. What we commonly find now is encryption with the additional threat of leaking stolen data, generally called Double-Extortion (or, as we like to call it: Cyber Extortion or Cy-X). This is a unique form of cybercrime in that we can observe and analyze some of the criminal action via ‘victim shaming’ leak sites.

Since January 2020, we have applied ourselves to identifying as many of these sites as possible to record and document the victims who feature on them. Adding our own research, analyzing, and enriching data scraped from the various Cy-X operators and market sites, we can provide direct insights into the victimology from this specific perspective.

We must be clear that what we are analyzing is a limited perspective on the crime. However, it is extremely informative to see the information gleaned through an analysis of leak-threats.

We’ll call the listing of a Cy-X compromised organization on a Cy-X leak site a ‘leak threat’. The numbers you’ll see in most of the charts below refer to counts of such individual threats on the onion sites of the Cy-X groups we’ve been able to identify and track over the last two years.

A boom in leak threats

Despite all the environmental variables, we can use the number of leaks to determine the crime’s scale and general trends. We observed an almost six-fold increase in leak-threats from the first quarter of 2020 to the third quarter of 2021.

[Chart: Data Leak Sites. Source: Orange Cyberdefense Security Navigator 2022]

Striking where the money is: Leak threats by country

Let’s take a look at the countries the victims operate in.

[Chart: Data Leak Sites. Source: Orange Cyberdefense Security Navigator 2022]

In the chart above we show the 2020 and 2021 leak threat counts per country, for the top 10 countries featured in our data set. We also show the estimated Gross Domestic Product (GDP) for the 12 wealthiest countries[1].

The top victim countries have remained fairly constant throughout our data set. As a general rule of thumb, the ranking of a country in our data set tracks the relative GDP of that country. A country’s economy will have more victims if it has a larger population. Indeed, eight of the top ten Cy-X victim countries are among the top 10 economies in the world.

The conclusion we draw from this is that the relative number of victims in a country is simply a function of the number of online businesses in that country. However, this does not mean that Cy-X actors don’t sometimes deliberately target specific regions or countries. Nor does it mean that a business in a high-GDP country is more likely to be attacked than a business in a low-GDP country (since, with more businesses exposed within that country, the probabilities even out).

In our opinion, this data shows that almost all businesses are being compromised or extorted. Logically speaking, we’ll see more victims if a country has more businesses.

Exceptions to the rule

Having said that, we’ve taken the liberty of including India, Japan, China and Russia in the chart above, as counterexamples of large-GDP countries that rank low on our Cy-X victims list.

India, with a projected 2021 GDP of $2.72 trillion, and China with $13.4 trillion, appear underrepresented, which might be due to several reasons. India, for example, has a huge population and correspondingly large GDP, but the GDP per capita is lower, and the economy generally appears less modernized and digital, meaning fewer online businesses to target. It could be that criminals doubt that Indian businesses could or would pay their dollar-based ransoms. Language might play an important role as well. Businesses that don’t operate in English are more difficult for criminals to find, understand, navigate and negotiate with. Users who cannot be reached with the commoditized social-engineering tools the criminals rely on are also harder to compromise.

Japan, as another obvious exception to our rule, has a highly modernized economy, but will present criminals with the same language and culture barriers as China and India, thus possibly accounting for the low prevalence in our victim data.

The conclusion is that Cy-X is slowly moving away from English-speaking economies to non-English ones. This is probably the logical result of the growing demand for victims fueled by new actors, but it might also be the consequence of increased political signaling from the USA, which may be making actors more cautious about who they and their affiliates exploit.

Regardless of their reasons, it is clear that victims can be found in nearly every country. Countries that have been relatively unscathed cannot expect this to continue.

One size fits all: No evidence of ‘big game hunting’

In the chart below we show the number of victims by business size in our data set, mapped to the top 5 actors. We define organization sizes as small (1,000 or fewer employees), medium (1,000-10,000) and large (10,000+).

[Chart: Data Leak Sites. Source: Orange Cyberdefense Security Navigator 2022]

As shown, businesses with fewer than 1,000 employees are compromised and threatened most often, with almost 75% of all leaks originating from them. This pattern has been consistent in the leak-threat data for the past two years, and it holds when the data is broken down by country and industry.

The most likely explanation is that the volume of crime has increased and that more small businesses are operating worldwide. It is also possible that small businesses have fewer technical and skilled resources to protect themselves from attack or to recover after an attack.

This suggests again that any and every business can expect to be targeted, and that the primary deciding factor of becoming a leak site victim is the ability of the business to withstand attack and recover from compromise.

It’s worth also noting that, since the crime we’re investigating here is extortion, and not theft, it is the value of the impacted digital asset to the victim that concerns us, not the value of the data to the criminal.

Any business with digital assets can be considered a potential victim. It is unlikely that being a small business, or holding data perceived as ‘irrelevant’, will provide significant protection.

This is just an excerpt of the analysis. More details like the threat actors identified or the industries targeted most (as well as a ton of other interesting research topics) can be found in the Security Navigator. You can download it from the Orange Cyberdefense website. It’s worth it!

Note — This article was written and contributed by Carl Morris, lead security researcher, and Charl van der Walt, head of security research, of Orange Cyberdefense.
