Ransomware attacks are a major threat today, constantly evolving to keep victims under pressure.
Types of Ransomware Extortion
Data Encryption: The most common form of ransomware attack involves encrypting the victim's data. This means the data and services are inaccessible until a ransom is paid.
Data Extortion: Made popular by the MAZE Team, this method involves stealing (exfiltrating) data from the victim. The attackers then threaten to release this data publicly if the ransom isn't paid. This led to the creation of Data Leak Sites (DLSs) where stolen data is published.
Multi-Extortion: This advanced method combines several forms of pressure. Attackers may contact the victim's suppliers, partners, regulatory bodies, or VIPs. They might also launch Distributed Denial of Service (DDoS) attacks, making it even harder for the victim to recover.
Double Extortion: This is a combination of data encryption and data extortion. Attackers not only lock the victim's data but also steal it, threatening to release it if the ransom isn't paid. The MAZE Team popularized this method in 2019.
Data Leak Sites (DLSs)
DLSs, also known as "shaming sites," are used by ransomware groups to advertise their breaches. These sites list the stolen data and threaten to release it publicly. Organizations fear these sites because they can lead to significant business and reputational damage.
1. The Ransom Watch site provides a group index, recent DLS posts, group profiles, and statistics/graph pages:
2. The Ransom Look site provides a group index, forum and market links, a listing of data leaks, Telegram messages, and statistics/graph pages. The team also maintains a GitHub repo that you can review:
3. The Ransom.Wiki site focuses more on allowing users to search for recent victims and/or ransomware groups by name:
4. Dark Feed provides several resources for identifying ransomware DLS and blog information:
5. Fastfire’s deepdarkCTI GitHub repo provides and maintains a list of ransomware group sites called “ransomware_gang.md”:
6. The “Ransomware Group Sites” Wiki is a .onion site and must be accessed via Tor. This site provides links to various data leak and victim portal sites:
Conclusion
Always stay updated with the latest developments in ransomware tactics to safeguard your data and services.
Akash Patel