Behind the scenes of criminal black markets and the proliferation of data extortion
The rapid evolution of cyberattack methods in recent years has shifted the focus to “big-game hunting”, targeting high-value victims with profitable ransom potential who - for fear of reputational, liability, and operational harm - are deemed more likely to pay.
The proliferation of ransomware-as-a-service (RaaS) marked a change in old attack vectors designed to cast wide nets. Drive-by download attacks orchestrated to spread malware and other pure network disruption tactics are replaced by big game hunting, with countless notable incidents hitting the press each day. Infosecurity Magazine recently reported on the pressure faced by global security operations, after findings demonstrated they’re inundated with an average of 51 incidents per day.
STORM Guidance response teams echo these concerns. Yet, while attending to a number of diverse cyber incidents in the last year or two, we’ve noted an overwhelming rise in the extortion of data as the primary leverage against victims.
Data extortion attacks are carried out using various malware or phishing methods, extracting sensitive information that is then sold to cyber criminals’ black-market websites. Illegal trading sites such as Industrial Spy Market, now have an expanse of data that is bought and sold at a profit, exploiting stolen personal information for tremendous financial gain. Access to breached databases is supporting a wealth of criminality, with lucrative information such as account credentials, credit card details, passports, medical records, NI numbers, driver’s licences, and more.
Using a ransomware-style extortion process, breached data is made available to buyers in an auction-style bidding war, and victims are given the details of where they can subscribe, and with any luck, outbid other players. However, the threat of data extortion is not limited to businesses and individual victims. Dark web marketplaces are now a breeding ground for government intelligence, detailed voter databases, and critical infrastructure networks, igniting geopolitical concerns in what is now one of the greatest threats to the global economy.
Industrial spy marketplace
STORM investigators began seeing a gradual change in the pattern of criminal activity some time ago, and in predicting the shift to data ransom and extortion, initiated research into the dark web breached data trading sites.
The phenomenal speed at which the black market accelerated gives testament to the fact that data extortion should now be considered the number one cyber threat to all businesses. To corroborate this claim, we will demonstrate evidence taken from underground networks during our research, exposing screenshots of boundless data, the gravity of its sensitivity, and the enormity of its worth.
Exploring the criminal activity in these underground networks, we paid particular focus to the Industrial Spy marketplace which advertised that it sold data such as “public schemes, drawings, technologies, political and military secrets, accounting reports and client’s databases” to buy or download for free. The site claims to provide data “gathered from the largest worldwide companies, conglomerates and concerns with every activity”. The market's homepage can be seen in the image below, reflecting sales tactics and the availability of social media networking.
Categorised into three sections, the Industrial Spy marketplace offers ‘PREMIUM’, ‘GENERAL’, and ‘FREE’, listing options, each with its own rules.
Victims of data extortion are told that their information is available within the ‘Premium’ marketplace, where they will have 7 days to buy their data if they are not outbid. If it is bought within the 7-day period, once it is downloaded by the buyer, Industrial Spy claims that it will be completely deleted from their servers. However, if the time is lapsed, the listing will move into the ‘General’ marketplace, where it will be available at a much-reduced premium, to “multiple clients”, and it will never be deleted from their servers. In time, this data will then move into the ‘Free’ marketplace where it will be accessible to all.
Trade secrets, manufacturing diagrams, and political and military secrets are amongst the stock: some data is sold in the millions. With listings such as “$150,000 blackmail method ++ new ++ 2022 clone”, this is the place to go for criminals looking to breach systems themselves, and it seems, where little technical skill is needed.
An example attack method listing that demonstrated the easy gains offered by a career in cybercrime claimed, “the method is straight up, to the point, not much experience is needed, just a basic sense of emails and usage of the software such as ghostmailer (spoofs emails) and massive mailer (mass email sender)”. The images below illustrate the extent of the information available for sale, the gravity of some of this information, and an idea of listing prices. Some information has been concealed for victim anonymity.
While investigating, we found huge volumes of “Fullz” data available to the next bidder.
Fullz is the name used by cybercriminals for ‘full’ data packages containing information such as a person’s name, address, NI number, driver’s license, bank account credentials, and medical records, among other details: In other words, their “full information”. Fraudsters use this information to impersonate the victim, using their financial reputation for identity theft and fraud.
The data is normally obtained through corporate and institutional data breaches, with the insurance, commercial, and financial sectors the most common targets due to the sensitivity of the data they hold. The impact of these breaches affects not only the financial reputations and bank balances of the victims, but also the resultant reputational harm, lost revenue, and legal damages caused to the breached organisation.
Will paying ransoms protect stolen data from re-entering dark web markets?
When it comes to the payment of data extortion ransoms, we suspect threat actors are not always honouring their assurances of deleting the data after it is returned to its victim.
The ease of data re-packaging makes it extremely unlikely that listed data can be traced back to its original breach. With the opportunity of substantial further gains, surely it would be naïve to believe that criminals wouldn’t seek to continue to profit from the results of their activities. Evidence to substantiate such a theory would destroy the reputation of the whole data extortion market, but with such anonymity, why wouldn’t they trade the data, or a subset of it, in situations where it can't be originated?
We do, however, have widely publicized reports of threat actors targeting former victims who paid their ransoms. An article by ZDNet unravelled the bitter truths behind the scenes of a ransomware attack, with reports demonstrating that only 54% of victims regained access to data and systems after paying ransom demands, and another third were stung with additional payment demands before they received the decryption key.
Unknowingly, subjects of a breach will go about their business as usual, oblivious to the fact an attacker has compromised their systems. Threat actors will lurk inside a network for weeks or months before their attack, gaining all the necessary controls and permissions should they wish to return and initiate future attacks. And with no real assurance that payment will give relief, the threat to business reputation and survival is vast, as demonstrated in a further article by ZDNet, where the target gave in to extortion demands, but the BlackMatter group still leaked the data a few weeks later.
In the Coveware Q3 2020 ransomware report, some ransomware groups were found to leak stolen data after ransoms were paid. In these instances, victims were given fake data as proof of deletion, and others were offered no false pretences when they were re-extorted using the very data they’d paid not to be released. Example cases include:
Sodinokibi: Victims paid and were re-extorted weeks later with the same data set
Netwalker: Victims paid but the data was posted anyway
Mespinoza: Victims paid but the data was still leaked
Conti: Victims were shown fake files as proof of deletion
The biggest risk is not external threat, but complacency from within
In recent news, the UK Information Commissioner’s Office (ICO) issued a £4.4m fine to Interserve Group Ltd, a Berkshire-based construction company, after they failed to keep their staff’s personal information secure.
The stark warning highlights the importance of data protection and demonstrates the implications of failing to apply appropriate cybersecurity measures. In this example, the personal data of up to 113,000 current and former employees was encrypted and rendered unavailable through a phishing email, exposing personal information such as contact details, national insurance numbers, and bank account details. Neglecting their responsibility to apply critical security controls left staff vulnerable to the possibility of identity theft and financial fraud, a complacency that didn’t go unnoticed in this massive infringement of data protection law. Investigations found that Interserve failed to inspect when alerted to suspicious activity, used outdated software systems and protocols, lacked in adequate staff training, and fell short of sufficiently assessing risk.
UK Information Commissioner, John Edwards, said:
“Cyber attacks are a global concern, and businesses around the world need to take steps to guard against complacency. The ICO and NCSC already work together to offer advice and support to businesses, and this week I will be meeting with regulators from around the world, to work towards consistent international cyber guidance so that people’s data is protected wherever a company is based.”
What can organisations do to address data extortion risk?
There’s no doubt that the data stolen from Interserve will be found circulating on the dark web, and it’s important for businesses and organisations to understand that they are not immune to incidents involving a data breach.
Basic measures can be taken to improve defences, such as applying Multi-Factor Authorisation (MFA), setting up network segmentation, disabling macros so that they’re not exploited in phishing emails, and ensuring backups are stored offline. And in our continuous efforts to remain one step ahead of cybercriminals, STORM has been working towards solutions to the shift in threat actor behaviour. Our research into the dark web and these illegal trading sites gave us a true insight into the extent of the issue, and this knowledge led to the development of a new dataset analysis tool, providing an additional layer to operational security protocol. There was a clear urgency for a solution to the imminent reality of a data extortion epidemic, and with little out there to support the economy in addressing this threat, innovation was crucial.
The creation of ‘CyberDiscover’ transforms the cybersecurity market, bringing a cutting-edge development in organisational security controls. Integrating the service as part of a baseline data security toolset, allows businesses to be proactive in their approach to data privacy and protection, safeguarding sensitive information, and limiting the possibility of litigation. Minimising the need for human intervention, CyberDiscover allows you to find sensitive information contained within large datasets, e.g., filesystems, mailboxes, and other repositories, using an integrated process of data analysis and AI. With the addition of a dedicated PII team, automated results are supported with in-depth manual analysis, using specialist skills to dig deeper where needed. Sensitive data is rapidly identified before it falls into the wrong hands, and with findings catalogued into filterable results, the tool assists in painlessly improving the process of data management and protection. Due to regulatory requirements, businesses must report cyber incidents to the ICO and affected data subjects within 72 hours, and assisting in this process, CyberDiscover can be utilized to act fast in notifying victims. In the unfortunate event of a breach, it rapidly extracts PII from stolen datasets and incorporates a fully integrated notification tool that enables customized emails to send in bulk. Given the current cyber threat landscape, this new solution may well become indispensable.
And, as Industrial Spy quite rightly quoted: "He who owns the information, owns the world". Nathan Mayer Rothschild was indeed ahead of his time.