Ransomware Evolution | How Cheated Affiliates Are Recycling Victim Data for Profit
Threat actors consistently alter and develop their schemes in order to escalate their payoffs. In a new trend, ransomware affiliates are actively re-monetizing stolen data outside of their original RaaS agreements, especially as financial squabbles between threat actors emerge in the ransomware economy. In such cases, affiliates are starting to work with third parties or external data leak services in order to re-extort victims who have already paid a ransom to the original attackers.

This post examines how affiliates are embracing this third-party extortion method, illustrated most recently by the ostensibly back-to-back cyberattacks on Change Healthcare and by the emergence of services like RansomHub and Dispossessor.

In February 2024, a subsidiary of healthcare giant UnitedHealth Group (UHG) was forced to take down its IT systems and various services. The root of the disruption was a cyberattack by a BlackCat (aka ALPHV) affiliate on Change Healthcare, a healthcare technology platform used by the subsidiary.

Post-attack, the ALPHV ransomware operators reportedly took down their data leak blog servers and negotiation sites, and failed to pay the affiliate their agreed share of the ransom.

Purportedly, Change Healthcare paid out the $22 million ransom demand, only to be targeted a second time just weeks after recovering from the initial attack. This time the attack was claimed by a threat actor working in conjunction with RansomHub, a new extortion group claiming to hold 4 terabytes of the victim's sensitive data, including personally identifiable information (PII) of active US military personnel, patient records and payment information.

It is believed that after ALPHV reneged on the payment, the affiliate partnered with RansomHub and reused the data stolen in the initial attack in order to secure a payoff. At the time of writing, Change Healthcare has been removed from RansomHub's DLS (as of April 20, 2024), presumably due to payment and cooperation with the threat actors.

RansomHub emerged in early February 2024 with a simple data leak site (DLS). Its focus mirrors other historically well-known operations such as REvil, ALPHV and Play with regard to their core values and overall mission statements.

RansomHub operates as a ransomware-as-a-service (RaaS), partnering with affiliates that work with a variety of ransomware families, including ALPHV and LockBit. Notably, RansomHub works with other threat actors and groups to republish and rebroadcast the availability of victim data. There are multiple revolving Telegram groups dedicated to amplifying the reach of RansomHub's leaks; one example is the R3dd1sh34E4gl3D4t4l34ks channel (aka Reddish Eagle Dataleaks).

This development means that the data leak sites (DLSs) usually associated with a particular threat actor are no longer the only avenue of exposure for ransomware victims. Downstream amplification of these leaks is now common and generally open to anyone in non-private Telegram or Discord groups.

Interestingly, according to RansomHub's own rules, it does not allow:

However, given the current situation faced by Change Healthcare, the second rule in that list appears to be a gray area, especially if re-extorting ransomware victims constitutes an attack.

Our research indicates that multiple affiliates are now partnering with RansomHub in an effort to regain profitability following the apparent collapse of ALPHV.

Dispossessor emerged in February 2024, advertising the availability of previously leaked data for download and potential sale. These announcements were placed across multiple forums and markets, including BreachForums and XSS.

The X account ransomfeednews recently posted about this new group, presenting findings indicating that Dispossessor is "not ransomware but a group of scoundrels trying to monetize on nothing using the claims of other groups". The group is also active on Telegram, posting similar announcements across well-trafficked Telegram channels.

Dispossessor initially announced the renewed availability of data from some 330 LockBit victims. This was claimed to be reposted data from previously listed LockBit victims, now hosted on Dispossessor's own infrastructure and thus not subject to LockBit's availability restrictions.

Dispossessor appears to be reposting data previously associated with other operations, with examples ranging from Cl0p to Hunters International and 8Base. We are aware of at least a dozen victims listed on Dispossessor that have also been previously listed by other groups.

In addition, there are apparent links to other aggregate-style operators like Snatch.

In many cases the Dispossessor page links to the DispossessorCloud repository. One victim was originally listed on Cl0p's data leak site in early 2023; Dispossessor's data is identical to that hosted via the original Cl0p magnet links for this and other victims. Because a magnet link identifies its payload by infohash, identical links point at the same data being re-served rather than at a fresh breach.

A third emerging service with the potential to expand the monetization of previously leaked victim data is the Rabbit Hole DLS, first observed on March 13, 2024. In an English translation of the site's About page, Rabbit Hole is described as a leaks blog "for small and medium-sized teams that do not have their own website". The site is currently promoted in forums and dark markets.

Original posting (RU):
блог для малых и средних команд, у которых нет своего сайта

кроличья нора не является рансом-группой, это общий блог для малых и средних команд. данный блог создан в целях оказания давления на корпорации за счет большого количества публикаций разных команд. кроличья нора предлагает вам пристанище, где вы можете опубликовать любую утечку. гос. учреждения и больницы являются исключением

Original posting (EN):
blog for small and medium-sized teams that do not have their own website

rabbit hole is not a ransom group, it is a general blog for small to medium-sized teams. this blog was created in order to put pressure on corporations due to the large number of publications from different teams. the rabbit hole offers you a haven where you can publish any leak. government institutions and hospitals are an exception
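The Dispossessor observations above (dumps identical to those behind the original Cl0p magnet links, victims that had already been listed by other groups) and Rabbit Hole's open-to-all posting model both reduce to one question for an analyst tracking leak sites: is a "new" listing a fresh breach, or a re-post of data that is already out? The following Python is an added example, not code from SentinelLabs or from any of the sites discussed. It treats a matching BitTorrent infohash in the magnet link as proof of the same payload and a normalized victim-name match as a weaker, secondary signal. The postings, victim names, dates and hashes in it are constructed for illustration and do not describe real listings.

```python
"""Flag leak-site postings that recycle data already leaked elsewhere.

Added example (not from the original post). Two signals are used:
  1. the BitTorrent infohash in the posting's magnet link matches an
     earlier posting (same torrent payload re-hosted), and
  2. the victim name, after normalization, matches an earlier posting
     from a different site.
All sample postings below are constructed; names and hashes are made up.
"""
import base64
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import parse_qs, urlparse

# Tokens dropped when turning a displayed victim name into a comparison key.
CORP_SUFFIXES = {"inc", "llc", "ltd", "corp", "co", "plc", "the", "group"}


@dataclass(frozen=True)
class Posting:
    site: str                      # leak site or group that published the entry
    victim: str                    # victim name as displayed on the site
    posted: str                    # publication date, ISO 8601
    magnet: Optional[str] = None   # magnet link to the dump, if one was given


def infohash_from_magnet(magnet: str) -> Optional[str]:
    """Return the infohash of a magnet link as 40 lowercase hex characters.

    The hash lives in the xt=urn:btih:<hash> parameter and is written either
    as 40 hex characters or as 32 base32 characters; both are normalized to
    hex so two links to the same torrent compare equal. Returns None for
    anything that is not a btih magnet link.
    """
    parsed = urlparse(magnet)
    if parsed.scheme != "magnet":
        return None
    for xt in parse_qs(parsed.query).get("xt", []):
        match = re.fullmatch(r"urn:btih:([0-9A-Fa-f]{40}|[A-Za-z2-7]{32})", xt)
        if match:
            digest = match.group(1)
            if len(digest) == 32:                       # base32 spelling
                digest = base64.b32decode(digest.upper()).hex()
            return digest.lower()
    return None


def normalize_victim(name: str) -> str:
    """Reduce a displayed victim name to a comparison key: lower case,
    punctuation removed, corporate suffixes dropped, so that
    'ACME Logistics, Inc.' and 'Acme Logistics' compare equal."""
    tokens = re.sub(r"[^a-z0-9]+", " ", name.lower()).split()
    return " ".join(t for t in tokens if t not in CORP_SUFFIXES)


def find_recycled(postings):
    """Flag postings that recycle an earlier posting from a different site.

    Postings are walked in date order, so the first appearance of a payload
    or victim is treated as the original. Returns a list of
    (later_posting, original_posting, reason) tuples.
    """
    first_by_hash = {}
    first_by_victim = {}
    hits = []
    for post in sorted(postings, key=lambda p: p.posted):
        digest = infohash_from_magnet(post.magnet) if post.magnet else None
        key = normalize_victim(post.victim)
        original = first_by_hash.get(digest) if digest else None
        if original is not None and original.site != post.site:
            hits.append((post, original, "same infohash"))
        else:
            original = first_by_victim.get(key)
            if original is not None and original.site != post.site:
                hits.append((post, original, "same victim"))
        if digest:
            first_by_hash.setdefault(digest, post)
        first_by_victim.setdefault(key, post)
    return hits


# Constructed sample postings (hypothetical sites' listings, made-up hashes).
SAMPLE_POSTINGS = [
    Posting("Cl0p", "Northwind Traders", "2023-03-14",
            "magnet:?xt=urn:btih:" + "a5" * 20 + "&dn=northwind"),
    Posting("LockBit", "ACME Logistics, Inc.", "2023-09-02", None),
    # Same torrent as the Cl0p entry, hash written in base32 instead of hex.
    Posting("Dispossessor", "Northwind", "2024-02-20",
            "magnet:?xt=urn:btih:UWS2LJNFUWS2LJNFUWS2LJNFUWS2LJNF&dn=northwind"),
    # No magnet link, but the victim already appeared on LockBit's site.
    Posting("Dispossessor", "Acme Logistics", "2024-02-21", None),
    # Genuinely new victim: no earlier payload or name to match.
    Posting("RansomHub", "Contoso Health", "2024-04-08",
            "magnet:?xt=urn:btih:" + "3c" * 20 + "&dn=contoso"),
]

if __name__ == "__main__":
    for later, original, reason in find_recycled(SAMPLE_POSTINGS):
        print(f"{later.site} listing '{later.victim}' ({later.posted}) recycles "
              f"{original.site} listing '{original.victim}' ({original.posted}): {reason}")
```

Run directly, it reports the two recycled listings in the sample set. The infohash comparison is the stronger check: hex and base32 spellings of the same hash are normalized before comparison, so a group re-hosting the exact torrent cannot hide that by rewriting the link. A re-packed archive of the same files gets a new infohash and is only caught by the name match, which is why that weaker signal is kept as a fallback rather than dropped.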
Once a threat actor creates a Rabbit Hole account, victim leaks can be added, updated and managed through its web portal. Each account manages its leaks through what is referred to as a "cabinet" within the Rabbit Hole blog interface.

When posting leak data, the user supplies information about who they are and who the victim is: the company name, URL, company description, publish date/deadline, any associated images, and additional text to be included with the public leak description upon publication. The download URL for the associated leaked data is also supplied via this interface.

Once all details have been provided, they are submitted to the higher-level owners and managers of the Rabbit Hole blog. Moderators are then responsible for the ultimate public posting of the leak. The Rabbit Hole platform, ideal for emerging cybercriminals with little to no infrastructure or resources, could easily accommodate multiple small-time actors looking to monetize the same data leaks. We continue to monitor how this site develops.

As larger, established threat groups fold or rebrand, we can expect to see many affiliates cut out of pending payments. Since threat actors hold onto exfiltrated data, the likelihood of that data being used to re-extort victims is high and will continue to grow. While it may seem like common sense not to trust threat actors to hold up their end of a deal, the infosec community may continue to witness the fallout when infighting and disagreements happen between cybercriminals, and between threat service providers and their affiliates.

The trust model upon which these RaaS agreements are built does not scale well, as most recently highlighted by security researchers monitoring the relationships between threat actors and affiliates in the ecosystem.

Additionally, we saw a continuation of long-tailed data exfiltration defaults by threat actors in Q1, i.e., posting of information on a leak site after payment, or "hostage trading" with other groups or individuals. This adds further evidence to the file on the lack of benefit in paying to suppress a data leak, and on the lack of any confidence that a criminal actor will keep their word.

As the ransomware and extortion landscape evolves, criminals will do what they need to do to protect their investments and paydays. Since the affiliates carrying out a ransomware attack hold the actual data, they have the option to go elsewhere to monetize it and collect payment. Organizations continue to be discouraged by global law enforcement agencies from paying ransoms when dealing with a cyberattack, and are encouraged to file a report with the IC3, contributing to greater cyber resilience against potential attacks.

Indicators of Compromise

z5jixbfejdu5wtxd2baliu6hwzgcitlspnttr7c2eopl5ccfcjrhkqid.onion
ransomxifxwc5eteopdobynonjctkxxvap77yqifu2emfbecgbqdw6qd.onion
h6tejafqdkdltppzj7q34enltmfnpxaf7cseslv6djgiukiii573xtid.onion

dispossessor.com
dispossessorcloud.com
205.209.102.218

Tox: CE742906B254399832E4ED6EC1DDA50D7942F9A4F3F0FE46C19E1737FF29EF67DDAF3AB87B44
Tox: 36712626ED19B307ECB3E971AFDFAA449607100383DBE4C064CCD5909355D908AECCF6180CDA

Actor: DISPOSSESSOR
Actor: plzdbmagain1037
Actor: ViDoK