URL:
https://www.bleepingcomputer.com/news/security/ransomware-affiliates-triple-extortion-and-the-dark-web-ecosystem/
Submission: On July 07 via api from TR — Scanned from DE
RANSOMWARE AFFILIATES, TRIPLE EXTORTION, AND THE DARK WEB ECOSYSTEM

Sponsored by FLARE
July 6, 2023, 10:00 AM

Many people associate the dark web only with drugs, crime, and leaked credentials, but in recent years a complex and interdependent cybercrime ecosystem has emerged across Tor and illicit channels on Telegram. This trend can be exemplified by examining ransomware groups, affiliates, and the increasingly complex methods they are using to extort companies.

Ransomware has been an acute concern for organizations for more than a decade, but one of the more recent trends we see is that groups now set up the infrastructure but outsource the actual infection (and in some cases the negotiation) to "affiliates", who effectively act as contractors to the Ransomware as a Service (RaaS) group and split the profits at the end of a successful attack.

[Figure: Ransomware group LockBit's affiliate rules page]

This enables role specialization and leverages the economic principle of "economies of scale." This "commodification of cybercrime" allows for more infections, more victims, and higher payouts.

At the same time, we have seen groups resorting to increasingly sophisticated extortion tactics. A group only encrypting a company's data (single extortion) is now a rarity, with some groups entirely foregoing encryption and instead focusing on data exfiltration and employee blackmail.

DIFFERENT TYPES OF RANSOMWARE EXTORTION

So what are single, double, and triple extortion attacks?

SINGLE EXTORTION

This is your "traditional" ransomware attack, in which a group encrypts a company's data and requires payment for release of the data.

DOUBLE EXTORTION

A ransomware group encrypts a company's data, but first exfiltrates it; the stolen data is posted on the group's ransomware blog on a certain date if the victim doesn't pay.

[Figure: Ransomware group LockBit's ransomware blog page]

TRIPLE EXTORTION

The group not only encrypts and exfiltrates data, but additionally attempts to:

* target specific employees
* conduct a DDoS attack on the company
* notify third parties of the company, or otherwise attempt to create additional leverage to force the victim to pay.

HOW BIG IS THE THREAT OF RANSOMWARE ATTACKS?

In 2022 we saw 2,947 companies' data leaked on ransomware blogs. Undoubtedly hundreds or thousands more companies were victims and paid the ransom to avoid data disclosure.

In 2023, we have already seen more than 2,000 data leaks on ransomware blogs in the first six months of the year, making it likely that 2023 will be a record year for ransomware data disclosure.

HOW TRIPLE EXTORTION RANSOMWARE LEVERAGES THE CYBERCRIME ECOSYSTEM

The rise of triple extortion ransomware directly coincides with another significant change in the threat landscape: the rise of infostealer malware. Infostealer variants such as Vidar, RedLine, and Raccoon infect individual computers and exfiltrate the browser fingerprint, host data, and, most importantly, all of the credentials saved in the browser.

[Figure: Telegram channel that sells stealer logs]

Ransomware affiliates can easily shop for ransomware via specialized forums, then look for initial access via infected-device logs posted to public Telegram channels or listed for sale on Russian Market or Genesis Market.

WHAT'S IN A STEALER LOG?

An individual log can contain credentials for:

* VPNs and business applications
* online banks
* retirement accounts
* email addresses
* and more.

We estimate that there are a minimum of 20 million infected devices for sale across the dark web and Telegram, with a single-digit percentage containing credentials to corporate environments.

TRIPLE EXTORTION ATTACKS AND STEALER LOGS

Ransomware groups can also use stealer logs as part of triple extortion attacks. We have seen affiliates using logs for initial access to corporate IT environments, and, after a successful attack, identifying already-listed logs related to specific employees that can be exploited to further pressure the organization.

RANSOMWARE AND INITIAL ACCESS BROKERS

Another interesting convergence we have seen is the rapid increase in "initial access brokers", who operate on dedicated dark web forums and specialize in establishing initial access to a company, which is then sold in an auction-style format that includes a "buy it now" price.

[Figure: Initial access broker post selling access to a healthcare organization in the Middle East]

Initial access brokers further commoditize the process of infection, making it easy for threat actors to purchase access to targets prior to ransomware distribution and enabling them to do a certain amount of "shopping" for the right target.

WHAT DOES THIS MEAN FOR SECURITY TEAMS?

The increasing complexity of the cybercrime ecosystem is enabling a growing number of even unsophisticated threat actors to launch sophisticated attacks against corporate environments. At Flare, we believe that building a continuous threat exposure monitoring (CTEM) process is the key to effective cybersecurity. Gartner estimates that companies that leverage processes around CTEM will reduce the risk of a data breach by 66% in 2026.

All cyberattacks require an initial access vector. This can be gained through traditional methods such as phishing emails and vulnerability exploits, but it can also come from developers leaking credentials to public GitHub repositories, infostealer malware infecting employee computers, or credential stuffing attacks.

PROTECT AGAINST RANSOMWARE ATTACKS WITH FLARE

Flare automatically detects company-specific threats across the clear and dark web and illicit Telegram channels, integrates into your security program in 30 minutes, and provides advance notice of potential high-risk exposure in a single, easy-to-use SaaS platform. We identify high-risk vectors that could enable threat actors to access your environment and provide continuous monitoring for infected devices, ransomware exposure, public GitHub secrets leaks, leaked credentials, and more.

Sign up for a free trial to learn more about protecting your organization.

Sponsored and written by Flare

RELATED ARTICLES:

* Inside Threat Actors: Dark Web Forums vs. Illicit Telegram Communities
* The Great Exodus to Telegram: A Tour of the New Cybercrime Underground
* TSMC denies LockBit hack as ransomware gang demands $70 million
* University of Manchester confirms data theft in recent cyberattack
* Hackers warn University of Manchester students of imminent data leak

Tags: Cybersecurity, Dark Web, Extortion, Flare, Initial Access Broker, Ransomware