URL: https://www.bleepingcomputer.com/news/security/ransomware-affiliates-triple-extortion-and-the-dark-web-ecosystem/
Submission: On July 07 via api from TR — Scanned from DE

RANSOMWARE AFFILIATES, TRIPLE EXTORTION, AND THE DARK WEB ECOSYSTEM

Sponsored by FLARE

 * July 6, 2023
 * 10:00 AM

Many people associate the dark web only with drugs, crime, and leaked
credentials, but in recent years a complex and interdependent cybercrime
ecosystem has emerged across Tor and illicit channels on Telegram.

This trend is exemplified by ransomware groups, their affiliates, and the
increasingly complex methods they use to extort companies.

Ransomware has been an acute concern for organizations for more than a decade,
but one of the more recent trends we see is that groups now set up the
infrastructure while outsourcing the actual infection (and in some cases the
negotiation) to “affiliates,” who effectively act as contractors to the
Ransomware as a Service (RaaS) group and split the profits at the end of a
successful attack.

Ransomware Group Lockbit’s Affiliate Rules Page

This enables role specialization and leverages the economic principle of
“economies of scale.” This “commodification of cybercrime” allows for more
infections, more victims, and higher payouts.

At the same time, we have seen groups resort to increasingly sophisticated
extortion tactics. A group that only encrypts a company's data (single
extortion) is now a rarity, with some groups forgoing encryption entirely and
instead focusing on data exfiltration and employee blackmail.


DIFFERENT TYPES OF RANSOMWARE EXTORTION

So what are single, double, and triple extortion attacks?


SINGLE EXTORTION

This is the “traditional” ransomware attack, in which a group encrypts a
company's data and demands payment for its release.


DOUBLE EXTORTION

A ransomware group exfiltrates a company’s data before encrypting it; if the
victim doesn’t pay, the stolen data is posted on the group’s ransomware blog on
a set date.

Ransomware Group Lockbit’s Ransomware Blog Page


TRIPLE EXTORTION

The group not only encrypts and exfiltrates data, but additionally attempts to:

 * Target specific employees
 * Conduct a DDoS attack against the company
 * Notify third parties connected to the company

or otherwise tries to create additional leverage to force the victim to pay.


HOW BIG IS THE THREAT OF RANSOMWARE ATTACKS?

In 2022 we saw the data of 2,947 companies leaked on ransomware blogs.
Undoubtedly hundreds or thousands more companies were victims and paid the
ransom to avoid disclosure.

In the first six months of 2023, we’ve already seen more than 2,000 data leaks
on ransomware blogs, making it likely that 2023 will be a record year for
ransomware data disclosure.


HOW TRIPLE EXTORTION RANSOMWARE LEVERAGES THE CYBERCRIME ECOSYSTEM

The rise of triple extortion ransomware directly coincides with another
significant change in the threat landscape: the rise of infostealer malware.

Infostealer variants such as Vidar, RedLine, and Raccoon infect individual
computers and exfiltrate the browser fingerprint, host data, and, most
importantly, all of the credentials saved in the browser.

Telegram Channel that Sells Stealer Logs

Ransomware affiliates can easily shop for ransomware on specialized forums,
then look for initial access via infected-device logs posted to public Telegram
channels or listed for sale on markets such as Russian Market and Genesis
Market.


WHAT’S IN A STEALER LOG?

An individual log can contain credentials for:

 * VPNs and business applications
 * Online banks
 * Retirement accounts
 * Email addresses
 * and more.

We estimate that there are a minimum of 20 million infected devices for sale
across the dark web and Telegram, with a single digit percentage containing
credentials to corporate environments.


TRIPLE EXTORTION ATTACKS AND STEALER LOGS

Ransomware groups can also use stealer logs as part of triple extortion attacks.

We’ve seen affiliates use logs for initial access to corporate IT environments,
and, after a successful attack, identify already-listed logs tied to specific
employees that can be exploited to further pressure the organization.


RANSOMWARE AND INITIAL ACCESS BROKERS

Another interesting convergence we’ve seen is the rapid increase in “initial
access brokers,” who operate on dedicated dark web forums and specialize in
establishing initial access to a company, which is then sold in an auction-style
format that often includes a “buy it now” price.

Initial Access Broker Post Selling Access to a Healthcare Organization in the
Middle East

Initial access brokers further commoditize the infection process, making it
easy for threat actors to purchase access to targets before distributing
ransomware and enabling them to do a certain amount of “shopping” for the right
target.


WHAT DOES THIS MEAN FOR SECURITY TEAMS?

The increasing complexity of the cybercrime ecosystem is enabling a growing
number of even unsophisticated threat actors to launch sophisticated attacks
against corporate environments. At Flare, we believe that building a continuous
threat exposure monitoring (CTEM) process is the key to effective cybersecurity.

Gartner estimates that companies that leverage processes around CTEM will reduce
the risk of a data breach by 66% in 2026.

All cyberattacks require an initial vector of access. This can be gained through
traditional methods such as phishing emails and vulnerability exploits, but it
can also come from developers leaking credentials onto public GitHub
repositories, infostealer malware infecting employee computers, or credential
stuffing attacks.


PROTECT AGAINST RANSOMWARE ATTACKS WITH FLARE

Flare automatically detects company-specific threats across the clear & dark web
and illicit Telegram channels, integrates into your security program in 30
minutes, and provides advanced notice of potential high-risk exposure in a
single, easy-to-use SaaS platform.

We identify high-risk vectors that could enable threat actors to access your
environment and provide continuous monitoring for infected devices, ransomware
exposure, public GitHub secrets leaks, leaked credentials, and more.

Sign up for a free trial to learn more about protecting your organization.

Sponsored and written by Flare
