How cybercriminals are weaponizing leaked ransomware data for follow-up attacks

Alexsmith

BEC (business email compromise) is a growing cyber threat, driven by the ready availability of sensitive corporate information on the dark web. This is problematic because BEC and its derivatives, such as vendor email compromise (VEC) and invoice fraud, are the most destructive forms of malicious activity in terms of monetary losses. According to FBI estimates, victims suffered $2.4 billion in losses from BEC scams in 2021, more than a third of all reported cybercrime losses ($6.9 billion).

Ransomware and data disclosures, sometimes referred to as double extortion, have made sensitive corporate data easily accessible on the criminal underground.


Such data can be obtained for free or for a fee by any threat actor, and criminals can mine this rich source of information to build secondary BEC attacks. This is particularly relevant because underground services and markets like Genesis allow malicious users to buy credentials for as little as $10 to gain access to legitimate corporate email accounts. An attacker can then launch a BEC attack from an internal, legitimate email address rather than a spoofed one. When genuine email addresses are used, businesses and consumers find it far harder to tell legitimate business correspondence from malicious activity.


Data disclosures


ACTI analysed ransomware-related data and compared it with external sources. ACTI analysed the top 20 active dark web "name and shame" sites, or dedicated leak sites, between July 2021 and July 2022, comparing the number of featured victims with its own research (Exhibit 1). ACTI observed an estimated 4,026 victims, including corporate, non-governmental and governmental entities, on ransomware groups' dedicated leak sites.


Exhibit 1: Data leak victims at dedicated leak sites


A total of 91% of the 4,026 victims named on dedicated leak sites experienced data disclosures; the remaining victims had not had data leaked. Double extortion is a common technique used by ransomware groups of any size, which means that a large number of malicious actors can disclose large amounts of data and make that data accessible to everyone.


ACTI found that financial data is the most commonly disclosed data type on leak sites, followed by client and employee personally identifiable information and documentation. These findings are consistent with other researchers' observations. ACTI also found that if an exfiltrated batch contains at least one of these categories, the exfiltrating group consistently highlights that data type on its dedicated leak site. This boasting demonstrates both the perceived high value of such data and the propensity to disclose it. RedAlert's dedicated leak site provides an example of such promotion in the highlighted section of Exhibit 2.


Exhibit 2: Exfiltrated data types RedAlert has noted on its dedicated leak site


Data indexing improves malicious usability


Leaked data can increase a BEC actor's ability to attack an organisation: it strengthens the BEC attack chain and undermines traditional defences. ACTI believes that, until recently, the difficulty of working with large amounts of poorly organised data limited the utility of leak site data. Interacting with such data was hard, time-consuming and expensive, which created a natural barrier to its widespread abuse. ACTI discovered that many groups are moving away from Tor-only domains to make their leak site data more easily accessible, and sites like ALPHV or Industrial Spy now provide searchable, indexed data, including sensitive financial data such as the items highlighted in red in Exhibit 3. This searchability makes it easier and faster for malicious actors to find the data they need to launch secondary attacks.


Industrial Spy was established as a data-selling marketplace in April 2022. It allows users to access some data for free and sells individual files for as little as $1.00. To make specific files easy to find, the operators organise and name folders with labels that reflect their contents. Folder 4 in Exhibit 3 (highlighted to show the data indexing, and obfuscated to protect potential victims) shows an example of this.


Exhibit 3: Sensitive data revealed on the Industrial Spy market


The Industrial Spy marketplace also has a working search function. ACTI's tests showed that threat actors can search for specific file types, such as invoices, scans, contracts, legal documents and emails, and can narrow results to data from specific countries and industries, such as US-based insurance or engineering companies.


The ALPHV ransomware group also created an indexed, searchable database of leaks (Exhibit 4, again obfuscated to protect potential victims). Anyone can search the ALPHV database for terms such as employee names, contract data and leadership, which makes it easy to find the data needed to enrich a social engineering scheme. When searching the indexed disclosures, ACTI found "about 10,000" results for invoice, 6,000 results for CFO, 10,000 results for accounting and 10,000 results for email, which demonstrates the vast amount of information available.


Exhibit 4: Searchable, indexable data hosted at ALPHV's dedicated leak site


ACTI believes that indexed and searchable databases such as these are far more efficient for an attacker than downloading bulk data and sifting through it for the desired information.


Augmenting the BEC attack chains and defeating defences


While all cybercriminals could benefit from sensitive corporate data, it is particularly beneficial to attackers who rely on social engineering. ACTI believes that it is harder for a victim's employees to detect fraudulent communications and prevent such attacks when the attacker can base them on legitimate documents taken from the victim company.


ACTI discovered that the most commonly disclosed data types overlap with those most useful for conducting BEC or VEC attacks: communication, financial and employee data. The "other" category covers items such as marketing and training materials, which cybercriminals are likely to find less valuable than the data types listed above.


Exhibit 5: The degree of overlap between the available disclosed data and that data's utility for VEC and BEC attacks


ACTI believes that double-extortion leaks are the main factor behind an increase in BEC and VEC attacks. This data is most valuable during the reconnaissance and social engineering phases, especially where false invoices are involved.

During the reconnaissance phase, malicious actors can study and exploit the huge amounts of sensitive company data available to them. Resources such as insurance data, salary information and bank reconciliations can then be used for social engineering.


Exhibit 6: Internal data on the Industrial Spy data extortion marketplace


Social engineering is the most crucial and most difficult phase of a BEC attack, and it also benefits the most from leak site data. BEC attacks rely largely on social engineering and face few technical obstacles, so good social engineering is the most critical factor in a successful BEC attack. Threat actors are more likely to succeed if their social engineering strategies are high-quality, well-crafted and precisely scoped, and leak site data gives them valuable insight into the day-to-day operations of a target company.


Threat actors can increase the probability that a social engineering scam will succeed by knowing the target's internal language, which lets them avoid the non-standard wording that would otherwise be a sign of fraud. Dedicated leak site data also helps actors follow the target's internal organisational paths, expected communication channels and chains of command, which reduces the chance that a target spots the scam.


Malicious actors may also use this data to improve the timing of an attack, directing social engineering at individuals and organisations when they are most vulnerable, for example when vendors renew contracts or acquire new ones. VEC attacks gain even more from the high volume of sensitive dumped data that is shared between primary targets and their vendors. In particular, contracts, financial agreements, payment schedules, orders and purchase histories can all be found on dedicated leak sites, allowing actors to imitate vendors more closely than usual.


A BEC or VEC attack usually ends with a fake invoice being sent to the victim or the victim's supplier. Data from dedicated leak sites often includes authentic invoices that actors can easily alter for use in attacks. Exhibit 7 is an example of a real invoice that ACTI found on the Industrial Spy data extortion site, obfuscated to protect potential victims. An actor could modify the invoice's payment details (marked by a blue arrow) and then send it to the target.


Exhibit 7: Genuine invoice discovered by ACTI on a leak site


ACTI found similar invoices in almost all dumps across various leak sites, which demonstrates the huge amount of such data available.


This type of data allows a threat actor to carry out a more sophisticated attack and to bypass traditional defences against social engineering.


Conclusion


Ransomware attacks have led to a flood of sensitive data leaking from corporate networks, and it is now easy for anyone to find and obtain that data. This availability has synergistic effects: operators can use the data to enhance and enrich entire BEC and VEC attack chains, and to circumvent industry defences against social engineering attacks.


Access to internal data increases the likelihood of secondary attacks, even ones unrelated to the initial ransomware incident. This risk extends to organisations that do business with the victim or operate within the victim's supply chain.
