This report investigates the trend, pioneered by the Maze ransomware group, of double extortion. In particular, we examine the contents of initial data disclosures intended to coerce victims to pay ransoms.
Rapid7 analysts investigated 161 separate data disclosures between April 2020 and February 2022 and identified a number of trends in the data.
FINDINGS
Among the findings: there are general trends in the data leaked that vary only slightly across sectors, but three sectors display distinctive patterns: Financial Services, Healthcare, and Pharmaceuticals.
- Intellectual property appeared in 12% of leaks overall, making it rare in general, except in Pharmaceuticals, where it was included in 43% of the disclosures investigated.
- Targets in Financial Services are more likely to have customer information disclosed than any other type of data.
- Financial data was the most commonly leaked category, appearing in 63% of disclosures, followed by customer/patient data at 48%. (Categories overlap: a single disclosure often contains several kinds of data, so the percentages do not sum to 100.)
- The collapse of the Maze ransomware group in November 2020 led to the emergence of several smaller groups that recaptured the lost market share.
- Leaked data varied by threat actor group. Conti leaked financial information in 81% of its included incidents, whereas Cl0p included financial information in only 30% of its included incidents, generally preferring employee information, which appeared in 70% of its included incidents.
INTRODUCTION AND METHODS
This paper sheds new light on ransomware attacks, particularly the initial data disclosure layer of “double extortion.” Rapid7 analysts reviewed a data sample consisting of all ransomware data disclosure incidents that were reported to customers via industry-specific alerts in our Threat Command threat intelligence platform (TIP). Rapid7 analysts also drew upon both threat intelligence coverage and institutional knowledge of cybercriminal communities, particularly Russian-speaking ones, for context and background. Unless otherwise noted, this knowledge base and the sample of data disclosure incidents are the sources for this paper.
This sample is not exhaustive but serves as a selection of incidents that analysts deemed significant and credible enough to report to customers not directly impacted by them. The time frame for these incidents was from April 2020 to February 2022. Data disclosure became more common during this period, following the Maze ransomware group’s pioneering of the technique.