Dati ransomware pubblicati in chiaro Piergiorgio Venuti

The data exfiltrated during a double extortion ransomware attack is not public. Let’s dispel a myth

Estimated reading time: 3 minutes

Introduction

Ransomware attacks are becoming more common and lucrative for cybercriminals. In particular, the “double extortion” variant involves not only encrypting the victim’s data, but also stealing and threatening to publish it online for ransom. It is commonly believed that stolen data is not actually disclosed publicly, but remains confined to the dark web. In reality, things are not like that.

What is the dark web

The dark web refers to that part of the internet whose contents are not indexed by standard search engines. To access the dark web you need to use specific browsers such as Tor, which make browsing anonymous by encrypting and routing traffic through multiple nodes. Thanks to the anonymity it guarantees, the dark web is often used for criminal activities, such as the sale of stolen data.

However, the dark web is not as dark and mysterious as it is believed. Software like Tor is free and easily accessible to everyone. As a result, even sensitive data of companies that have ended up on the dark web can easily be leaked, even publicly.

Cybergangs also often publish unencrypted

Contrary to common belief, many of the criminal organizations that manage ransomware attacks end up publishing the stolen data of the victims even publicly, as an additional tool to pressure to obtain the ransom payment.

The forums and sites used for these publications are often hosted on non-EU servers, where there are no legal consequences, and are easily accessible to anyone. For example, the Conti group, one of the most active in the ransomware world, regularly publishes exfiltrated data through its “Conti Leaks” site.

Even lesser-known ransomware groups end up posting stolen data samples on public forums, then posting the URL to the victim, to demonstrate that the threat of full disclosure is real.

These publications take place on sites accessible to anyone with an internet connection. It is not necessary to resort to the dark web to access the stolen data.

Because cybergangs publish data in the clear

There are mainly three reasons that drive ransomware operators to publish the stolen data also publicly, and not only on the dark web:

  • Increase pressure on the victim: Publishing a sample of sensitive data is a powerful coercion tool to pressure the victim into paying to avoid full disclosure.
  • Damage the image of the target: Cybergangs often aim to inflict as much damage as possible on the victims, as well as to obtain a ransom. The publication of the data damages the reputation of the affected organization.
  • Advertising for your services: Showing the leaked data serves as proof of the effective capabilities of the ransomware group, allowing you to attract more customers for future attacks.

A million dollar business

Selling stolen data has become an extremely lucrative business for cybercriminals, second only to ransomware. Recent reports estimate that revenues from the sale of stolen data alone in 2021 netted hackers over $2 billion.

Sensitive company data can be sold for tens of thousands of euros on the dark web. But free sample posting further increases the destructive impact of the attack.

Conclusion: prevention is better than cure

The possibility that the data stolen by a ransomware attack will be publicly disclosed, and not only on the dark web, is therefore concrete and should not be underestimated. The consequences of such a data breach can be extremely serious for a company, causing reputational damage, legal fines and loss of intellectual property.

It therefore becomes crucial to invest in prevention, adopting modern security solutions such as SOC (Security Operation Center) platforms that monitor the corporate network 24 hours a day to identify and block attacks before hackers can steal or encrypt sensitive data.

In addition, advanced threat intelligence services such as those provided by companies such as Secure Online Desktop allow you to monitor the dark web to identify any stolen company data that is being offered for sale, to take immediate action and limit the damage.

Useful links:

Share


RSS

More Articles…

Categories …

Tags

RSS Unknown Feed

RSS Full Disclosure

  • Three bypasses of Ubuntu's unprivileged user namespace restrictions March 27, 2025
    Posted by Qualys Security Advisory via Fulldisclosure on Mar 27Qualys Security Advisory Three bypasses of Ubuntu's unprivileged user namespace restrictions ======================================================================== Contents ======================================================================== Summary Bypass via aa-exec Bypass via busybox Bypass via LD_PRELOAD Acknowledgments Timeline (advisory sent to the Ubuntu Security Team on January 15, 2025)...
  • SQL Injection in Admin Functionality - dolphin.prov7.4.2 March 25, 2025
    Posted by Andrey Stoykov on Mar 24# Exploit Title: SQL Injection in Admin Functionality - dolphin.prov7.4.2 # Date: 03/2025 # Exploit Author: Andrey Stoykov # Version: 7.4.2 # Date: 03/2025 # Tested on: Debian 12 # Blog: https://msecureltd.blogspot.com/2025/03/friday-fun-pentest-series-21-sql.html SQL Injection in Admin Functionality: Steps to Reproduce: 1. Login as admin user and visit the page […]
  • Stored XSS via Send Message Functionality - dolphin.prov7.4.2 March 25, 2025
    Posted by Andrey Stoykov on Mar 24# Exploit Title: Stored XSS via Send Message Functionality - dolphin.prov7.4.2 # Date: 03/2025 # Exploit Author: Andrey Stoykov # Version: 7.4.2 # Date: 03/2025 # Tested on: Debian 12 # Blog: https://msecureltd.blogspot.com/2025/03/friday-fun-pentest-series-20-stored-xss.html Stored XSS via Send Message Functionality: Steps to Reproduce: 1. Login and visit "http://192.168.58.170/dolphinCMS/mail.php?mode=compose" 2. Add...
  • APPLE-SA-03-11-2025-4 visionOS 2.3.2 March 20, 2025
    Posted by Apple Product Security via Fulldisclosure on Mar 20APPLE-SA-03-11-2025-4 visionOS 2.3.2 visionOS 2.3.2 addresses the following issues. Information about the security content is also available at https://support.apple.com/122284. Apple maintains a Security Releases page at https://support.apple.com/100100 which lists recent software updates with security advisories. WebKit Available for: Apple Vision Pro Impact: Maliciously crafted web content […]
  • APPLE-SA-03-11-2025-3 macOS Sequoia 15.3.2 March 20, 2025
    Posted by Apple Product Security via Fulldisclosure on Mar 20APPLE-SA-03-11-2025-3 macOS Sequoia 15.3.2 macOS Sequoia 15.3.2 addresses the following issues. Information about the security content is also available at https://support.apple.com/122283. Apple maintains a Security Releases page at https://support.apple.com/100100 which lists recent software updates with security advisories. WebKit Available for: macOS Sequoia Impact: Maliciously crafted web […]
  • APPLE-SA-03-11-2025-2 iOS 18.3.2 and iPadOS 18.3.2 March 20, 2025
    Posted by Apple Product Security via Fulldisclosure on Mar 20APPLE-SA-03-11-2025-2 iOS 18.3.2 and iPadOS 18.3.2 iOS 18.3.2 and iPadOS 18.3.2 addresses the following issues. Information about the security content is also available at https://support.apple.com/122281. Apple maintains a Security Releases page at https://support.apple.com/100100 which lists recent software updates with security advisories. WebKit Available for: iPhone XS […]
  • APPLE-SA-03-11-2025-1 Safari 18.3.1 March 20, 2025
    Posted by Apple Product Security via Fulldisclosure on Mar 20APPLE-SA-03-11-2025-1 Safari 18.3.1 Safari 18.3.1 addresses the following issues. Information about the security content is also available at https://support.apple.com/122285. Apple maintains a Security Releases page at https://support.apple.com/100100 which lists recent software updates with security advisories. WebKit Available for: macOS Ventura and macOS Sonoma Impact: Maliciously crafted […]
  • CVE-2019-16261 (UPDATE): Unauthenticated POST requests to Tripp Lite UPS Systems March 20, 2025
    Posted by Lucas Lalumière on Mar 20[Author]: Lucas Lalumiere [Contact]: lucas.lalum () gmail com [Date]: 2025-3-17 [Vendor]: Tripp Lite [Product]: SU750XL UPS [Firmware]: 12.04.0052 [CVE Reference]: CVE-2019-16261 ============================ Affected Products (Tested): ============================ - Tripp Lite PDU's (e.g., PDUMH15AT) - Tripp Lite UPS's (e.g., SU750XL) *NEW* ====================== Vulnerability Summary: ====================== CVE-2019-16261 describes...
  • Multiple sandbox escapes in asteval python sandboxing module March 11, 2025
    Posted by areca-palm via Fulldisclosure on Mar 11[CVE pending] Sandboxing Python is notoriously difficult, the Python module "asteval" is no exception. Add to this the fact that a large set of numpy functions are exposed within the sandbox by default. Versions
  • SEC Consult SA-20250226-0 :: Multiple vulnerabilities in Siemens A8000 CP-8050 & CP-8031 PLC February 27, 2025
    Posted by SEC Consult Vulnerability Lab via Fulldisclosure on Feb 27SEC Consult Vulnerability Lab Security Advisory < 20250226-0 > ======================================================================= title: Multiple Vulnerabilities product: Siemens A8000 CP-8050 PLC Siemens A8000 CP-8031 PLC vulnerable version:

Customers

Newsletter

{subscription_form_1}