Gone are the days when ransomware operators were happy with encrypting files on-site and more or less discreetly charging their victims money for a decryption key. What we commonly find now is encryption with the additional threat of leaking stolen data, generally called Double-Extortion (or, as we like to call it, Cyber Extortion or Cy-X). This is a unique form of cybercrime in that we can observe and analyze some of the criminal action via ‘victim shaming’ leak sites.
Since January 2020, we have applied ourselves to identifying as many of these sites as possible to record and document the victims who feature on them. By adding our own research, and by analyzing and enriching data scraped from the various Cy-X operators and market sites, we can provide direct insights into the victimology from this specific perspective.
We must be clear that what we are analyzing is a limited perspective on the crime. Nevertheless, the data gleaned from an analysis of the leak-threats proves to be extremely instructive.
We’ll refer to the listing of a compromised organization on a Cy-X leak site as a ‘leak threat’. The numbers you’ll see in most of the charts below refer to counts of such individual threats on the onion sites of the Cy-X groups we’ve been able to identify and track over the last two years.