Data Dumping by Ransomware Operators: Where and How do They Leak?

June 5, 2020

More ransomware gangs are now changing their tactics to first conduct extensive reconnaissance to find and steal sensitive information before attempting the encryption of data. It helps them in selling these files or credentials on underground forums when the compromised party fail to agree or meet a proposed deal. 

What happened recently?

The operators of the REvil (Sodinokibi) ransomware rolled an eBay-like site to auction off the victims’ stolen data.
  • They have named the site “The Happy Blog,” which currently advertises auction data for two firms.
  • The first leak is from a food and harvest distributor. They promise more than 10,000 stolen files containing confidential cash-flow analyses, distributor data, vendor information, business insurance data, and more.
  • The second data dump offers accounting documents, accounts details, and other important information that may be of value to competitors or interested parties from a Canadian agriculturlal company.

Though the trend of stealing and leaking data was started by the Maze ransomware group in November 2019, it propagated instantly amongst the hacking groups and other groups followed.

Top leaks in the last few weeks

  • The Sodinokibi ransomware actors leaked files stolen from the U.K. electricity middleman, Elexon. The leak contains highly sensitive and confidential files and data, as per experts. The operators published 1,280 files allegedly stolen from the company on their leak site.
  • Recently, the CLoP ransomware group leaked the ExecuPharm’s compromised data on underground forums. The U.S. pharmaceutical giant’s servers were attacked—via a phishing email—on March 13, compromising selected corporate and personnel information.
  • The Maze ransomware operators released the second part of credit card information of Banco de Costa Rica (BCR) customers last week from the stolen 11 million credit card credentials. BCR is one of the largest state-owned commercial banks in Costa Rica. It was attacked the second time by the group after the bank failed to secure its network post an August 2019 incident.

Where to look for the dumped data?

  • AKO ransomware actors leak victim's data on "Data Leak Blog."
  • The CLoP group releases its data on the leak site called 'CL0P^-LEAKS.'
  • DoppelPaymer launched a dedicated leak site called "Dopple Leaks."
  • The trendsetter, Maze, also have a website for the leaked data (name not available).
  • Nemty also has a data leak site for publishing the victim's data but it was, recently, unreachable.
  • The Nephilim ransomware group’s data dumping site is called 'Corporate Leaks.'
  • NetWalker, previously Mailto ransomware, owns an auto-publishing data leak site that uses a countdown to try and scare victims into paying.
  • Pysa ransomware operators have a data leak site called 'Pysa Homepage.'
  • Ragnar Locker publishes hijacked data on 'Ragnar Leaks News' site.
  • The Sekhmet operators have a site titled 'Leaks leaks and leaks.'
  • Snatch ransomware actors previously had a site but it is down now. They were also out of the picture in the recent incident.
  • CryLock, ProLock and Snake ransomware groups do not have their leaks sites but they reveal and inform the leak in their own unique ways.

Moreover, some groups have advanced their modus operandi to become more effective.

The ransomware game of intrusion


  • Nemty operators, that launched itself as a classic RaaS (Ransomware-as-a-Service) in the summer of 2019, declared to shut down their public Ransomware-as-a-Service (RaaS) operation and go private to focus and put more resources on targeted attacks
  • In the past few months, the ransomware operators have been distributing via email spam (malspam) campaigns, exploit kits, boobytrapped apps, and by brute-force attacks against RDP endpoints.


  • Two weeks back, experts found NetWalker doing away with phishing for malware distribution model and endorsing a network-intrusion model that targets only huge businesses.
  • With its ransomware-as-a-service (RaaS) model, it has decided to work only with highly skilled network intruders that can map the environment and help them escalate in a compromised system.


  • The group gained a new feature last month allowing it to crypto-lock both locked files and those in use by other applications and processes, such as databases or mail servers, as disclosed in the Intel 471 report.

Read the original article and additional information at Cyware Social