Everyone will see the stolen data: Clop ransomware goes to open leak sites
Search engines themselves will index the leaked information and spread it across the Internet.
A couple of days ago, cybersecurity researchers started to notice that the Clop extortion group had copied a tactic from its competitors in the ALPHV group and created open leak websites, accessible without a Tor connection and each dedicated to a specific victim organization. In this way, the attackers are trying to speed up the spread of the stolen data and pressure victims into paying the ransom faster.
When the Clop ransomware gang attacks a corporate network, the attackers first steal data from the company’s servers and then encrypt it to make it difficult to access. The stolen data is later used as leverage in a double extortion scheme: victims are threatened with the public release of their sensitive data unless they pay a ransom.
Data leak websites are usually hosted on the Tor network, as this makes it difficult for law enforcement to block or seize the infrastructure. However, this hosting method has its disadvantages for ransomware operators: access to the sites requires the Tor Browser, search engines do not index the leaked data, and page loading on such sites is usually quite slow.
To overcome these hurdles, last year the ALPHV group, also known as BlackCat, introduced a new ransomware tactic: setting up open websites to leak stolen data, which were “advertised” as a way for ordinary employees of a hacked enterprise to check whether their data had fallen into the hands of the hackers. Access to such sites does not require special software, as they are reachable from the regular Internet.
This method makes the data far easier to reach and makes it likely that it will be quickly indexed by search engines, which in turn increases the spread of the leaked information across the Internet.
The first site created by the Clop attackers was dedicated to the consulting firm PwC Australia. Four ZIP archives containing stolen company data were posted on the site. Shortly thereafter, the attackers also set up websites for Aon, Ernst and Young, Ameritrade and several other organizations.
Clop’s sites aren’t as advanced as the ones ALPHV built last year and merely contain links to download the data, whereas the authors of the BlackCat malware went as far as building a full-fledged searchable database into their sites.
Such sites are designed to scare the employees, managers and business partners of the company who could be affected by the data breach. Since they could easily find their personal data in the archives, they could in turn pressure the company into paying the hackers a ransom.
However, despite the advantages of this method of leaking data, it also has a significant drawback: sites hosted on the open Internet rather than in Tor are much easier to take down. Accordingly, at this point all known open Clop leak sites have been taken offline.
It is not clear whether this was due to a law enforcement order, DDoS attacks by cybersecurity companies, or because hosting providers and domain registrars blocked the sites themselves. Given the ease with which such exposed sites can be shut down, there is some doubt that this extortion tactic is really worth the effort.