What is a Dark Web Leak Site?
The dark web (also referred to as the darkweb and darknet) is a subset of the internet that is hidden and requires a certain browser or software to access content. Dark web leak sites are websites within the dark web used by ransomware groups, hackers and other malicious actors to leak stolen data and conduct ransom negotiations with victims.
The Dark Web Explained
The dark web is an area of the internet that is not indexed by surface web search engines like Google or Bing. Unlike the deep web, which is simply not indexed by search engines, dark websites are intentionally kept hidden. The dark web is usually accessed via the Tor network (aka The Onion Routing, as defined, or The Onion Router, per popular use).
The Tor network consists of sites known as onion sites or onion links because they end in .onion rather than .com or .org. This network allows users to browse anonymously and access non-indexed content. Tor protects users by providing information through an encrypted path of random servers, increasing their privacy and making it virtually impossible to be the subject of surveillance and tracking. Threat actors take advantage of this inherent privacy, which means that the dark web is an online underworld of anonymous and often illegal activity. For example, people often use this network for sharing pirated content, as well as trading, selling illegal drugs and paraphernalia.
How Do Dark Web Leak Sites Work?
Dark web leak sites are used by threat actors on the dark web to carry out encrypted business operations and to monetize ransomware, malware and other online attacks. Dark web leak sites serve as a platform for uploading and sharing sensitive and personal information that threat actors have stolen from targeted organizations.
For example, ransomware groups and malicious actors are increasingly using the dark web to publish information about breached organizations and set up leak sites. In some instances, threat actors might list the names of organizations they have targeted with ransomware attacks.
Some actors also use their leak sites to publish proof of compromise, which is often a sample of the data stolen during a ransomware attack. Malicious actors threaten to use the leak site to post the complete set of compromised information and share this information with the media if the organization does not pay the ransom demand.
As a result, dark web leak sites give ransomware gangs increased leverage over their victims. By "naming and shaming" organizations that have been impacted, and by issuing public threats, they increase the pressure on organizations and increase the likelihood of getting paid quickly. Even if organizations have backed up their data and have the ability to recover from a ransom attack, the threat of exposing sensitive information can lead to an organization paying the threat actor.
Ransomware Leak Site Trends
Across all industries and sectors, organizations of all sizes are vulnerable to devastating damage from this type of attack. Unfortunately, despite the public’s growing awareness and attempts to contain cyberattacks, ransomware threats remain persistent.
In the world of ransomware, dark web data leak sites are a relatively new tactic, becoming popular in 2020. In the 2023 Unit 42® Ransomware Threat Report, Unit 42 analyzed these sites to discover the latest trends.
Every day, Unit 42 threat researchers see about seven new ransomware victims posted on leak sites. That’s one every four hours. In 2022, names and proof of compromise for 2,679 victims were publicly posted on ransomware leak sites, which is about 4% higher than the number observed in 2021.
The Unit 42 threat researchers also uncovered that the manufacturing industry was one of the most targeted by ransomware breaches in 2022, followed by the professional and legal services industry.
Because ransomware attacks are opportunistic in nature, one of the reasons the team sees particular industries being more heavily impacted is that they frequently use systems with outdated software that isn't readily or frequently updated/patched. Ransomware attackers also look for targets in sectors where the timely delivery of specific goods or services is essential to corporate operations.
Another key analysis in the report looked at organizations posted on leak sites by country. The report found that the United States is the most severely impacted by ransomware operations, accounting for 42% of the observed leaks in 2022, followed by Germany and the U.K., accounting for less than 5% each. However, despite the concentration of ransomware attacks in the U.S., the team’s data showed that ransomware groups do have a global presence and were observed impacting organizations in 107 countries in 2022.
It’s also worth mentioning that when Unit 42 tracks organizations whose information was posted on a leak site, they’re typically looking at victims who chose not to pay the ransom. It’s therefore expected that the actual global impact of ransomware gangs who maintain leak sites is higher than the team can observe, since presumably some organizations choose to pay the ransom demands to keep their information off the dark web.
Ransomware groups that often use leak sites to pressure victims include LockBit 2.0, Pysa, Avaddon, Hive, Black Matter and Grief. But a major trend observed with dark web leak sites is the ebbs and flows of responsible gangs. Activity from a particular hacker group tends to be unpredictable, with rampant activity often followed by a lull. There could be various explanations for this, including pressure from law enforcement, operational woes, intense competition or rebranding.
Read the 2023 Unit 42 Ransomware and Extortion Report for additional insights, including actionable recommendations mapped to the MITRE ATT&CK framework.
What to Do If Your Organization Appears on a Dark Web Leak Site
If your organizational information appears on a dark web leak site, it can trigger legal and financial consequences as well as reputational damage and related business losses. It's important to act quickly and take specific steps to mitigate the damage.
Step 1: Confirm that the leak is legitimate
Gather as much information about the leak as possible, including the source of the hack and the type of information that might have been exposed. Cross-check this information with your organization's internal data to confirm if the leak is legitimate. There are also several online tools and services that specialize in dark web monitoring. By verifying the legitimacy of the leak first, you can save yourself from unnecessary actions.
Step 2: Inform your organization's IT security team and legal department
If you verify the legitimacy of the dark web site leak, the next step is to notify your IT security team and legal department (including eliciting guidance from external counsel). The security team will work to investigate the breach and secure your organization's systems and networks to prevent further data and personal information exposure.
Concurrently, the legal department will assess the breach's implications and take legal action if required. They may need to work with law enforcement agencies, like the FBI, to investigate the breach and identify the perpetrators. Additionally, your organization's legal team may need to comply with legal and regulatory compliance requirements and notify affected individuals and regulatory bodies.
Step 3: Strengthen your security protocols and systems
As your IT team begins to understand the nature of the data breach, it's critical to review and strengthen the organization's security protocols and systems to prevent future breaches from occurring. IT team members should thoroughly review existing security measures and identify areas that require improvement or modification.
Take this opportunity to protect sensitive information by implementing additional security measures, including multifactor authentication, limiting remote access protocols, and enforcing data and traffic encryption. It's also essential to reestablish clear security policies and guidelines for employees, such as password requirements and data access controls. Ensure employees are trained on new security policies and understand their importance.
Step 4: Monitor the dark web
Once the cyberthreat has been managed and your systems and network return to working order, continue to monitor the dark web for further leaks. Consider the benefit of a retainer agreement with a reputable cybersecurity firm to help monitor possible threats.
Your organization's ability to react quickly and efficiently to a dark web leak notification can help mitigate the impact of a leak on your organization, protecting your reputation and sensitive information.