Starting in late 2019 and early 2020, the operators of several ransomware strains have begun adopting a new tactic.

In an attempt to pressure hacked companies into paying ransom demands, several ransomware groups have also begun stealing data from victims' networks before encrypting it.

If the victim – usually a large company – refuses to pay, the ransomware gangs threaten to leak the information online, on so-called “leak sites”, and then tip off journalists about the company's security incident.

Companies that may try to keep the incident quiet, or that do not want intellectual property leaked online where competitors can reach it, usually cave in and pay the ransom.

Although the tactic was initially pioneered by the Maze ransomware team in December 2019, it is now becoming widespread among other groups as well.

At the time of writing, ZDNet has identified nine ransomware operations that currently run, or have previously run, a “leak site”, either on the dark web or on the public internet.

The following is a list of all ransomware “leak sites”, in alphabetical order, which we will keep up to date as an index of all the groups engaging in this tactic. We will not link to any of these sites, nor will we list any past or present victims. This list is intended only to make victim companies aware that, in the event of an infection with any of the following ransomware strains, they should treat the incident as a classic data breach, in which their data has been exfiltrated and has reached third-party hands, rather than as a ransomware incident in which data was simply encrypted but never left the victim’s network.

CLOP

DoppelPaymer

Maze

Nefilim

Nemty

RagnarLocker

REvil (Sodinokibi)

Sekhmet

Snatch

The “leak site” of the Snatch ransomware gang has been down for weeks. It is unclear whether the group has stopped leaking files from infected hosts or has moved it to a new secret URL.