Skip to content

Ransomware Gangs Make Stolen Data Searchable: Cyber Threat Intelligence Roundup

Ransomware groups are making stolen data searchable, Chinese state-sponsored actors are increasingly targeting Russia, and Qakbot malware attacks are on the rise

Emerging Issue

In this week’s recap: A handful of threat actors have implemented a search function that makes it easier for victims to find leaked data and are using it as an extortion mechanism. In addition, suspected China-backed APTs are increasingly targeting Russia. And a surge of QBot attacks has been attributed to improvements and new attack techniques implemented by the long-lasting malware developers and operators.

1. Ransomware gangs now let you search their stolen data

Two ransomware groups and a data extortion group have adopted a new strategy to force victims to submit to ransom demands to keep their pilfered data from being publicly disclosed by their attackers.

These groups have added a search function on their data leak sites that make it easier for victims and their partners/clients/shareholders to ascertain whether the leaked data contains any sensitive or damaging details regarding their businesses or relationships.

According to BleepingComputer, the ALPHV/BlackCat ransomware operation may have kicked off the trend. Last week they revealed a searchable database that contains data stolen from non-paying victims.

The ransomware gang made it clear that they are indexing repositories.; helpfully suggesting that the search option functions best when users look for information by filename or content known to be contained in documents or images. Results are culled from the “collections” feature on BlackCat’s leak site. And while there is still room for improvement when it comes to the feature’s accuracy, the capability is an undeniable evolution of the threat actors’ extortion methodology.

When much of an extortion operation’s success depends upon the amount of pressure it can apply to its victims, the ability to search the contents of stolen data is an invaluable addition to these actors’ toolkits. This easy-to-adopt functionality may likely prove a key resource for extortion-type groups attempting to convince victims to pay for the data’s removal; while potentially enabling victims to avoid further headaches such as class-action lawsuits and hefty fines from data privacy regulators.

Analyst comments from Tanium’s Cyber Threat Intelligence Team

“What we’re witnessing here is another natural evolution in the methodology used by extortion-type cybercriminals who seek to increase pressure on their victims to submit to ransom demands, thereby increasing the likelihood and frequency of successful payments. We witnessed the same thing with the emergence of the ‘double-extortion’ tactic, and again with the inevitable adoption of the ‘triple-extortion’ tactic by financially motivated cybercriminals.

It remains to be seen whether the implementation of such a seemingly trivial tactic will prove successful for the threat actors named above, and for those that are sure to adopt the search capability moving forward in an attempt to keep pace with their peers. What is clear is that the tactic does not require any major investment, so if it does prove to be successful, it is sure to become an attractive update to the data leak sites belonging to various cyber extortionist operations.”

2. Hackers linked to the Chinese government increasingly targeting Russia, analysis suggests

Nation-state hackers with links to the Chinese government appear to be targeting Russian entities at an increasing rate, reports SentinelOne Senior Threat Researcher Tom Hegel. The motivation behind the ongoing activity is espionage-related, as evidenced by the activity’s targeting, which is indicative of state-backed cyber threat actors possessing a keen “interest in Northeast Asia, including governments, critical infrastructure, and other private businesses.”

Hegel’s analysis attributes the attacks on Russian targets with high confidence to a Chinese state-sponsored cyberespionage group. A similar conclusion was also presented in a recently issued Ukraine CERT (CERT-UA) alert. The attacks use phishing emails to deliver Microsoft Office (MS Word) documents to exploit targets and ultimately deliver their remote access trojan (RAT) of choice, which seems to be Bisonal — a RAT unique to Chinese threat actors. Bisonal has a long history of being employed in espionage campaigns against defense companies in Russia, Japan, and North Asia – and more recently, attacks on Pakistani telecommunications organizations.

According to SentinelOne, China’s recent intelligence objectives against Russia can be observed in multiple campaigns following the beginning of the Russia/Ukraine conflict, such as Scarab, Mustang Panda, Space Pirates, and now the activity described herein. ​​SentinelOne believes this is a separate Chinese campaign, but Hegel admits that specific actor attribution is impossible at this time. The use of the Bisonal RAT is likely a contributing factor to the difficulties SentinelOne’s researchers faced in attaining attribution for this activity. Chinese APTs are notorious for sharing tools and methodology and the malware has been leveraged by a wide range of China-backed threat actors at various points in time.

Analyst comments from Tanium’s Cyber Threat Intelligence Team

“China has recently made a lot of significant moves in the cyber domain. As CTI recently reported, the Chinese Communist Party (CCP) and its tightly controlled government – including its legions of well-resourced APT groups affiliated with the Chinese Ministry of State Security (MSS) and the People’s Liberation Army (PLA) – are openly engaged in a long-term campaign to become the world’s ONLY superpower. This involves carrying out China’s ‘whole of state’ strategy; a nice-sounding name given to a nationwide operation to steal “world-leading expertise, technology, research and commercial advantage” from Western nations in an intensive bid to boost China’s global standing.

China doesn’t exactly have the best interests of the US or its allies at heart. But from the standpoint of an observer who has been tracking China’s cyber activity and the buildup of its offensive capabilities for the better part of a decade, I can’t help but feel that a sea change is coming. This is evidenced by an increase in China-focused alerting from CISA, CERT-UA, MI5, and the FBI.

With all this in mind, CTI is taking a proactive approach to what we believe to be a coming surge in cyberattacks (most likely in the form of supply-chain-style attacks and attacks on MSPs/ISPs/telecoms) originating from state-linked Chinese threat actors.”

3. Rise in Qakbot malware attacks traced to evolving threat techniques

Recent reporting from Zscaler’s Threatlabz security research team details a significant uptick in the spread of Qakbot (aka QBot) malware over the past six months, which the researchers attribute to new attack techniques and upgrades made to the malware.

QBot has remained a prevalent threat for the past 14 years, displaying an uncommon degree of longevity against the background of a constantly shifting cyber-threat landscape in which malware families and threat actors with less staying power appear, disappear, and rebrand on a regular basis.

The threat posed by QBot is largely due to its modular nature, as well as the malware’s ability to steal information and deploy next-stage payloads – which often take the form of ransomware; a result of QBot’s willingness to maintain lucrative partnerships with some of the landscape’s most notorious extortion gangs.

Analyst comments from Tanium’s Cyber Threat Intelligence Team

“The fact that QBot has survived for over a decade and is apparently stronger than ever (as evidenced by its evolving TTPs, continuous code development, and blossoming partnerships with some of the threat landscape’s most dangerous ransomware operations) speaks for itself. This is a malware operation that has been considered a significant threat from its very beginning, and should be treated as such. It is very likely that many of the ransomware groups we’ve come to know and fear would not be half as impactful if it weren’t for its reliance upon ‘precursor’ malware like QBot or any of the other top-tier malware families that make rapid ransomware infections of entire domains possible – in some cases, encrypting systems domain-wide within a matter of hours.”

Further reading: Protecting the IT attack surface eBook

All businesses today are at risk from dangerous and evolving cyber threats. CIOs need the tools, processes, and personnel to keep sensitive data out of the hands of cybercriminals. But how do you protect the IT attack surface while pushing forward with digital transformation? Find out the answers in our complimentary eBook.


Check out our recent security recaps

July 12: Growing China threat, Brute Ratel C4, and NPM software supply chain attack

July 7: Updates on Chinese APTs, DragonForce Malaysia, and Linux-targeting malware

Tanium CTI

Tanium's Cyber Threat Intelligence (CTI) analysts process and extract trends from the daily cyber landscape to curate and deliver current intel to stakeholders around threats impacting business and security.