Ransomware Affiliates are Re-Extorting Victims

Ransomware affiliates are innovating their extortion tactics to maximize profits by re-extorting victims who have previously conceded to ransom demands. This disturbing evolution in the ransomware threat landscape was detailed in SentinelOne's latest analysis. The report highlights the shift toward re-monetizing stolen data even after ransoms have been paid, often facilitated through collaborations with third parties or external data leak services. This trend extends beyond mere profit maximization, often arising in situations of financial conflict within the ransomware economy itself.

One specific example involves Change Healthcare, where an affiliate of the ALPHV (aka BlackCat) ransomware group initially compromised the organization's systems in February 2024. After ALPHV allegedly failed to honor the ransom split, the affiliate repurposed the stolen data through a partnership with a new entity called RansomHub, leading to a second extortion attempt. This scenario illustrates a troubling paradigm where victims could face multiple ransom demands for the same breach. "Since threat actors will hold onto exfiltrated data, the likelihood of that data being used to re-extort the victims is high and will continue to grow," the SentinelOne researchers explain. Additionally, the abrupt disruption of ALPHV ransomware operations has driven affiliates to partner with RansomHub in an effort to regain profitability.

This practice of re-extortion is compounded by the emergence of specialized platforms like Dispossessor and Rabbit Hole Data Leak Site (DLS). These platforms facilitate the resale and rebroadcast of stolen data, highlighting the increasingly organized and commercialized nature of ransomware operations. Dispossessor exploits previously compromised data by republishing it across multiple forums and markets, such as BreachForums and XSS. This not only allows for potential double-dipping on ransom payments but also increases the exposure and risk for the victims' data.

Rabbit Hole serves as an accessible platform for smaller cybercriminal teams that lack their own infrastructure. Described as a blog, it allows these groups to publish and manage leaks of victim data, thus putting additional pressure on corporations to comply with ransom demands. The platform enables the organization and dissemination of stolen data through a web portal where threat actors can manage their leaks and enhance their visibility to potential buyers or further extortion targets. The decentralization of data extortion facilitated by Rabbit Hole makes it easier for numerous lesser-known actors to participate in the monetization of stolen data.

Both platforms signify a shift toward a sustained exploitation model in cybercrime, where data is not just stolen and ransomed once but is continually leveraged to extract value. This method of operation complicates the response for affected organizations and indicates a trend where data once stolen remains a perpetual threat due to its potential re-use in various extortion schemes. SentinelOne's report underscores the ongoing risk and highlights that data theft and ransomware are no longer just about immediate financial gain but are part of a broader strategy to exploit corporate data repeatedly.