2.4.1.1 Ransomware and Symmetric Encryption

We previously discussed how early ransomware strains used symmetric encryption to deny victims access to their data. Symmetric cryptography relies on a single key to perform and reverse a function. For example, when encrypting data, the same key is used to encrypt as well as decrypt. This is very convenient for hard drive encryption, as a master key can be built into a hardware chip on a computer (such as on the Trusted Platform Module, or TPM chip). Symmetric key encryption can also be used to lock up files before they are stored in a data repository, such as a backup tape or cloud file share.

The benefit of symmetric key cryptography is that it is very fast. However, the reliance on a single key introduces a major drawback—namely, that all parties need to be in possession of the key to use it.

In early ransomware strains that relied on symmetric keys, the secret key was distributed with the ransomware itself. The ransomware used it to encrypt all the files on the victim’s system. This created an obvious weakness: Because the symmetric key was present in the malware, and on the victim’s system, it was often possible for defenders to recover the key and decrypt the victim’s files without paying the adversary.

2.4.1.2 Ransomware and Asymmetric Encryption

Enter asymmetric (“public key”) cryptography, which relies on a pair of keys. These keys are generated at the same time and perform complementary functions. For example, what one key encrypts, the other can decrypt.

The concept of asymmetric encryption is deceptively simple—and powerful. No longer did adversaries have to worry about victims unlocking their own files using a key that was distributed in the malware. In the simplest model, adversaries generated a pair of keys:

• The public key was distributed with the ransomware and used to encrypt the victim’s data.

• The private key was held by the adversary, and only released to the victim after payment was received.

The downside of asymmetric encryption is that it is not as fast as symmetric key encryption. Speed was very important for cyber extortionists, who needed to encrypt large data sets as quickly as possible, before they were discovered.

2.4.1.3 A Hybrid Model Emerges

Today’s ransomware strains leverage the best of both worlds, by combining both symmetric and asymmetric key encryption. Here is a typical model:

• Ransomware is distributed with the adversary’s public key (or even multiple public keys, in the case of modern affiliate models; see Section 2.9.4.1).

• When a victim’s computer is infected, the ransomware automatically generates a unique symmetric key, which is used to encrypt data quickly. Some ransomware strains generate a unique key for each computer, or for individual file shares, or based on any segmenting model of the adversary’s choice.

• The symmetric key is then encrypted using the adversary’s public key (or keys) and stored locally in a file known as a “keybag.”

• After payment is made, the criminal releases a decryption utility (known as a “decryptor”) that contains the appropriate private key. The decryptor is designed to use the private key to unlock the keybag and decrypt the victim’s files.

In this manner, today’s adversaries leverage the speed of symmetric encryption, along with the security of asymmetric encryption. There are many variations on this model, but the general concept of a hybrid encryption model for file-encrypting ransomware has become widespread.

2.4.1.4 Digital Signing and Verification

Encryption alone couldn’t enable adversaries to launch extortion attacks on the massive, global scale that we see today. Fast and anonymous payment methods and communications systems were also critically important. It turned out that both of these could be achieved using asymmetric cryptography, too.

Recall that asymmetric cryptography relies on a pair of keys that perform complementary functions. For example, what one key signs, the other key can verify. How does this work?¹²

12. “Security Tip (ST04-018): Understanding Digital Signatures,” Cybersecurity & Infrastructure Security Agency, revised August 24, 2020, https://us-cert.cisa.gov/ncas/tips/ST04-018.

• The sender uses a hash function to convert a message to a short, fixed-length chunk of data (“hash”).

• The sender uses their private key to encrypt the hash, using a digital signing algorithm.

• The encrypted hash is appended to the message (which is now “digitally signed”) and the whole package is sent to the recipient.

• To verify the digital signature, the recipient (or anyone with access to the message) uses the sender’s public key, along with the digital verification algorithm, to decrypt the encrypted hash.

• The recipient also generates their own hash of the message and compares it to the decrypted hash. If the values match, then it confirms that the public key is correct and the message has not been modified since it was signed.

This process is fundamental to cryptocurrency and the dark web, as we will see in the following sections.

2.4.2.1 The Birth of Bitcoin

Cryptocurrency changed all that. On October 31, 2008, a cryptographer who went by the pseudonym “Satoshi Nakamoto” posted a groundbreaking new paper to a popular cryptography mailing list. “I’ve been working on a new electronic cash system that’s fully peer-to-peer, with no trusted third party,” they wrote. With that, Bitcoin—the world’s first cryptocurrency—was born.¹³

13. Satoshi Nakamoto, email to [email protected], October 31, 2008, retrieved from the inbox of Sherri Davidoff on October 11, 2021.

A Bitcoin is not a coin at all; it is a chain of digital signatures. Each person holds one or more public/private key pairs, which can be used to spend and receive Bitcoin. Transactions are tracked in a blockchain, a distributed ledger that anyone can download.

To send money, the current owner creates a new message indicating an amount of cryptocurrency and the new owner’s public key, and then signs this message using their private key. This message is broadcast to the Bitcoin network and attached to the blockchain.

To create new Bitcoin, miners (specialized software programs) work to solve a difficult mathematical puzzle. When a miner finds the correct answer, it submits it to the Bitcoin network for validation. If the answer is correct and has not previously been validated, the Bitcoin network creates a new block (a data entry on the blockchain) and the miner is rewarded with ownership of the newly minted Bitcoin, along with any transaction fees. Miners can also make money by validating transactions submitted by others, in which case they gain associated transaction fees.

2.4.2.2 Usage in Cyber Extortion

Once Bitcoin emerged, adversaries suddenly had the ability to receive fast, anonymous, nonreversible payments from victims. While there are many legitimate reasons to use cryptocurrency (privacy protections, political donations, etc.), it was undoubtedly the case that criminals were more willing than mainstream vendors to take risks on a new payment model.

Bitcoin is not backed by a commodity like gold or silver, but rather is a digital currency that is recognized as legal tender. No central authority manages digital currency; instead, the value is set by the market. As a result, the value of Bitcoin and other cryptocurrencies can swing wildly, which can create unexpected challenges for both victims and extortionists during the negotiation phase (see Section 8.5.3 for details).

Although Bitcoin has remained consistently popular among cyber extortionists, many adversaries accept and even prefer other cryptocurrencies. In particular, Monero has gained traction because it more difficult for law enforcement to trace, reducing risk for cybercriminals. See Section 8.2 for more details.

2.4.3.1 What Is Onion Routing and How Does It Work?

Onion routing is the technology that underlies darknets and the “dark web,” which are used by criminals, journalists, intelligence agencies, whistleblowers, and others to facilitate anonymous communications. The concept is simple: To maintain anonymity, network traffic is passed through a series of computers so that the ultimate source and destination addresses are unknown to any one system.

Upon launching onion routing software, a user’s computer establishes a circuit, which is simply the path that the user’s traffic will take through the Internet and back. The route that the data takes through the network is encrypted in layers using the public key of each computer in the circuit.¹⁴

14. Tor Project, https://2019.www.torproject.org/about/overview.html.en.

As data travels through the circuit, each computer uses its private key to decrypt the outer layer, which reveals the address of the next computer. The data is then passed along to that computer. The next computer in the circuit does the same thing, and so on, until the data reaches its destination. No computer in the circuit has the address of both the source and destination systems, thereby preserving anonymity.

2.4.3.2 The Dark Web

Onion routing is the technology that underlies the dark web, which in turn has led to a proliferation of dark e-commerce sites, criminal chat forums, data leak portals, and more.¹⁵ The “dark web” refers to a collection of web services accessible only using onion routing software.

15. Tor Project.

The dark web was popularized by The Onion Routing project, or TOR for short, which was developed during the early 2000s by scientists Paul Syverson, Roger Dingledine, and Nick Mathewson.¹⁶ TOR enables uses to offer “hidden services” such as websites, email, and chat rooms, by registering in the TOR network and obtaining a “hidden service descriptor”—that is, a 16- or 56-character domain name.¹⁷

16. Tor Project.

17. “Hidden Service Names,” https://gitlab.torproject.org/legacy/trac/-/wikis/doc/HiddenServiceNames.

Since its inception, the dark web has become a haven for the cybercriminal underworld. Prominent cyber extortion cartels like Conti, REvil, and many others rely on the dark web to collaborate, purchase access to victim networks, post stolen client data, negotiate ransom payments, and much more.

2.9.4.1 Evolving Technology

Cyber extortionists adapted their technology to suit the needs of their new “affiliates,” or franchisees. The automated portals used by GandCrab to streamline its operations became common among cyber extortion groups as a means of lowering the barriers to entry and supporting higher volumes of victims.

RaaS operators routinely touted their platforms’ features in ads on the dark web. For example, the Lockbit cartel provided a full list of features in its affiliate marketing materials highlighting the benefits of its software. A few of the unique features included:⁶⁴

64. Megan Roddie, “LockBit 2.0: Ransomware Attacks Surge After Successful Affiliate Recruitment,” Security Intelligence, September 9, 2021, https://securityintelligence.com/posts/lockbit-ransomware-attacks-surge-affiliate-recruitment/.

• TOR-based administrative control panels

• Anonymous chat rooms for victims, with push notifications alerting the operator when a new message arrived

• Automatic exploit detection

• Automatic log deletion

• Automatic file exfiltration tools

The operators took their profits as a percentage of the revenue their affiliates generated. This gave them incentive to compete for skilled affiliates by investing time and capital into improving their technology products.

2.9.4.2 Affiliate Recruitment Methods

The pioneering GandCrab group recruited affiliates mainly through underground forums and tightly controlled messaging.⁷³ By keeping their recruitment efforts confined to these exclusive audiences, the GandCrab group was at a much lower risk of accidentally interacting with law enforcement or unwanted media contacts. Their recruitment specified that they would not work with native English speakers, they would not attack Commonwealth of Independent States (CIS) countries, and applicants had to navigate an extensive interview process to join the organization.

73. Brian Krebs, “Who’s Behind the GandCrab Ransomware?,” Krebs on Security, July 8, 2019, https://krebsonsecurity.com/2019/07/whos-behind-the-gandcrab-ransomware/.

REvil, which is considered to be the successor to GandCrab, largely followed the same recruitment playbook, although the group took the extra step of depositing large amounts of Bitcoin in the forums they were advertising with as a sign that they could be trusted by potential affiliates.⁷⁴

74. Lawrence Abrams, “REvil Ransomware Deposits $1 Million in Hacker Recruitment Drive,” Bleeping Computer, September 28, 2020, www.bleepingcomputer.com/news/security/revil-ransomware-deposits-1-million-in-hacker-recruitment-drive/.

Despite the success of this strategy, the need for more affiliates led to increasingly public methods of attracting the attention of potential candidates. Lockbit 2.0, for example, published its affiliate program directly on its dark web extortion portal for all to see, even announcing proudly at the top of the page that “Lockbit 2.0 is an affiliate program.” Key benefits of using the Lockbit platform were advertised prominently on the post, including encryption speed comparisons, key ransomware features, and the availability of a custom “StealBit” data theft utility designed to exfiltrate files and upload them directly to the Lockbit blog.⁷⁵

75. “Ransomware Profile: LockBit,” Emsisoft, July 21, 2021, https://blog.emsisoft.com/en/38915/ransomware-profile-lockbit/.

2.9.4.3 Protections for Affiliates

Work as an affiliate is risky. To protect “affiliates,” many RaaS operations choose to deposit large amounts of cryptocurrency into third-party controlled accounts, ensuring that the affiliates will still get paid for their work even if something goes wrong with the primary operation. This level of security is designed to provide a sense of confidence in the ransomware group and boost its reputation among potential new affiliates.

In May 2021, this “shadow” court system ended up on full display when the Darkside ransomware group went dark without paying its affiliates.⁷⁶ At that point in time, a sum of roughly 22 Bitcoin (roughly $1 million at the time) that had been deposited by the Darkside group was under the control of moderators for the infamous XSS.is hacker forum. Affiliates began to submit claims that they had not been paid for their work.

76. Becky Bracken, “DarkSide Getting Taken to ‘Hackers’ Court’ for Not Paying Affiliates,” Threat Post, May 21, 2021, https://threatpost.com/darkside-hackers-court-paying-affiliates/166393/.

What made this a truly unique event was the revelation that a “hacker court” existed on these underground forums for the purpose of resolving disputes exactly like this one. Affiliates would submit their claims of work, and an adjudicator from the forums moderator group would review the “evidence” and either award or deny the claim. In some cases, moderators even went as far as using the term “defendant” to describe the defunct Darkside group in their rulings.⁷⁷

77. Dan Goodin, “Hear Ye, DarkSide! This Honorable Ransomware Court Is Now in Session,” ARS Technica, May 22, 2021, https://arstechnica.com/gadgets/2021/05/darkside-ransomware-makers-accused-of-skipping-town-without-paying-affiliates/.

An underappreciated part of the story, which seemed to be pushed aside by the “hacker court” proceedings, was the revelation that underground forums like XSS.is had quietly created a full infrastructure that RaaS groups could leverage to market, recruit, and secure operations for their ransomware activities.⁷⁸

78. Kevin Lee and Austin Merritt, “Underground Markets: A Tour of the Dark Economy,” Threat Post (webinar), https://threatpost.com/webinars/underground-markets-a-tour-of-the-dark-economy/.

2.9.4.4 A Reputation to Uphold

In this franchising model, RaaS operators were at risk if an affiliate “went rogue”— attracting too much attention from law enforcement or simply giving out too much information to the press. The franchise model used by many large cyber extortion groups provided major benefits in regard to the overall scope of attacks, but also took a lot of the control over who was being attacked and how those attacks were being carried out away from the developers.

It was inevitable that this type of freedom would eventually result in a ransomware affiliate going too far with an attack, drawing the eyes of mainstream media, international law enforcement, and even other ransomware groups concerned about one affiliate destroying their collective ability to continue operating. A prime example of this exact type of overreach is the attack on Colonial Pipeline carried out by an affiliate of the Darkside group in May 2021.⁷⁹

79. Anthony M. Freed, “Inside the DarkSide Ransomware Attack on Colonial Pipeline,” Cybereason: Malicious Life, May 10, 2021, www.cybereason.com/blog/inside-the-darkside-ransomware-attack-on-colonial-pipeline.

Taking down a retail business or law firm is bad, but disrupting fuel supplies to the entire eastern seaboard of the United States is absolutely worse, and Darkside felt the heat pretty quickly. The unwanted attention to this organization for what some in the media called an “act of war”⁸⁰ prompted a quick response from Darkside:

80. Fox Business Staff, “Varney: Colonial Pipeline Attack Could Be “Act of War,” Fox Business, May 10, 2021, www.foxbusiness.com/politics/varney-colonial-pipeline-attack-shutdown-economy.

We are apolitical, we do not participate in geopolitics, do not need to tie us with a defined government and look for other motives.. Our goal is to make money, not create problems for society. From today we introduce moderation and check each company that our partners want to encrypt to avoid social consequences in the future.⁸¹

81. From screenshot of Darkside site, taken by Derek Rowe, LMG Security, 2021.

Even other ransomware groups spoke out against the attacks and their severity, leading many groups to publicly announce that they would no longer attack critical infrastructure, oil pipelines, hospitals, or other high-profile targets that could put a bull’s eye on their backs.⁸²

82. Tonya Riley, “The Cybersecurity 202: Ransomware Groups Are Going Underground, Which Could Make Them Harder to Track,” The Washington Post, May 17, 2021, www.washingtonpost.com/politics/2021/05/17/cybersecurity-202-ransomware-groups-are-going-underground-which-could-make-them-harder-track/.

2.9.5.1 Social Media

Social media are often used by both adversaries and victims in their efforts to advance their public narrative. As an example, the City of Baltimore was the victim of a ransomware attack in 2019 when the “RobbinHood” ransomware group encrypted the city’s servers and effectively took the city offline.⁸⁵ When ransom negotiations broke down, the individuals behind the attack moved to social media—Twitter specifically—to announce to the world that Baltimore had been hacked and was suffering because of it.⁸⁶ The attackers took steps to ensure the conversation was noticed by tagging major news organizations and other media outlets in their post. The spat between Baltimore’s mayor and the attackers quickly became a national story.

85. Emily Sullivan, “Ransomware Cyberattacks Knock Baltimore's City Services Offline,” NPR, May 21, 2019, www.npr.org/2019/05/21/725118702/ransomware-cyberattacks-on-baltimore-put-city-services-offline.

86. “Baltimore Hackers Leak Data on Twitter After No Ransom Was Paid,” CISO Magazine, June 7, 2019, https://cisomag.com/baltimore-hackers-leak-data-on-twitter-after-no-ransom-was-paid/.

Twitter was also used as a point of communication by the victim, too. Baltimore’s mayor, Jack Young, used the platform to provide updates and distribute information about the attack as progress was made. Twitter also played a role when a New York Times article claimed that the infamous EternalBlue exploit, which was stolen from the National Security Agency (NSA) and leaked by The Shadow Brokers in 2017,⁸⁷ was used in the attack.⁸⁸ This was enough to prompt a rare public statement from U.S. government officials disputing the story.⁸⁹

87. Lily Hay Newman, “The Leaked NSA Spy Tool That Hacked the World,” Wired, March 7, 2018, www.wired.com/story/eternalblue-leaked-nsa-spy-tool-hacked-world/.

88. Nicole Perlroth and Scott Shane, “In Baltimore and Beyond, a Stolen N.S.A. Tool Wreaks Havoc,” The New York Times, May 25, 2019, www.nytimes.com/2019/05/25/us/nsa-hacking-tool-baltimore.html.

89. Shannon Vavra, “Ruppersberger: NSA Has No Evidence EternalBlue Was in Baltimore Attack,” Cyberscoop, May 31, 2019, www.cyberscoop.com/dutch-ruppersberger-nsa-eternalblue-robbinhood-baltimore/.

Twitter and other social media platforms have since developed and enforced policies to reduce the power that threat actors can wield via social media. In 2018, Twitter introduced a policy that prohibited posting of hacked materials.⁹⁰ The policy update caused a flurry of questions about how much control the platform would assert over the distribution of information on criminal activities. There was widespread concern over censorship and how legitimate media organizations might be impacted. Since then, Twitter and other social media platforms have continued to refine their policies, struggling to find a balance between protecting journalists and protecting privacy.

90. Catalin Cimpanu, “Twitter Bans Distribution of Hacked Materials Ahead of US Midterm Elections,” ZDNet, October 2, 2018, www.zdnet.com/article/twitter-bans-distribution-of-hacked-materials-ahead-of-us-midterm-elections/.

In the meantime, cyber extortionists adapted and found new avenues for developing relationships with the mainstream media.

2.9.5.2 Branded Data Leak Sites

Frequently banned from social media platforms, adversaries shifted to launching their own, branded web portals, which they used to “name and shame” victims. This tactic was popularized by the Maze group in late 2019 (as discussed in Section 2.8), and quickly copied by REvil, Conti, and other major ransomware players. Typically, these sites are hosted on the dark web, although in some cases (as with the Maze group) they are on the clear net.

The criminals’ public-facing websites evolved to include several common features:

• Branded home page: In some cases, these included eye-catching illustrations, such as the Cuba group’s colorful portrait of Fidel Castro and the Karakut gang’s whimsical cartoon of monkeys smoking and having tea. Other groups were more simplistic, such as REvil’s “Happy Blog,” which simply featured a listing of the group’s latest victims.

• Victim “name-and-shame” section: An area where victims are publicly listed and threatened.

• Auctions: Criminals often auction victim data off to the highest bidder if the victim does not pay. Typically, there is a starting bid and a time limit. If the data is not purchased, the criminals release a link to the world.

• News: Updates from the criminals (also referred to as “press releases”). This may include statements on major cases, such as the Darkside gang’s announcement in response to the Colonial Pipeline backlash.⁹¹

  91. Viewed in screenshot of the Darkside site, taken by Derek Rowe, LMG Security, 2021.

• “About” section: Information about the cyber extortionist gang (typically intended to be inspiring or flattering).

• Contact method: A contact form or chat feature enabling visitors to reach out to the cyber extortion cartel.

The tactic was so effective that data leak sites proliferated. REvil, the top ransomware strain at the time, spun up the “Happy Blog” for publishing and even auctioning off stolen data.⁹² New ransomware strains emerged with their own blogs, such as the Cuba strain (“This site contains information about companies that did not want to cooperate with us. Part of the information is for sale, part is freely available.”).⁹³ In early 2021, the NetWalker RaaS operators advertised that their software included “a fully automatic blog, into which the merged data of the victim goes, the data is published according to your settings.”⁹⁴

92. “REvil Hackers Continue to Wrack up High-Profile Targets with Ransomware Attacks,” Dark Owl, updated June 2, 2020, www.darkowl.com/blog-content/revil-hackers-continue-to-wrack-up-high-profile-targets-with-ransomware-attacks.

93. LMG Security case, February 2021.

94. Nathan Coppinger, “Netwalker Ransomware Guide: Everything You Need to Know,” Varonis, November 17, 2020, www.varonis.com/blog/netwalker-ransomware/.

2.9.5.3 Press Programs

Attention from the mainstream media made cyber extortion cartels more powerful. The Maze group recognized the power of the press early on, encouraging their victims to Google past victims’ names so that they could see the nasty headlines for themselves. Since the early days of TDO, cyber extortion gangs have been giving interviews with the press, leveraging the mainstream media like a megaphone to increase pressure on their victims and spread their viewpoints.

Extortionists may reach out directly to known journalists. For example, in one case that the authors of this book handled, the Cuba ransomware gang stole data from a financial firm. The adversary deliberately emailed a reporter, sharing information about the ransom demand, the new current price (after the victim decided not to pay the ransom), and a full file list of all stolen items.⁹⁵

95. LMG Security case, February 2021.

Today, journalists routinely follow data leak sites, dutifully posting articles when sensational leaks are announced.⁹⁶ (The Maze gang, like other groups, published a “press release” when announcing their retirement, another indicator of their growing engagement with mainstream media.⁹⁷)

96. Brian Krebs, “Ransomware Gangs Don’t Need PR Help,” Krebs on Security, July 1, 2020, https://krebsonsecurity.com/2020/07/ransomware-gangs-dont-need-pr-help/.

97. Pierluigi Paganini, “Maze Ransomware Gang Shuts down Operations, States Their Press Release,” Security Affairs, November 2, 2020, https://securityaffairs.co/wordpress/110318/cyber-crime/maze-ransomware-teminates-operations.html.

Once cyber extortion websites became popular, the cartels had a way to build a community and interact with the public. For example, the Darkside cartel had a “Press Center” where they encouraged journalists and recovery companies to register on their site, describing the following benefits:⁹⁸

98. Website of the DarkSide ransomware criminal gang, available on the dark web via Tor (since removed). From a screenshot obtained by LMG Security, June 2021.

Why do I need to register?

• You can ask questions and get information from the primary source.

• Notifying you of data breaches before posting. The ability to receive non-public information.

• Fast replies within 24 hours.

Recovery

Why do I need to register?

• Automatic receiving of decryptors after payment.

• Get an additional discount. The discount increases depending on the number of payments.

• Communication with the support in a personal chat.

To register, journalists or recovery organization staff were required to provide an email address. If the email domain was a generic hosting provider such as gmail.com, they would be required to prove their affiliation before their registration was approved.

2.9.5.4 Third-Party Exposure Extortion Services

The abundance of data being exfiltrated created a market for third-party data exposure services like the infamous Marketo⁹⁹ “leaked data marketplace,”^100,101 which provided cyber extortion groups with an easy way to host, market, and distribute data that had been stolen from a victim’s network. The operators behind marketplaces like Marketo did not actively hack anyone or distribute any malicious software, but provided a service to advertise stolen data.

99. Note that the cybercriminal enterprise Marketo is in no way affiliated with the legitimate Adobe Marketo software suite.

100. Photon Research Team, “Marketo: A Return to Simple Extortion,” Digital Shadows (blog), July 8, 2021, www.digitalshadows.com/blog-and-research/marketo-a-return-to-simple-extortion/.

101. Lawrence Abrams, “Data Leak Marketplaces Aim to Take over the Extortion Economy,” Bleeping Computer, May 7, 2021, www.bleepingcomputer.com/news/security/data-leak-marketplaces-aim-to-take-over-the-extortion-economy/.

These services go far beyond common dark net e-commerce markets. Marketo actively engages with victims, competitors, and the larger community.¹⁰² In Marketo’s manifest, the group explains that stolen data is always first offered to the victim themselves.¹⁰³ If the victim chooses not to pay, then Marketo threatens to notify “every company affiliate.” This includes competitors, who have received emails such as the following:

102. Dmitry Smilyanets, “‘Yes, We Are Breaking the Law:’ An Interview with the Operator of a Marketplace for Stolen Data,” The Record, September 17, 2021, https://therecord.media/yes-we-are-breaking-the-law-an-interview-with-the-operator-of-a-marketplace-for-stolen-data/.

103. Marketo.cloud, https://marketo.cloud/manifest.

Hello, we are Marketo and we know you have a competitor—[NAME REDACTED]. So we would like to inform you that we attacked them and downloaded quite a bit of data. We have confidential and personal data, info about their tax payments, clients and partners. That might be significantly lower than the NASDAQ price.¹⁰⁴

104. Lawrence Abrams, “Data Leak Marketplace Pressures Victims by Emailing Competitors,” Bleeping Computer, June 21, 2021, www.bleepingcomputer.com/news/security/data-leak-marketplace-pressures-victims-by-emailing-competitors/.

Marketo also advertises a list of “partners” that receive a weekly report of victims, along with supporting documentation. These include regulatory agencies such as the Federal Deposit Insurance Corporation (FDIC), Consumer Financial Protection Bureau (CFPB), Office of the Comptroller of the Currency (OCC), the Financial Crimes Enforcement Network, and media entities such as Bleeping Computer and SC Media. It is not clear whether these entities are voluntarily receiving these reports, or whether they act upon them.¹⁰⁵

105. Smilyanets, “‘Yes, We Are Breaking the Law’.”

By specializing in data leaks, centralized exposure extortion services such as Marketo can build strong relationships with the media, They can also invest in tools and templates, which can help their clients (the data thieves themselves) more effectively leverage their stolen goods.