UPDATED 19:35 EDT / JULY 11 2022

SECURITY

Ransomware gangs offer ability to search stolen data

In an evolution of ransomware and data extortion, gangs are reportedly now offering the ability to search stolen data in an effort to pressure victims into paying ransom demands.

Bleeping Computer reported today that the ALPHV/BlackCat ransomware gang was the first to offer the feature, announcing that they have created a searchable database with leaks from nonpaying victims. The hackers said that their stolen data had been fully indexed and that the search feature included support for finding information by filename or by content available in documents and images.

The BlackCat ransomware gang claims it is offering the search service to make it easier for cybercriminals to find passwords or other confidential information.

Following BlackCat’s lead, the infamous LockBit ransomware gang — currently in its third incarnation — has launched a similar search function, though apparently one less advanced than BlackCat’s. LockBit’s dark web portal allows visitors only to find victims by name.

A third leak site, run by the Karakurt data extortion gang, is also now offering a similar feature. However, it was not working when tested.

Allowing stolen data to be searched and accessed by cybercriminals and victims alike is an interesting step forward in this business. Stolen data published after a ransom had not been paid was always available from the groups.

However, accessing the data typically required downloading a massive file that then had to be searched on a local computer. With built-in search, even laypeople looking to see whether they were exposed in the leak can now search the data as easily as doing a Google search.

“Ransomware continues to evolve at a breakneck pace, often taking pages from successful legitimate business practices, such as ‘as-a-service’ offerings, profit sharing, and tech support, and this is just another example of its maturity,” Erich Kron, security awareness advocate at security awareness training company KnowBe4 Inc., told SiliconANGLE. “The ability to structure and easily search for information makes it easier for other cybercriminals to use the stolen data to initiate other attacks, especially social engineering attacks such as email phishing.”

Kron added that bad actors involved in email phishing could also make great use of the information found in many data dumps. “This in turn could push victim organizations to pay, rather than simply hoping that the information will be lost in the obscurity of the attacker’s website,” he said.

Photo: U.S. Air Force
