LeakedData, emerging in December 2024, is the operational front of the Silent Ransom Group, a Conti ransomware offshoot that shifted from ransomware encryption to targeted data extortion using social engineering and legitimate remote management tools. The group primarily targets U.S.-based law firms, insurance providers, and financial services companies to maximize extortion leverage by threatening data leaks. #SilentRansomGroup #LeakedData #ContiRansomware
Key Points
- LeakedData is a rebranded identity of the Silent Ransom Group (SRG), a post-Conti ransomware extortion group active since mid-2022.
- SRG uses “callback phishing” tactics, tricking victims into installing legitimate remote management tools to gain system access without malware.
- The group targets data-sensitive U.S. organizations, especially law firms, insurance, accounting, and financial services, to exploit reputational and regulatory risks.
- SRG operates a minimalistic data leak site that publishes victim data after countdown timers, pressuring victims to pay ransoms.
- They create fake IT support-themed domains to phish credentials and sustain tailored phishing campaigns with convincing spoofed emails.
- Mitigation includes monitoring suspicious domains, restricting network and remote access, enforcing MFA, and targeted phishing awareness training.
- SOCRadar provides threat intelligence, dark web monitoring, and vulnerability management to help defend against SRG’s evolving tactics.
MITRE Techniques
- [T1566.001] Phishing: Spearphishing via service – SRG uses tailored emails impersonating brands like Duolingo to lure victims into callback phishing (‘…the group sends emails impersonating brands like Duolingo or Masterclass, claiming a suspicious charge and urging the recipient to call a support number.’).
- [T1204.002] User Execution: Malicious File – Victims are socially engineered to install legitimate remote management software (‘…victims were instructed to install legitimate remote management tools via a link sent by email.’).
- [T1071.001] Application Layer Protocol: Web Protocols – SRG exfiltrates data to private servers hosted on providers like Hostwinds (‘…exfiltrate sensitive files, often to private servers hosted on providers like Hostwinds.’).
- [T1036] Masquerading – The group registers fake helpdesk-themed domains to impersonate IT support portals (‘…create fake helpdesk-themed domains to impersonate corporate IT support portals.’).
- [T1036.005] Masquerading: Match Legitimate Name or Location – Domains mimic internal IT support with names like “company-helpdesk.com” (‘…domains follow recognizable naming conventions such as combining a target’s name with “help” or “helpdesk”.’).
- [T1083] File and Directory Discovery – Lateral movement and data theft after gaining access via remote tools (‘…gain deeper access to systems, allowing the attackers to move laterally, exfiltrate sensitive data, and ultimately extort the victim organization.’).
Indicators of Compromise
- [Domains] Fake IT support and helpdesk-themed domains – examples include “company.name-helpdesk.com” registered mainly via GoDaddy and using domaincontrol[.]com nameservers.
- [Email Templates] Callback phishing emails impersonating brands like Duolingo and Masterclass to lure victims into calling attackers.
- [Remote Management Tools] Legitimate software used for access: Zoho Assist, AnyDesk, WinSCP (used for data exfiltration over SFTP).
- [Hosting Providers] Data exfiltration and victim data hosting on private servers such as Hostwinds.
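As an added example (not part of the SOCRadar profile), the naming convention described above, a target's name combined with “help” or “helpdesk”, turned into a screen that can be run over newly observed domains from a certificate-transparency or passive-DNS feed. The org token “acme”, the allowlist and the sample domains are constructed for illustration.

```python
import re

# Helpdesk-themed tokens the profile says SRG combines with a target's name;
# most specific first so "helpdesk" is reported rather than "help".
HELPDESK_TOKENS = ("helpdesk", "itsupport", "help", "support")

def _squash(text: str) -> str:
    """Lower-case and keep only letters and digits ("Acme.Corp-IT" -> "acmecorpit")."""
    return re.sub(r"[^a-z0-9]", "", text.lower())

def _name_part(domain: str) -> str:
    """Hostname minus its final label (TLD), squashed. Simplification for the
    example: production code should strip the public suffix (e.g. co.uk) instead."""
    labels = domain.strip(".").split(".")
    return _squash("".join(labels[:-1] or labels))

def find_helpdesk_lookalikes(domains, org_tokens, allowlist=frozenset()):
    """Return (domain, org_token, helpdesk_token) for each domain whose name combines
    one of our org tokens with a helpdesk token, skipping our own zones (an exact
    allowlist entry or any subdomain of one)."""
    findings = []
    for raw in domains:
        domain = raw.lower().strip(".")
        if domain in allowlist or any(domain.endswith("." + a) for a in allowlist):
            continue
        name = _name_part(domain)
        for org in org_tokens:
            org_norm = _squash(org)
            if org_norm and org_norm in name:
                # Drop the org token first so "help" is not matched inside the org name itself.
                remainder = name.replace(org_norm, "", 1)
                hit = next((t for t in HELPDESK_TOKENS if t in remainder), None)
                if hit:
                    findings.append((domain, org, hit))
                break
    return findings

# Constructed sample input: newly observed domains from a CT-log or passive-DNS feed.
SAMPLE_DOMAINS = [
    "acme-helpdesk.com",       # org + helpdesk token
    "acme.corp-helpdesk.com",  # the profile's "company.name-helpdesk.com" shape
    "acmecorp-itsupport.net",
    "helpdesk.acme.com",       # our own zone, covered by the allowlist
    "acme.com",
    "example-helpdesk.com",    # helpdesk token but not our org
    "acme-billing.com",        # our org but no helpdesk token
]
ORG_TOKENS = ("acme",)
ALLOWLIST = frozenset({"acme.com"})
```

Without the allowlist the organisation's own helpdesk.acme.com would be flagged, so the legitimate zones must be fed in alongside the org token. The GoDaddy/domaincontrol[.]com nameserver observation is far too common to alert on by itself and is better used to corroborate a naming hit.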
Read more: https://socradar.io/dark-web-profile-silent-ransom-group-leakeddata/