Ransomware Evolution | How Cheated Affiliates Are Recycling Victim Data for Profit

Threat actors are re-extorting victims by monetizing stolen data through third-party leak services and new data-leak platforms, expanding beyond their original RaaS agreements. The post highlights cases around Change Healthcare, ALPHV, RansomHub, Dispossessor, and Rabbit Hole, and explains how leaked data is now spread across multiple channels to extract additional payments. #RaaS #RansomHub #ALPHV #ChangeHealthcare #Dispossessor #RabbitHole #LockBit #CL0P #UnitedHealthGroup

Key Points

  • Ransomware affiliates are re-monetizing stolen data outside of original RaaS agreements by partnering with third parties or external data-leak services to re-extort victims.
  • High-profile events include the ALPHV/BlackCat affiliate activity against Change Healthcare and the emergence of RansomHub and Dispossessor as third-party extortion platforms.
  • RansomHub operates as a ransomware-as-a-service (RaaS) platform, coordinating with affiliates across multiple ransomware families and using revolving Telegram groups to amplify leaks.
  • Dispossessor repackages data from multiple operations (e.g., CL0P, Hunters International, 8base) and acts as a data-aggregation/reposting hub, sometimes linking to Snatch.
  • Rabbit Hole DLS provides a lightweight, collaborative leak blog where small to mid-sized actors can publish and manage leaks via a “cabinet” system.
  • The evolving trust model of RaaS and affiliate networks is fragile, with multiple groups renegotiating payments and data being used for renewed extortion; law enforcement encourages not paying ransoms and reporting incidents.

MITRE Techniques

  • [T1041] Exfiltration – Data exfiltration and monetization through data leaks and third-party extortion. ‘Ransomware affiliates are actively re-monetizing stolen data outside of their original RaaS agreements’
  • [T1567.002] Exfiltration to Web Service – Leaks published on data-leak sites and public channels; ‘downstream amplification of these leaks is now common and generally open to all non-private Telegram or Discord groups’
  • [T1583] Acquire Infrastructure – ‘RansomHub operates as a ransomware-as-a-service (RaaS), partnering with affiliates that work with a variety of ransomware families’

Indicators of Compromise

  • [Domain] – Data-leak platforms and associated sites – disposessor.com, disposessor-cloud.com, and 2 more domains
  • [IP] – 205.209.102.218 – Public-facing infrastructure linked to Dispossessor activity
  • [Onion] – z5jixbfejdu5wtxd2baliu6hwzgcitlspnttr7c2eopl5ccfcjrhkqid.onion, ransomxifxwc5eteopdobynonjctkxxvap77yqifu2emfbecgbqdw6qd.onion, and h6tejafqdkdltppzj7q34enltmfnpxaf7cseslv6djgiukiii573xtid.onion
  • [Hash] – tox[:]CE742906B254399832E4ED6EC1DDA50D7942F9A4F3F0FE46C19E1737FF29EF67DDAF3AB87B44, tox[:]36712626ED19B307ECB3E971AFDFAA449607100383DBE4C064CCD5909355D908AECCF6180CDA
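A defender's first use for a list like this is to sweep existing DNS, proxy, mail and chat logs for the indicators. The following Python is an added example, not code from the SentinelOne post: it embeds only the indicators named above (the two unnamed domains referred to by "and 2 more domains" are not included), refangs the `tox[:]` notation, and matches hostnames (including subdomains of the listed domains), the IP, the .onion services and the two Tox IDs against a handful of constructed log lines. The log lines and their field layout are invented for the demonstration.

```python
import re
from typing import List, Optional, Tuple

# Indicators as listed on the page, refanged ("tox[:]" written as "tox:").
# The page also mentions "2 more domains" without naming them; those are not here.
IOC_DOMAINS = {"disposessor.com", "disposessor-cloud.com"}
IOC_IPS = {"205.209.102.218"}
IOC_ONIONS = {
    "z5jixbfejdu5wtxd2baliu6hwzgcitlspnttr7c2eopl5ccfcjrhkqid.onion",
    "ransomxifxwc5eteopdobynonjctkxxvap77yqifu2emfbecgbqdw6qd.onion",
    "h6tejafqdkdltppzj7q34enltmfnpxaf7cseslv6djgiukiii573xtid.onion",
}
IOC_TOX_IDS = {
    "CE742906B254399832E4ED6EC1DDA50D7942F9A4F3F0FE46C19E1737FF29EF67DDAF3AB87B44",
    "36712626ED19B307ECB3E971AFDFAA449607100383DBE4C064CCD5909355D908AECCF6180CDA",
}

# Token extractors: hostnames, dotted-quad IPv4 addresses, and 76-hex-char Tox IDs.
HOST_RE = re.compile(r"(?<![\w.-])([a-z0-9](?:[a-z0-9.-]*[a-z0-9])?\.[a-z]{2,})(?![\w-])", re.IGNORECASE)
IPV4_RE = re.compile(r"(?<![\d.])((?:\d{1,3}\.){3}\d{1,3})(?![\d.])")
TOX_RE = re.compile(r"(?<![0-9A-Fa-f])([0-9A-Fa-f]{76})(?![0-9A-Fa-f])")

# Constructed sample log lines (not real telemetry); the field layout is invented.
LOGS = [
    '2024-06-01T10:02:11Z dns client=10.0.5.21 query=cdn.disposessor-cloud.com type=A',
    '2024-06-01T10:02:12Z proxy src=10.0.5.21 dst=205.209.102.218:443 action=allow bytes=58213',
    '2024-06-01T10:03:40Z proxy src=10.0.5.22 dst=example.com:443 action=allow bytes=1200',
    '2024-06-01T10:05:02Z tor-exit-log url=http://ransomxifxwc5eteopdobynonjctkxxvap77yqifu2emfbecgbqdw6qd.onion/login',
    '2024-06-01T10:07:19Z mail subject="contact" body="reach us at tox[:]CE742906B254399832E4ED6EC1DDA50D7942F9A4F3F0FE46C19E1737FF29EF67DDAF3AB87B44"',
]


def refang(text: str) -> str:
    """Undo common defanging so observed values compare equal to the IoC list."""
    return text.replace("[.]", ".").replace("[:]", ":").replace("hxxp", "http")


def match_domain(host: str) -> Optional[str]:
    """Return the matching indicator if host is a listed onion, a listed domain, or a subdomain of one."""
    host = host.lower().rstrip(".")
    if host in IOC_ONIONS:
        return host
    for d in IOC_DOMAINS:
        if host == d or host.endswith("." + d):
            return d
    return None


def scan_line(line: str) -> List[Tuple[str, str, str]]:
    """Return (ioc_type, indicator, observed_value) for every indicator hit in one log line."""
    line = refang(line)
    hits: List[Tuple[str, str, str]] = []
    for m in HOST_RE.finditer(line):
        ioc = match_domain(m.group(1))
        if ioc:
            hits.append(("onion" if ioc.endswith(".onion") else "domain", ioc, m.group(1)))
    for m in IPV4_RE.finditer(line):
        if m.group(1) in IOC_IPS:
            hits.append(("ip", m.group(1), m.group(1)))
    for m in TOX_RE.finditer(line):
        tox = m.group(1).upper()
        if tox in IOC_TOX_IDS:
            hits.append(("tox_id", tox, m.group(1)))
    return hits


def scan_log(lines) -> List[Tuple[int, str, str, str]]:
    """Scan an iterable of log lines; return (line_number, ioc_type, indicator, observed) per hit."""
    results = []
    for n, line in enumerate(lines, 1):
        for ioc_type, ioc, observed in scan_line(line):
            results.append((n, ioc_type, ioc, observed))
    return results


if __name__ == "__main__":
    for n, ioc_type, ioc, observed in scan_log(LOGS):
        print(f"line {n}: {ioc_type} {ioc} (seen as {observed})")
```

Subdomain matching matters here because leak-site operators routinely stand up hosts under the registered domain; exact-string matching on `disposessor-cloud.com` alone would miss `cdn.disposessor-cloud.com`. The refang step exists because indicators are usually shared defanged, while the logs contain the live form.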

Read more: https://www.sentinelone.com/blog/ransomware-evolution-how-cheated-affiliates-are-recycling-victim-data-for-profit/