{"id":8933,"date":"2026-02-12T12:00:00","date_gmt":"2026-02-12T10:00:00","guid":{"rendered":"https:\/\/blog.eset.ee\/et\/?p=8933"},"modified":"2026-06-14T19:58:36","modified_gmt":"2026-06-14T16:58:36","slug":"naming-and-shaming-how-ransomware-groups-tighten-the-screws-on-victims","status":"publish","type":"post","link":"https:\/\/blog.eset.ee\/et\/en\/2026\/02\/12\/naming-and-shaming-how-ransomware-groups-tighten-the-screws-on-victims\/","title":{"rendered":"Naming and shaming: How ransomware groups tighten the screws on victims"},"content":{"rendered":"<p>In the realm of cybercrime, change is arguably the only constant. While <a href=\"https:\/\/www.welivesecurity.com\/2020\/09\/18\/five-cybercriminals-extortion-schemes\/\">cyber-extortion<\/a> as a broader category of crime has proved its staying power, ransomware \u2013 its arguably most damaging \u2018flavor\u2019 \u2013 doesn\u2019t live or die on encryption alone. The playbook of \u2018yore\u2019 largely involved locking files or systems and demanding payment for a decryption key, but in recent years campaigns switched to combining encryption with data exfiltration and threats to publish the stolen information.<\/p>\n<p>This is where dedicated leak sites, or data leak sites (DLSs), come in. First appearing in late 2019, DLSs have since become the backbone of the double extortion strategy. Threat actors steal corporate data (before encrypting it) and then weaponize the loot publicly, effectively turning a security incident into a full-blown public crisis.<\/p>\n<p>Security experts and law enforcement have, of course, been tracking this shift for years. The FBI and CISA now routinely describe ransomware as a \u201cdata theft and extortion\u201d problem. Public tracking projects such as <a href=\"https:\/\/www.ransomware.live\/stats\">Ransomware.live<\/a> point in the same direction, even if precise victim counts should be treated with caution. The leak sites reflect only what criminals choose to \u2018advertise\u2019, not the full universe of incidents.<\/p>\n<p>Let\u2019s examine the role of DLSs in the ransomware ecosystem and the implications for victim organizations.<\/p>\n<h2>How do ransomware groups use data leak sites?<\/h2>\n<p>Hosted on the dark web and accessible through the Tor network, the sites often publish a sample of stolen data and threaten victims with full public disclosure unless payment is made. Sometimes the material is published after the victim refused to cave in, thus further turning the screw on them. Information about the victims, the extent of stolen material and even deadlines that are meant to feel inexorable are all part of the strategy.<\/p>\n<figure><img decoding=\"async\" alt=\"Figure 1\" height=\"\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2026\/02-26\/figure-1.png\" title=\"Figure 1. Number of publicly reported victims on data leak sites, collected via ecrime.ch (source: ESET Threat Report H2 2025)\" width=\"\"><figcaption><em>Figure 1. Number of publicly reported victims on data leak sites, collected via ecrime.ch (source: <a href=\"https:\/\/web-assets.esetstatic.com\/wls\/en\/papers\/threat-reports\/eset-threat-report-h22025.pdf#page=21\">ESET Threat Report H2 2025<\/a>)<\/em><\/figcaption><\/figure>\n<p>What makes the strategy devastating is speed and amplification. Once the incident is in the open, multiple risks are collapsed into a single, highly visible moment and the victim organization operates under a cloud of suspicion and uncertainty \u2013 often even before its IT and security staff have a full picture of what was stolen or how far the intrusion spread. And that is, of course, the point \u2013 data leak sites are a coercion tool.<\/p>\n<p>This is also why they\u2019re carefully curated. Attackers often publish just enough material to show that they are not bluffing: a handful of contracts or a tranche of emails. More is coming unless the victim caves in.<\/p>\n<p>Indeed, the damage rarely stops with the initial victim. The data, once dumped or resold, becomes fuel for follow-on crime, and security teams see it reappear in <a href=\"https:\/\/www.welivesecurity.com\/en\/scams\/spotting-phish-many-faces\/\">phishing kits<\/a>, <a href=\"https:\/\/www.welivesecurity.com\/2022\/04\/26\/trouble-bec-how-stop-costliest-scam\/\">business email compromise<\/a> (BEC) campaigns, and <a href=\"https:\/\/www.welivesecurity.com\/en\/cybersecurity\/ai-driven-identify-fraud-havoc\/\">identity fraud schemes<\/a>. In supply-chain incidents, one breach can ripple outward, exposing the victim\u2019s customers and partners. This cascading effect is partly why authorities treat ransomware as a systemic risk, rather than a series of isolated mishaps.<\/p>\n<figure><img decoding=\"async\" alt=\"Figure 2. Typical LockBit leak site\" height=\"\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2026\/02-26\/figure-2.png\" title=\"Figure 2. Typical LockBit leak site (source: ESET Research)\" width=\"\"><figcaption><em>Figure 2. Typical LockBit leak site (source: <a href=\"https:\/\/www.welivesecurity.com\/en\/eset-research\/cosmicbeetle-steps-up-probation-period-ransomhub\/\">ESET Research<\/a>)<\/em><\/figcaption><\/figure>\n<figure><img decoding=\"async\" alt=\"Figure 3. Data leak site of the Medusa ransomware\" height=\"\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2026\/02-26\/figure-3.jpg\" title=\"Figure 3. Data leak site of the Medusa ransomware\" width=\"\"><figcaption><em>Figure 3. Data leak site of the Medusa ransomware<\/em><\/figcaption><\/figure>\n<h2>Pressure by design<\/h2>\n<p>Every element of a leak site is designed to maximize psychological pressure.<\/p>\n<ul>\n<li><strong>Proof of unauthorized access<\/strong>. The gangs post sample documents, such as contracts and internal emails, to demonstrate that the intrusion was real and the threat is credible.<\/li>\n<li><strong>Urgency<\/strong>: Timers and countdowns instill the feeling that time is running out as decisions made under time pressure are more likely to favor the party that controls the clock.<\/li>\n<li><strong>Public exposure<\/strong>: Even if the stolen data is never released publicly, the mere association with a breach triggers reputational harm that can take years to repair.<\/li>\n<li><strong>Regulatory risk<\/strong>: Under frameworks like GDPR, HIPAA, and an expanding patchwork of state-level privacy laws in the US, a confirmed breach involving personal data can trigger mandatory disclosures, investigations, and fines..<\/li>\n<\/ul>\n<figure><img decoding=\"async\" alt=\"Figure 4. World Leaks data leak site\" height=\"\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2026\/02-26\/figure-4.jpg\" title=\"Figure 4. World Leaks data leak site\" width=\"\"><figcaption><em>Figure 4. World Leaks data leak site<\/em><\/figcaption><\/figure>\n<h2>Beyond extortion<\/h2>\n<p>Some ransomware-as-a-service (RaaS) operators have expanded what leak sites do. LockBit, before its infrastructure was seized by law enforcement in early 2024, ran a bug bounty program on its leak site, offering payments to anyone who found vulnerabilities in their code.<\/p>\n<p>Others post \u2018gigs\u2019 for corporate insiders, offering payment to employees willing to provide login credentials or weaken security controls. Still other sites double as onboarding platforms for the next wave of attackers as attackers advertise \u2018affiliate programs\u2019, explaining the revenue split and how to apply.<\/p>\n<figure><img decoding=\"async\" alt=\"Figure 5. Bug Bounty program announced by LockBit in 2022\" height=\"\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2026\/02-26\/figure-5.jpg\" title=\"Figure 5. Bug Bounty program announced by LockBit in 2022 (source: Analyst1)\" width=\"\"><figcaption><em>Figure 5. Bug Bounty program announced by LockBit in 2022 (source: <a href=\"https:\/\/analyst1.com\/ransomware-diaries-volume-1\/\">Analyst1<\/a>)<\/em><\/figcaption><\/figure>\n<h2>Zooming out<\/h2>\n<p>Data leak sites work because they hit companies\u2019 weak spots that go beyond technology. A potential data leak triggers multiple risks at once: reputational damage, lost trust among customers and partners, financial hits, regulatory sanctions, and litigation.<\/p>\n<p>As ransomware gangs also sell the stolen information, they feed markets for stolen data and enable follow-on attacks. Some groups have even been spotted skipping encryption entirely and instead \u2018only\u2019 grab data and threaten to publish it.<\/p>\n<p>The victims, meanwhile, have to make decisions without enough time to think about the consequences. The people whose personal information is caught up in the incident face a long tail of cleanup, possible account takeovers and <a href=\"https:\/\/www.welivesecurity.com\/en\/cybersecurity\/ai-driven-identify-fraud-havoc\/\">identity fraud<\/a>.<\/p>\n<figure><img decoding=\"async\" alt=\"Figure 6. Ransomware detection trend in H1 2025 and H2 2025\" height=\"\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2026\/02-26\/figure-6.png\" title=\"Figure 6. Ransomware detection trend in H1 2025 and H2 2025, seven-day moving average (source: ESET Threat Report H2 2025)\" width=\"\"><figcaption><em>Figure 6. Ransomware detection trend in H1 2025 and H2 2025, seven-day moving average (source: <a href=\"https:\/\/web-assets.esetstatic.com\/wls\/en\/papers\/threat-reports\/eset-threat-report-h22025.pdf#page=34\">ESET Threat Report H2 2025<\/a>)<\/em><\/figcaption><\/figure>\n<p>Against that backdrop, paying up might look like the (relatively) easy way out or the least bad option. It is neither. Payment doesn\u2019t guarantee file or system recovery, nor does it guarantee that the data stays private. Many organizations that paid up were hit again within months. And every payment helps fund the next attack.<\/p>\n<p>For organizations, the ransomware threat demands comprehensive defensive measures, which include:<\/p>\n<ul>\n<li>Deploying advanced security solutions with EDR\/XDR\/<a href=\"https:\/\/www.welivesecurity.com\/en\/business-security\/preventing-business-disruption-building-cyber-resilience-mdr\/\">MDR capabilities<\/a>. Among other things, they monitor anomalous behavior, such as unauthorized process execution and suspicious lateral movement, to stop the threat in its tracks. Indeed, the products are a thorn in criminals\u2018 sides, who increasingly deploy <a href=\"https:\/\/www.welivesecurity.com\/en\/eset-research\/shifting-sands-ransomhub-edrkillshifter\/\">EDR killers<\/a> in an attempt to terminate or crash security products, typically by abusing vulnerable drivers.<\/li>\n<li>Restricting lateral movement through well-defined, stringent access controls. <a href=\"https:\/\/www.welivesecurity.com\/2021\/07\/23\/protecting-hybrid-workplace-zero-trust-security\/\">Zero-Trust principles<\/a> enhance a company\u2019s security posture by eliminating default trust assumptions for any entity. Threat actors often <a href=\"https:\/\/www.welivesecurity.com\/en\/business-security\/cybercriminals-hacking-systems-logging-in\/\">exploit compromised login credentials<\/a> and remote desktop protocol access to manually navigate networks.<\/li>\n<li>Keep all your software up-to-date. <a href=\"https:\/\/www.welivesecurity.com\/en\/cybersecurity\/patch-perish-organizations-vulnerability-management\/\">Known vulnerabilities<\/a> are one of the primary entry vectors for ransomware actors.<\/li>\n<li>Maintaining backups stored in isolated, air-gapped environments that ransomware cannot access or modify. Ransomware\u2019s primary objective is to locate and encrypt sensitive data. Worse, even when victims pay ransoms, flawed decryption processes can result in permanent data loss, not to mention other possible ramifications of paying the ransom. Resilient backups and <a href=\"https:\/\/www.welivesecurity.com\/en\/business-security\/resilience-face-ransomware-key-business-survival\/\">ransomware remediation capabilities<\/a> go a long way towards mitigating damage from the threat.<\/li>\n<li>Human vigilance, further refined by well-designed <a href=\"https:\/\/www.welivesecurity.com\/en\/business-security\/making-it-stick-get-most-cybersecurity-training\/\">security awareness training<\/a>, also represents a highly effective defensive barrier. An employee who can spot a malicious email early on removes one of ransomware actors\u2019 favorite entry points, and that alone can markedly cut the risk of an attack victimizing your entire organization.<\/li>\n<\/ul>\n<p>The ransomware evolution continues unabated as the ransomware-as-a-service (RaaS) model continues to attract a wide criminal user base and grants numerous threats longevity and adaptability. As long as criminals can reliably turn stolen data into a public spectacle, they will keep doing it and ransomware will remain a money machine.<\/p>\n<p class=\"wls-source\"><a href=\"https:\/\/www.welivesecurity.com\/en\/ransomware\/naming-shaming-ransomware-groups-tighten-screws-victims\/\" rel=\"nofollow noopener\" target=\"_blank\">Read the full analysis on WeLiveSecurity \u2192<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>When corporate data is exposed on a dedicated leak site, the consequences linger long after the attack fades from the news cycle<\/p>\n","protected":false},"author":5,"featured_media":8934,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[147],"tags":[],"class_list":["post-8933","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybercrime"],"acf":[],"amp_enabled":true,"_links":{"self":[{"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/posts\/8933","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/users\/5"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/comments?post=8933"}],"version-history":[{"count":1,"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/posts\/8933\/revisions"}],"predecessor-version":[{"id":9666,"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/posts\/8933\/revisions\/9666"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/media\/8934"}],"wp:attachment":[{"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/media?parent=8933"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/categories?post=8933"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/tags?post=8933"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}