The world of ransomware and cyber extortion continues to change dramatically. On the one hand, new ransomware variants and data leak sites are popping up like mushrooms; on the other, threat groups disappear into the shadows, leaving their mark on the world only to fade away. Beneath all that change, however, the goal remains the same: to make as much money as possible.
Recent developments in the threat landscape suggest this goal can be accomplished without encryption at all, by focusing on the more significant moneymaker: data. Data, in this case, could mean anything from standard PII to intellectual property, financial data, and other sensitive information, and every organization has some. The following blog covers the extortionist threat group Marketo and dives deeper into the world of simple extortion.
What is simple extortion?
To properly set the scene, it’s important to clarify some terms. For this blog, simple extortion refers to extortion that relies only on the threat of data loss to demand a ransom payment. This tactic differs from that of the more traditional ransomware actor, who has historically emphasized data encryption.
The world that existed before the introduction of double-extortion (combining data encryption and data loss) focused on how impactful it was to lose access to critical systems or files. This has continued to evolve over the years and has taken many forms from ransomware at the individual level to where we are today, with big game hunting taking center stage, as we’ve recently seen with Kaseya and previous incidents earlier this year.
For this blog, the focus is placed on the threat of extortion without needing data encryption, which properly sets the stage for Marketo.
What is Marketo?
Not to be confused with the popular and legitimate marketing software Marketo, this Marketo was established in April 2021 and is emphatically focused on the sale of compromised data. An associated Twitter profile (@Mannus Gott) introduced the marketplace as an “informational marketplace” in a post on 16 Apr 2021. The post makes the group’s intentions clear: “We are not ransomware and we do not hack
How does Marketo operate?
The marketplace itself operates in a similar fashion to other data leak sites, with some unique features. Interestingly, the group includes an “Attacking” section naming organizations that are in the process of being attacked. The marketplace allows for user registration and provides a contact section for victim and press inquiries. Victims are provided a link to a separate chat to conduct negotiations.
Within the individual posts, Marketo provides a summary of the organization, screenshots of seemingly compromised data, and a link to an “evidence pack” otherwise known as a proof. They auction sensitive data in the form of a silent auction through a blind bidding system where users make bids based on what they think the data is worth. As you would suspect, the data then goes to the highest bidder. The post includes a running “Bids counter” likely as a way to increase bidding amounts and show the attention a post is getting.
A recent addition to the marketplace is a partner section that names multiple data and consumer protection agencies, including the Consumer Financial Protection Bureau, the Financial Crimes Enforcement Network, and the Securities and Exchange Commission, to name a few.
How does Marketo incentivize victims to pay up?
For data extortion to be effective, there has to be enough pressure on the victim to pay the ransom. Marketo increases pressure on their victims in a couple of interesting ways.
- Marketo has been observed sending samples of compromised data to the competitors, clients, and partners of their victims.
- Marketo publicly shames organizations that have not contacted the group, stating that the organization does not care about data security.
- Marketo will share subsets of data with victims as a way to prove the validity of their claims.
- Marketo publishes data incrementally until all information is public.
Who does Marketo target?
Victims of Marketo appear to be fairly widespread from an industry perspective but mirror the general trend of targeting US-based organizations. At the time of writing, the Marketo group has listed 34 organizations on its affiliated data leak site in the span of three months. They have remained consistently active, with at least one organization being named each week over their period of operation.
Victims have primarily fallen within the Industrial Goods & Services, Healthcare, and Technology sectors. This includes targeting a US police department, dental care organizations, and the most recent targeting of an organization said to own and operate one of the largest petroleum systems in the Northeast.
Marketo vs. the Dark Overlord
It wouldn’t be fair to write about extortion without mentioning one of the more prolific extortionist groups, The Dark Overlord (TDO). TDO was a notorious extortion group operating from June 2016 to 2018. TDO primarily focused on targeting healthcare providers by obtaining sensitive personal health information (PHI) and threatening to publish unless paid.
The group would expand to impact media organizations committing some of the more significant spoiler violations of the century by leaking unaired episodes of popular television series. Other notable TDO extortion attempts include targeting American schools and a law firm purportedly harboring information relevant to the September 11 terrorist attacks.
Like Marketo, TDO also used social media profiles to publicly announce an attack and increase pressure on victims to pay or see their data published.
Simple Extortion vs. Ransomware
Comparing traditional ransomware operations to simple extortion groups, like Marketo, indicates some of the potential pros of this business model and may indicate a possible shift in the threat landscape.
- Ransomware requires significant technical resources to thwart advances in cybersecurity. Ransomware teams need developers to create and operationalize malware to ensure it achieves the goal of encryption. Additionally, developers must account for all the telemetry evidence that needs to be obfuscated to protect their ransomware operation. There is no need for malware development in simple extortion models, especially when sensitive data is all too often stored improperly or is behind a simple password.
- The rise of ransomware-as-a-service (RaaS) introduced affiliates responsible for carrying out ransomware attacks. Often these models see a percentage split for any ransom payments. There is no need for an affiliate in a simple extortion model as threat actors responsible for obtaining the data can publicly release it how they see fit.
- Ransomware has proven to be relatively destructive, as seen through the lens of the Colonial Pipeline incident. The business interruption from the DarkSide incident caused widespread panic, resulting in everyday citizens across the eastern US seaboard rushing to gas pumps, fearing the worst. Data extortion models will not cause any operational interruptions per se and can still take advantage of organizations that provide critical services without causing a Colonial-level panic.
Less attention from law enforcement (LE)
- Ransomware continues to garner much of the media attention and will likely continue to do so. As a result, ransomware affiliates are on the hot seat from a law enforcement perspective. The US Department of Justice (DOJ) elevating ransomware to the same priority as terrorist acts signifies this shift. Additionally, recent arrests of affiliates belonging to ransomware groups, including Cl0p and Egregor, demonstrate the LE community’s current attention on ransomware. Simple extortion models are by definition not ransomware and, as a result, are not at this moment at the top of the most wanted list from a LE perspective.
- The move to a double-extortion model in late 2019 by the Maze ransomware group was like a fire that quickly spread, and within a few months most ransomware groups had an affiliated data-leak site (DLS). If data extortion had not proven an effective tactic for incentivizing a payment, it wouldn’t have been adopted by the ransomware scene in the way it was. Arguably, the threat of data loss might be a more effective negotiating piece, seeing as many organizations already address the threat of data encryption by storing backups offline. As a result, organizations are willing to pay for their data regardless of whether they also have to deal with data encryption.
- Evidence of data extortion profitability can be found without looking too far back into history. From January to April 2021, the operators of the Cl0p ransomware group were able to extort multiple organizations as a result of a third-party compromise of the Accellion File Transfer Application. Evidence would show that Cl0p was able to extort victims for tens of millions of dollars, which resulted in a significant increase in the average ransom payment.
Concluding thoughts on Marketo
The return to simple extortion is likely one that will be here to stay and potentially grow, given the recent prominence of Marketo as well as lessons learned from Cl0p’s activities. This potential shift in the threat landscape should be a call to action to proactively identify exposed documents and ensure proper data storage. This is a daunting task for any organization: it means identifying where assets are exposed and what the entire attack surface might look like.
Extortion scenarios and table-top exercises need to incorporate situations outside of traditional ransomware. Business continuity plans and other incident response scenarios around data loss need to be documented, updated, and exercised periodically to ensure they actually work. Finally, organizations need to understand where the “crown jewels” are so that, in the event of a compromise or even through daily operations, they can better understand what the potential risk is and how it might affect the enterprise if the jewels are stolen.
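The recommendation above to identify exposed documents and locate the crown jewels is, in practice, a data discovery exercise. The script below is an added example and is not code from Digital Shadows or from the post; it walks a directory tree, flags files whose contents match common PII patterns (US SSN-like numbers, Luhn-valid payment card numbers, e-mail addresses), and records whether each flagged file is world-readable, so that sensitive data sitting behind weak or absent access controls surfaces first. The sample directory, file names, and contents are constructed for the demonstration, and the patterns are deliberately simple: a production discovery pass would use a fuller pattern set and also inspect shares, buckets, and databases.

```python
"""
Added example (not from the original post): a minimal sensitive-data
discovery pass of the kind the "identify exposed documents" advice calls for.
All paths, file contents and patterns below are constructed for the demo.
"""
from __future__ import annotations

import os
import re
import stat
import tempfile
from dataclasses import dataclass

# Deliberately simple detectors; tune or extend for a real environment.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")      # 13-19 digits, optional separators
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; filters digit runs (order ids, timestamps) that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


@dataclass
class Finding:
    path: str            # path relative to the scanned root, forward slashes
    ssn_hits: int
    card_hits: int
    email_hits: int
    world_readable: bool  # S_IROTH set: any local account can read the file

    @property
    def sensitive(self) -> bool:
        return bool(self.ssn_hits or self.card_hits or self.email_hits)

    @property
    def priority(self) -> bool:
        """Sensitive content plus weak permissions: the first thing to fix."""
        return self.sensitive and self.world_readable


def classify_text(text: str) -> tuple[int, int, int]:
    """Count SSN-like, Luhn-valid card-like, and e-mail matches in a text blob."""
    ssn = len(SSN_RE.findall(text))
    cards = 0
    for match in CARD_RE.findall(text):
        digits = re.sub(r"\D", "", match)
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            cards += 1
    emails = len(EMAIL_RE.findall(text))
    return ssn, cards, emails


def scan_tree(root: str, max_bytes: int = 1_000_000) -> list[Finding]:
    """Return a Finding for every file under root that contains sensitive-looking data."""
    findings: list[Finding] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.stat(path)
                with open(path, "rb") as fh:
                    raw = fh.read(max_bytes)   # cap reads so huge files do not stall the scan
            except OSError:
                continue
            ssn, cards, emails = classify_text(raw.decode("utf-8", errors="ignore"))
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            finding = Finding(rel, ssn, cards, emails, bool(st.st_mode & stat.S_IROTH))
            if finding.sensitive:
                findings.append(finding)
    return findings


def build_demo_tree() -> str:
    """Constructed sample data for the demo; returns the temporary root directory."""
    root = tempfile.mkdtemp(prefix="discovery_demo_")
    samples = {
        "hr/payroll_export.csv": "name,ssn,email\nA. Example,123-45-6789,a.example@example.com\n",
        "finance/refunds.txt": "refund to card 4111 1111 1111 1111 approved\n",  # Luhn-valid test number
        "ops/orders.log": "order 1234567890123456 shipped\n",                   # 16 digits, not Luhn-valid
        "README.txt": "nothing sensitive here\n",
    }
    for rel, content in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    os.chmod(os.path.join(root, "hr", "payroll_export.csv"), 0o644)  # world-readable
    os.chmod(os.path.join(root, "finance", "refunds.txt"), 0o600)    # owner-only
    return root


if __name__ == "__main__":
    demo_root = build_demo_tree()
    for f in sorted(scan_tree(demo_root), key=lambda x: not x.priority):
        flag = "PRIORITY" if f.priority else "review"
        print(f"{flag:8} {f.path}: ssn={f.ssn_hits} card={f.card_hits} email={f.email_hits} "
              f"world_readable={f.world_readable}")
```

Run as a script it prints the two flagged files, with the world-readable payroll export listed first; the order log with a non-Luhn digit run and the README produce no findings. Keying the output on relative path and permission bits makes it straightforward to feed into an asset inventory or a tabletop scenario that asks "what would Marketo have found here?"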
Digital Shadows proactively monitors breach sites such as Marketo while also catching the chatter on dark web forums and marketplaces. We can help you understand the context of some of these attacks and adversaries because we’ve been watching them. If you’re also curious about who these groups are and how they’re working today, you can check out Searchlight for seven days to see if it works for you or contact us for a demo of our capabilities.