Activists Publish a Vast Trove of Ransomware Victims' Data

By Andy Greenberg

For years, radical transparency-focused activists like WikiLeaks have blurred the line between whistle-blowing and hacking. Often, they've published any data they consider to be of public interest, no matter how questionable the source. But now one leak-focused group is mining a controversial new vein of secrets: the massive caches of data stolen by ransomware crews and dumped online when victims refuse to pay.

Today the transparency collective of data activists known as Distributed Denial of Secrets published a massive new set of data on its website, all collected from dark web sites where the information was originally leaked online by ransomware hackers. DDoSecrets has made available about 1 terabyte of that data, including more than 750,000 emails, photos, and documents from five companies. The group is also offering to privately share an additional 1.9 terabytes of data from more than a dozen other firms with selected journalists or academic researchers. In total, the giant data collection spans industries including pharmaceuticals, manufacturing, finance, software, retail, real estate, and oil and gas.

All of that data, along with terabytes more that DDoSecrets says it plans to offer in the coming weeks and months, is sourced from an increasingly common practice among cybercriminal ransomware operations. Beyond just encrypting victim machines and demanding a payment for the decryption keys, ransomware hackers now often steal vast collections of victim data and threaten to post it online unless their hacking targets pay. In many cases, the victims refuse that extortion, and the cybercriminals follow through on their threat. The result is dozens or even hundreds of terabytes of internal corporate data, spilled out onto dark web servers whose web addresses are passed around among hackers and security researchers.

DDoSecrets' cofounder Emma Best argues that the trail of dumped data that ransomware operations leave in their wake often contains information that deserves to be scrutinized and, in some cases, revealed to the public. "Ignoring valuable data that can inform the public about how industries operate isn't something we can afford to do," Best wrote in a text exchange with WIRED. Best, who uses the pronoun they, couldn't say in many cases exactly what secrets of potential public interest those massive data sets might contain, given that there's too much data for DDoSecrets to comb through on its own. But they argue that any evidence of corporate malfeasance that those documents might reveal, or even intellectual property that can serve the public good, should be considered fair game.

"Whether it's a pharmaceutical company or petroleum company, or a company with technical data and specs that can speed progress for an entire industry or make everyone safer by sharing research," Best says, "then we have a duty to make that available to researchers, journalists, and scholars so they can learn about how typically opaque industries (many of which control significant aspects of our lives and the future of the planet) operate."

For those combatting the growing global epidemic of ransomware attacks, however, exploiting data leakage left behind by cybercriminal hackers carries new ethical questions. Allan Liska, an analyst and researcher for security firm Recorded Future, says he's seen firsthand the devastating effects of ransomware attacks on businesses large and small, and he argues that amplifying the leaks from ransomware groups only encourages them to threaten those leaks against more victims. "I personally think it's wrong," Liska says. "Even if you think your intentions are good, I think you're taking advantage of somebody who had a crime committed against them."

Best counters that DDoSecrets isn’t publishing any data that wasn’t already made public by those hackers. “All of the data are things ransomware hackers have already released,” they say. “We’re not receiving anything directly from them or working with them in any way. We’re taking data that journalists are unable or are afraid to access and making it available.” Best adds that in the majority of cases, DDoSecrets won’t publish the data themselves but instead will share most of the leaks privately with journalists and researchers. In those cases, they’ll ask that those who publish the data redact anything that is overly sensitive—such as personally identifying information—and doesn’t have public interest value. But the group doesn’t rule out publishing that sensitive information themselves if they do see a public interest value in it, and it plans to offer the same discretion to publish to the journalists and academics it shares data with.