The world of ransomware and cyber extortion continues to change dramatically. On the one hand, new ransomware variants and data leak sites are popping up like mushrooms; on the other, threat groups disappear into the shadows, leaving their mark on the world only to fade away. However, even on the surface, the goal remains the same: to make as much money as possible.
Recent developments in the threat landscape suggest this goal can be accomplished without encryption at all, by focusing on the more significant moneymaker: data. Data, in this case, could mean everything from standard PII to intellectual property, to even financial data and other sensitive information, and every organization has it. The following blog covers the extortionist threat group Marketo and dives deeper into the world of simple extortion.
To properly set the scene, it’s important to clarify some terms. For this blog, simple extortion refers to extortion which only uses the threat of data loss to demand a ransom payment. This tactic differs from the more traditional ransomware actor who has historically emphasized data encryption.
The world that existed before the introduction of double extortion (combining data encryption and data loss) focused on how impactful it was to lose access to critical systems or files. This has continued to evolve over the years and has taken many forms, from ransomware aimed at individuals to where we are today, with big game hunting taking center stage, as we’ve recently seen with Kaseya and other incidents earlier this year.
For this blog, the focus is placed on the threat of extortion without needing data encryption, which properly sets the stage for Marketo.
Not to be confused with the popular and legitimate marketing software Marketo, this Marketo was established in April 2021 and is emphatically focused on the sale of compromised data. An associated Twitter profile (@Mannus Gott) introduced the marketplace as an “informational marketplace” in a post on 16 Apr 2021. The post states the Marketo group’s intentions by clearly stating, “We are not ransomware and we do not hack
The marketplace itself operates in a similar fashion to other data leak sites, with some unique features. Interestingly, the group includes an “Attacking” section naming organizations that are in the process of being attacked. The marketplace allows for user registration and provides a contact section for victim and press inquiries. Victims are provided a link to a separate chat to conduct negotiations.
Within the individual posts, Marketo provides a summary of the organization, screenshots of seemingly compromised data, and a link to an “evidence pack,” otherwise known as a proof. The group auctions sensitive data through a silent auction with a blind bidding system, where users make bids based on what they think the data is worth. As you would suspect, the data then goes to the highest bidder. Each post includes a running “Bids counter,” likely as a way to increase bidding amounts and show the attention a post is getting.
A recent addition to the marketplace is a partner section that names multiple data and consumer protection agencies, including the Consumer Financial Protection Bureau, the Financial Crimes Enforcement Network, and the Securities and Exchange Commission, to name a few.
For data extortion to be effective, there has to be enough pressure on the victim to pay the ransom. Marketo increases pressure on their victims in a couple of interesting ways.
Victims of Marketo appear to be fairly widespread from an industry perspective but mirror the general trend of targeting US-based organizations. At the time of writing, the Marketo group has listed 34 organizations on its affiliated data leak site in the span of three months. The group has remained consistently active, with at least one organization being named each week over its period of operation.
Victims have primarily fallen within the Industrial Goods & Services, Healthcare, and Technology sectors. This includes targeting a US police department, dental care organizations, and the most recent targeting of an organization said to own and operate one of the largest petroleum systems in the Northeast.
It wouldn’t be fair to write about extortion without mentioning one of the more prolific extortionist groups, The Dark Overlord (TDO). TDO was a notorious extortion group operating from June 2016 to 2018. TDO primarily focused on targeting healthcare providers by obtaining sensitive personal health information (PHI) and threatening to publish unless paid.
The group would expand to impact media organizations committing some of the more significant spoiler violations of the century by leaking unaired episodes of popular television series. Other notable TDO extortion attempts include targeting American schools and a law firm purportedly harboring information relevant to the September 11 terrorist attacks.
Like Marketo, TDO also used social media profiles to publicly announce an attack and increase pressure on victims to pay or see their data published.
Comparing traditional ransomware operations to simple extortion groups, like Marketo, indicates some of the potential pros of this business model and may indicate a possible shift in the threat landscape.
The return to simple extortion is likely here to stay and may grow, given the recent prominence of Marketo as well as lessons learned from Cl0p’s activities. This potential shift in the threat landscape should be a call to action to proactively identify exposed documents and ensure proper data storage. This is a daunting task for any organization: it means identifying where assets are exposed and what the entire attack surface might look like.
Extortion scenarios and table-top exercises need to incorporate situations outside of traditional ransomware. Business continuity plans and other incident response scenarios around data loss need to be documented, updated, and exercised periodically to ensure they actually work. Finally, organizations need to understand where their “crown jewels” are so that, in the event of a compromise or even through daily operations, they can better understand the potential risk and how it might affect the enterprise if those jewels are stolen.
Digital Shadows (now ReliaQuest) proactively monitors breach sites such as Marketo while also catching the chatter on dark web forums and marketplaces. We can help you understand the context of some of these attacks and adversaries because we’ve been watching them. If you’re also curious about who these groups are and how they’re working today, you can check out Search Light (now ReliaQuest GreyMatter Digital Risk Protection) for seven days to see if it works for you or contact us for a demo of our capabilities.