Solutions
Go Back

Make Security Possible

Reduce Alert Noise and False Positives

Boost your team's productivity by cutting down alert noise and false positives.

Automate Security Operations

Boost efficiency, reduce burnout, and better manage risk through automation.

Dark Web Monitoring

Online protection tuned to the need of your business.

Maximize Existing Security Investments

Improve efficiencies from existing investments in security tools.

Beyond MDR

Move your security operations beyond the limitations of MDR.

Secure with Microsoft 365 E5

Boost the power of Microsoft 365 E5 security.

Force-Multiply Your Security Operations

Whether you’re just starting your security journey, need to up your game, or you’re not happy with an existing service, we can help you to achieve your security goals.
Explore Our Solutions
Security Operations Platform
Go Back

The GreyMatter Platform

Detection Investigation Response

Modernize Detection, Investigation, Response with a Security Operations Platform.

Threat Hunting

Locate and eliminate lurking threats with ReliaQuest GreyMatter

Threat Intelligence

Find cyber threats that have evaded your defenses.

Model Index

Security metrics to manage and improve security operations.

Breach and Attack Simulation

GreyMatter Verify is ReliaQuest’s automated breach and attack simulation capability.

Digital Risk Protection

Continuous monitoring of open, deep, and dark web sources to identify threats.

Phishing Analyzer

GreyMatter Phishing Analyzer removes the abuse mailbox management by automating the DIR process for you.

Unify and Optimize Your Security Operations

ReliaQuest GreyMatter is a security operations platform built on an open XDR architecture and designed to help security teams increase visibility, reduce complexity, and manage risk across their security tools, including on-premises, clouds, networks, and endpoints.
Explore the GreyMatter Platform
Resources
Go Back

Resources

Blog

Company Blog

Case Studies

Brands of the world trust ReliaQuest to achieve their security goals.

Data Sheets

Learn how to achieve your security outcomes faster with ReliaQuest GreyMatter.

eBooks

The latest security trends and perspectives to help inform your security operations.

Industry Guides and Reports

The latest security research and industry reports.

Podcasts

Catch to the latest cybersecurity perspectives, tutorials and industry discussions with various guest speakers.

Solution Briefs

A deep dive on how ReliaQuest GreyMatter addresses security challenges.

Threat Advisories

The latest threat research report from ReliaQuest Photons research team.

Upcoming & On-Demand Webinars

Upcoming and on-demand webinars addressing the latest challenges and solutions security analysts must know.

White Papers

The latest white papers focused on security operations strategy, technology & insight.

Videos

Current and future SOC trends presented by our security experts.

ReliaQuest Resource
Center

From prevention techniques to emerging security trends, our comprehensive library can arm you with the tools you need to improve your security posture.
Resource Center
Company
Go Back

Company

About ReliaQuest

We bring our best attitude, energy and effort to everything we do, every day, to make security possible.

Executive Leadership

Security is a team sport.

Careers

Join our world-class team.

Press and Media Coverage

ReliaQuest newsroom covering the latest press release and media coverage.

Become a Channel Partner

When you partner with ReliaQuest, you help deliver world-class cybersecurity solutions.

Contact Us

How can we help you?

A Mindset Like No Other in the Industry

Many companies tout their cultures; at ReliaQuest, we share a mindset. We focus on four values every day to make security possible: being accountable, helpful, adaptable, and focused. These values drive development of our platform, relationships with our customers and partners, and further the ReliaQuest promise of security confidence across our customers and our own teams.
Search
Go Back

Generic selectors

Exact matches only

Exact matches only

Search in title

Search in title

Search in content

Search in content

Search in excerpt

Post Type Selectors
Hidden

Hidden

Hidden

Hidden

Back to blog

Marketo: A Return to Simple Extortion

admin 8 July 2021

Threat Intelligence

The world of ransomware and cyber extortion continues to change dramatically. On the one hand, new ransomware variants and data leak sites are popping up like mushrooms; on the other, threat groups disappear into the shadows, leaving their mark on the world only to fade away. However, even on the surface, the goal remains the same: to make as much money as possible.

Recent developments in the threat landscape suggest accomplishing this goal can be done without needing encryption and focusing on the more significant moneymaker: data. Data, in this case, could mean everything from standard PII to intellectual property, to even financial data and other sensitive information, and everyone has it. The following blog covers the extortionist threat group Marketo and dives deeper into the world of simple extortion.

What is simple extortion?

To properly set the scene, it’s important to clarify some terms. For this blog, simple extortion refers to extortion which only uses the threat of data loss to demand a ransom payment. This tactic differs from the more traditional ransomware actor who has historically emphasized data encryption.

The world that existed before the introduction of double-extortion (combining data encryption and data loss) focused on how impactful it was to lose access to critical systems or files. This has continued to evolve over the years and has taken many forms from ransomware at the individual level to where we are today, with big game hunting taking center stage, as we’ve recently seen with Kaseya and previous incidents earlier this year.

For this blog, the focus is placed on the threat of extortion without needing data encryption, which properly sets the stage for Marketo.

What is Marketo?

Background

Not to be confused with the popular and legitimate marketing software Marketo, this Marketo was established in April 2021 and is emphatically focused on the sale of compromised data. An associated Twitter profile (@Mannus Gott) introduced the marketplace as an “informational marketplace” in a post on 16 Apr 2021. The post states the Marketo group’s intentions by clearly stating, “We are not ransomware and we do not hack

How does Marketo operate?

The marketplace itself operates in a similar fashion to other data leak sites with some unique features. Interestingly the group includes an “Attacking” section naming organizations that are in the progress of being attacked. The marketplace allows for user registration and provides a contact section for victim and press inquiries. Victims are provided a link to a separate chat to conduct negotiations.

Within the individual posts, Marketo provides a summary of the organization, screenshots of seemingly compromised data, and a link to an “evidence pack” otherwise known as a proof. They auction sensitive data in the form of a silent auction through a blind bidding system where users make bids based on what they think the data is worth. As you would suspect, the data then goes to the highest bidder. The post includes a running “Bids counter” likely as a way to increase bidding amounts and show the attention a post is getting.

A recent addition to the marketplace includes a partner section that names multiple data and consumer protection agencies to include the Consumer Financial Protection Bureau, Financial Crimes Enforcement Network, and the Securities and Exchange Commission to name a few.

How does Marketo incentivize victims to pay up?

For data extortion to be effective, there has to be enough pressure on the victim to pay the ransom. Marketo increases pressure on their victims in a couple of interesting ways.

Marketo has been observed sending samples of compromised data to the competitors, clients, and partners of their victims.
Marketo publicly shames organizations that have not contacted the group stating the organization does not care about data security.
Marketo will share subsets of data with victims as a way to prove the validity of their claims.
Marketo publishes data incrementally until all information is public.

Who does Marketo target?

Victims of Marketo appear to be fairly widespread from both an industry perspective but mirror the general trend of targeting US-based organizations. At the time of writing, the Marketo group has listed 34 organizations to their affiliated data leak site in the span of three months. They have remained consistently active, with at least one organization being named each week over their period of operation.

Victims have primarily fallen within the Industrial Goods & Services, Healthcare, and Technology sectors. This includes targeting a US police department, dental care organizations, and the most recent targeting of an organization said to own and operate one of the largest petroleum systems in the Northeast.

Marketo vs. the Dark Overlord

It wouldn’t be fair to write about extortion without mentioning one of the more prolific extortionist groups, The Dark Overlord (TDO). TDO was a notorious extortion group operating from June 2016 to 2018. TDO primarily focused on targeting healthcare providers by obtaining sensitive personal health information (PHI) and threatening to publish unless paid.

The group would expand to impact media organizations committing some of the more significant spoiler violations of the century by leaking unaired episodes of popular television series. Other notable TDO extortion attempts include targeting American schools and a law firm purportedly harboring information relevant to the September 11 terrorist attacks.

Like Marketo, TDO also used social media profiles to publicly announce an attack and increase pressure on victims to pay or see their data published.

Simple Extortion vs. Ransomware

Comparing traditional ransomware operations to simple extortion groups, like Marketo, indicates some of the potential pros of this business model and may indicate a possible shift in the threat landscape.

Less resource-intensive

Ransomware requires significant technical resources to thwart advances in cybersecurity. Ransomware teams need developers to create and operationalize malware to ensure it achieves the goal of encryption. Additionally, developers must account for all the telemetry evidence that needs to be obfuscated to protect their ransomware operation. There is no need for malware development in simple extortion models, especially when sensitive data is all too often stored improperly or is behind a simple password.

The rise of ransomware-as-a-service (RaaS) introduced affiliates responsible for carrying out ransomware attacks. Often these models see a percentage split for any ransom payments. There is no need for an affiliate in a simple extortion model as threat actors responsible for obtaining the data can publicly release it how they see fit.

Less Destructive

Ransomware has proven to be relatively destructive from the lens of the Colonial Pipeline incident. The business interruption from the DarkSide incident caused widespread panic, resulting in everyday citizens across the eastern US seaboard rushing to gas pumps, fearing the worst. Data extortion models will not cause any operational interruptions per se and can still take advantage of organizations that provide critical services without causing a Colonial level panic attack.

Less attention from law enforcement (LE)

Ransomware continues to garner much of the media attention and will likely continue to do so. As a result, ransomware affiliates are on the hot seat from a law enforcement perspective. The US Department of Justice (DOJ) elevating ransomware to the same priority as terrorist acts signifies this shift. Additionally, recent arrests of affiliates belonging to ransomware groups, including Cl0p and Egregor, demonstrate the LE community’s current attention on ransomware. Simple extortion models are by definition not ransomware and, as a result, are not at this moment on the top of the most wanted list from a LE perspective.

Similar profitability

The move to a double-extortion model in late 2019 by the Maze ransomware group was like a fire that quickly spread, and within a few months, most ransomware groups had an affiliated data-leak site (DLS). If data extortion did not prove an effective tactic for incentivizing a payment, it wouldn’t have been adopted in the way it was by the ransomware scene. Arguably, the threat of data loss might be a more effective negotiating piece seeing as many organizations address the threat of data encryption and storing backups offline. As a result, organizations are willing to pay for their data regardless of they also have to deal with data encryption.

Evidence of data extortion profitability can be found without looking too far back into history. From January-April 2021, the operators of the Cl0p ransomware group were able to extort multiple organizations as a result of a third-party compromise of the Accellion File Transfer Application. Evidence would show that Cl0p was able to extort victims for tens of millions of dollars and resulted in a significant increase in average ransom payment.

Concluding thoughts on Marketo

The return to simple extortion is likely one that will be here to stay and potentially grow given the recent prominence of Marketo, as well as lessons learned from Cl0p’s activities. This potential shift in the threat landscape should be a call for action to identify exposed documents and ensure proper data storage proactively. A daunting task for any organization; this means identifying where assets are exposed and what the entire attack surface might look like.

Extortion scenarios and table-top exercises need to incorporate situations outside of traditional ransomware. Business continuity plans and other incident response scenarios around data loss need to be documented, updated, and put into practice occasionally to ensure they even work. Finally, organizations need to understand where the “crown jewels” are so that in the event of a compromise, or even through daily operations, they can better understand what the potential risk is and how it might affect the enterprise if the jewels are stolen.

Digital Shadows (now ReliaQuest) proactively monitors breach sites such as Marketo while also catching the chatter on dark web forums and marketplaces. We can help you understand the context of some of these attacks and adversaries because we’ve been watching them. If you’re also curious about who these groups are and how they’re working today, you can check out Searchlight for seven days to see if it works for you or contact us for a demo of our capabilities.