Ransomware actors are thriving at the moment: there is barely a day that goes by without the announcement of a new victim. These actors have landed on a business model of double-extortion that works emphatically. In Q2 2021 alone, there were 740 different victims named on dark web leak sites. 

Given that so much of this activity occurs on the ransomware actors’ dark web leak sites, threat intelligence providers can offer organizations essential visibility. The use of threat intelligence, however, goes far beyond access to dark web sources. 

This blog outlines three areas that Digital Shadows (now ReliaQuest) focuses on: detecting exposed data, tracking threats, and reducing attacker opportunities.

Detecting Exposed Data on Dark Web Leak Sites

Since the tactic of double-extortion first emerged, we have reported on almost 3,000 victims listed on ransomware dump sites. Despite ransomware bans on criminal forums, this tactic continues to thrive. When the heat gets too much for certain variants? No problem, simply rebrand and relaunch with a new name. (If you want to dive into more detail around this trend, I would encourage you to watch Photon’s recent webinar on this very topic.)

First and foremost, therefore, threat intelligence providers can detect this exposed data. Some of this data can be highly commercially sensitive, so security teams need to understand their own business’s exposure. While we hope this does not happen to our customers, unfortunately, we have reported instances of our clients becoming victims on these dark web leak sites. 

This visibility extends to an organization’s third-party risk program, too. When a supplier exposes your data, you will want to know about it. Although you may expect third parties to have disclosed this already, that is, unfortunately, not always the reality.

In this way, threat intelligence provides crucial visibility that helps you mitigate the impact of exposed data and informs your third-party risk efforts.

Understanding the Ransomware Threat Landscape

New groups emerge and disappear every month, so it’s essential to keep up with the latest activity. Tracking ransomware victims helps you understand the activity of different actors and identify trends in the targeting of specific sectors or geographies.

[Image: Ransomware Tippers within the SearchLight (now ReliaQuest’s GreyMatter Digital Risk Protection) Portal]

When a high-profile incident occurs, our users need to create reports for upper management quickly. SearchLight’s malware profiles (you can see an example below) provide an easy way to get this insight. These profiles include detailed insights, trend data, target sectors, target geographies, related intelligence, associated MITRE ATT&CK techniques, and indicators of compromise.

[Image: An Example of a Malware Profile]

[Image: Researching MITRE ATT&CK Techniques Tied to Ransomware Variants]

Reducing Attacker Opportunities

Finally, it’s important to learn from the threat landscape in order to proactively reduce attacker opportunities. Quite simply, threat intelligence should drive operations.

First, we know that actors have re-used credentials to gain access to networks and deploy ransomware. This was most recently reported with the LockBit malware that targeted Bangkok Airways after having stolen credentials from a previous breach. Detecting exposed credentials, therefore, can go some way to reducing attacker opportunities. 

Second, we also know that ransomware actors rely heavily on access to RDP and VPN instances (alongside other techniques) to deploy their malware. It therefore makes sense to monitor where such access is traded online, so that you can investigate appropriately.

[Image: Tracking Initial Access Broker Listings]

Third, attackers also rely on exploitable vulnerabilities to achieve their goals. Threat intelligence providers that also offer attack surface monitoring can provide visibility into such vulnerabilities on your external attack surface, together with intelligence on trending vulnerabilities, so that you can prioritize patching accordingly.

[Image: Detecting Exploitable Vulnerabilities]
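To make the three monitoring use cases above concrete (a supplier named on a leak site, an exposed credential that is reused across breaches, and an initial access broker listing that matches your profile or names one of your hosts), here is a small triage routine. It is an added example written for this post, not SearchLight or Digital Shadows code; the watchlist, the feed items and the three record shapes (`leak_post`, `credential`, `access_listing`) are all constructed for illustration and stand in for however a real intelligence feed normalises its items.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Hypothetical organisation watchlist (constructed for this example; not real data).
WATCHLIST = {
    "own_domains": {"example-corp.com"},
    "supplier_domains": {"acme-logistics.example"},
    "external_hosts": {"vpn.example-corp.com", "rdp-gw.example-corp.com"},
    "sector": "airline",
    "country": "thailand",
}

# Constructed feed items: a leak-site post, credential records, and access listings.
FEED = [
    {"kind": "leak_post", "group": "ExampleLocker", "victim": "Acme Logistics",
     "victim_domain": "acme-logistics.example"},
    {"kind": "credential", "source": "breach-A", "email": "j.doe@example-corp.com",
     "password_sha256": "a1" * 32},
    {"kind": "credential", "source": "breach-B", "email": "j.doe@example-corp.com",
     "password_sha256": "a1" * 32},
    {"kind": "credential", "source": "breach-A", "email": "someone@unrelated.example",
     "password_sha256": "b2" * 32},
    {"kind": "access_listing", "hosts": [],
     "text": "Selling RDP access, airline company, Thailand, revenue $300M"},
    {"kind": "access_listing", "hosts": ["rdp-gw.example-corp.com"],
     "text": "VPN creds for sale"},
    {"kind": "access_listing", "hosts": [], "text": "Citrix access, EU retail chain"},
]


@dataclass(frozen=True)
class Finding:
    priority: str   # "high", "medium" or "low"
    reason: str
    item_index: int  # position of the triggering item in the feed


ACCESS_RE = re.compile(r"\b(rdp|vpn|citrix)\b", re.IGNORECASE)


def email_domain(email):
    return email.rsplit("@", 1)[-1].lower()


def triage(feed, watchlist):
    """Return findings sorted by priority, then by feed order."""
    findings = []
    # (email, password hash) -> breach sources it appeared in, to spot reuse.
    seen = defaultdict(set)
    for i, item in enumerate(feed):
        kind = item["kind"]
        if kind == "leak_post":
            domain = item["victim_domain"].lower()
            if domain in watchlist["own_domains"]:
                findings.append(Finding("high", f"own organisation named on {item['group']} leak site", i))
            elif domain in watchlist["supplier_domains"]:
                findings.append(Finding("high", f"supplier {item['victim']} named on {item['group']} leak site", i))
        elif kind == "credential":
            domain = email_domain(item["email"])
            if domain in watchlist["own_domains"] or domain in watchlist["supplier_domains"]:
                key = (item["email"].lower(), item["password_sha256"])
                seen[key].add(item["source"])
                if len(seen[key]) > 1:
                    # The same password surfaced in more than one breach: reuse, the pattern
                    # behind credential-stuffing access, so it outranks a single exposure.
                    findings.append(Finding("high", f"password for {item['email']} reused across breaches {sorted(seen[key])}", i))
                else:
                    findings.append(Finding("medium", f"exposed credential for {item['email']} in {item['source']}", i))
        elif kind == "access_listing":
            hit_hosts = {h.lower() for h in item.get("hosts", [])} & watchlist["external_hosts"]
            text = item["text"].lower()
            access = ACCESS_RE.search(item["text"])
            if hit_hosts:
                findings.append(Finding("high", f"access listing names monitored host(s) {sorted(hit_hosts)}", i))
            elif access and watchlist["sector"] in text and watchlist["country"] in text:
                # No hostname, but the advertised victim profile matches ours: worth a look.
                findings.append(Finding("medium", f"{access.group(1).upper()} access listing matching sector/country profile", i))
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(findings, key=lambda f: (order[f.priority], f.item_index))


if __name__ == "__main__":
    for f in triage(FEED, WATCHLIST):
        print(f"[{f.priority}] item {f.item_index}: {f.reason}")
```

The credential branch only tracks addresses on your own or supplier domains, so unrelated records in a large dump cost nothing; the access-listing branch deliberately treats a hostname match as stronger evidence than a sector-and-country match, since brokers routinely describe victims only by industry, region and revenue.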

Get Started with SearchLight

Hopefully, it’s clear that threat intelligence providers can offer a myriad of ways to protect against ransomware and that it’s about far more than monitoring dark web leak sites. 

If you would like a tailored, more detailed briefing on how SearchLight helps, please reach out to our team. Alternatively, you can view all of our profiles and intelligence tippers free for seven days by registering for Test Drive.