Threat Actors Attempting to Sell Data While Extorting Victims


Arete has observed a growing trend of threat actors attempting to monetize victim data beyond extorting the victims themselves. Threat actors, including “wonder” and “M0riarty,” took to BreachForums in an attempt to sell exfiltrated data while also increasing pressure on the victims to pay the ransom if the data is identified. Additionally, threat groups such as Meow ransomware have reformatted their data leak sites (DLS), focusing on selling exfiltrated data. This trend adds a layer of complication for victims navigating recent security incidents while offering threat actors another means of profiting from their cybercriminal enterprises.

What’s Notable and Unique

  • With a self-proclaimed 14 years of experience, threat actor “wonder” has been observed engaging in cyber extortion, initial access brokering, and reposting leaked data. Most recently, “wonder” pivoted to posting data they exfiltrated personally and offering initial access to other threat actors. Between June and August 2024, “wonder” posted at least 8 victims to BreachForums, claiming data exfiltration and attempting to sell the stolen data.
  • A newer threat actor operating under the moniker “M0riarty” claimed to have breached Interbank, a large Peruvian financial institution, in October 2024. In the post, the actor stated that they would be willing to sell the data should negotiations with the victim fall through. After the initial post, the threat actor received a large amount of interest in the data, even going as far as saying they were unable to keep up with the influx of direct messages they received.
  • Active since at least August 2022, Meow ransomware’s latest shift in extortion techniques captured the attention of security professionals. Rather than posting data for free on their DLS, they opted to allow individuals to purchase the data for set prices.
Figure 1. Image of Meow’s DLS with Prices to Purchase (source: Arete)

Analyst Comments

With the percentage of ransom payments trending downward, threat actors are getting creative with how they monetize their nefarious efforts. One tactic is leveraging additional resources to sell the data to the highest bidder rather than “placing all their eggs in one basket” by only extorting ransom payments from the victims. Along with this shift come increased ransom demands and more aggressive extortion techniques than observed in years past. This trend of selling or auctioning data will likely increase as victims become increasingly unwilling to pay the threat actors’ ransoms.

Sources

Arete CTI Team