{
	"id": "350de85c-b397-45e8-ac3c-18a5453b19b3",
	"created_at": "2026-04-06T00:22:02.945812Z",
	"updated_at": "2026-04-10T03:29:39.81395Z",
	"deleted_at": null,
	"sha1_hash": "20baf490bcac32036585fda02e82e70a312212dd",
	"title": "Ransomware gang now lets you search their stolen data",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3338491,
	"plain_text": "Ransomware gang now lets you search their stolen data\r\nBy Ionut Ilascu\r\nPublished: 2022-07-11 · Archived: 2026-04-05 20:02:23 UTC\r\nTwo ransomware gangs and a data extortion group have adopted a new strategy to force victim companies to pay threat\r\nactors to not leak stolen data.\r\nThe new tactic consists in adding a search function on the leak site to make it easier to find victims or even specific details.\r\nAt least two ransomware operations and a data extortion gang have adopted the strategy recently and more threat actors are\r\nlikely to do the same.\r\nhttps://www.bleepingcomputer.com/news/security/ransomware-gang-now-lets-you-search-their-stolen-data/\r\nPage 1 of 6\n\n0:00\r\nhttps://www.bleepingcomputer.com/news/security/ransomware-gang-now-lets-you-search-their-stolen-data/\r\nPage 2 of 6\n\nVisit Advertiser websiteGO TO PAGE\r\nEasy finding victim data\r\nLast week, the ALPHV/BlackCat ransomware operation announced that they created a searchable database with leaks from\r\nnon-paying victims.\r\nThe hackers made it clear that the repositories have been indexed and the search works when looking for information by\r\nfilename or by content available in documents and images.\r\nThe results are pulled from the “Collections” part of BlackCat’s leak site and may not have the best accuracy but it is still an\r\nevolution of the cybercriminal’s extortion strategy.\r\nSearch option on ALPHV ransomware leak site\r\nSource: BleepingComputer\r\nBlackCat ransomware operators claim that they do this to make it easier for other cybercriminals to find passwords or\r\nconfidential information about companies.\r\nThe gang already tried this strategy in mid-June, when they created a searchable site with data allegedly stolen in an attack\r\nat a hotel and spa in Oregon.\r\nThe site allowed guests at the spa locations and employees to check if their personal information had been stolen during the\r\nransomware attack.\r\nhttps://www.bleepingcomputer.com/news/security/ransomware-gang-now-lets-you-search-their-stolen-data/\r\nPage 3 of 6\n\nVictim's search data leak site\r\nSource: BleepingComputer\r\nThis is a step forward in the extortion business as it puts pressure on the victim to pay the ransom and have the data removed\r\nfrom the web and avoid the potential risk of class action lawsuits.\r\nTowards the end of last week, BleepingComputer noticed that LockBit offered a redesigned version of their data leak site\r\nthat allowed searching for listed victim companies.\r\nLockBit added instant search option on data leak site\r\nSource: BleepingComputer\r\nLockBit’s search is not as advanced as the variant touted by BlackCat, and it is limited to only finding victims by name.\r\nHowever, even in this basic form, the gang’s implementation of the search function still makes it easier to locate on their\r\nleak site data from specific companies.\r\nAnother leak site that has implemented a search function is the one published by the Karakurt data extortion gang.\r\nBleepingComputer’s attempts to use the option showed that it did not work properly, though.\r\nhttps://www.bleepingcomputer.com/news/security/ransomware-gang-now-lets-you-search-their-stolen-data/\r\nPage 4 of 6\n\nSearch bar on Karakurt data extortion gang's site\r\nSource: BleepingComputer\r\nData extortionists are just starting to explore the search feature. It is unclear if making stolen data searchable is a successful\r\ntactic but with multiple extortionist gangs adopting it, the option seems to be an attractive one.\r\nAutomated Pentesting Covers Only 1 of 6 Surfaces.\r\nAutomated pentesting proves the path exists. BAS proves whether your controls stop it. Most teams run one without the\r\nother.\r\nhttps://www.bleepingcomputer.com/news/security/ransomware-gang-now-lets-you-search-their-stolen-data/\r\nPage 5 of 6\n\nThis whitepaper maps six validation surfaces, shows where coverage ends, and provides practitioners with three diagnostic\r\nquestions for any tool evaluation.\r\nSource: https://www.bleepingcomputer.com/news/security/ransomware-gang-now-lets-you-search-their-stolen-data/\r\nhttps://www.bleepingcomputer.com/news/security/ransomware-gang-now-lets-you-search-their-stolen-data/\r\nPage 6 of 6",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/ransomware-gang-now-lets-you-search-their-stolen-data/"
	],
	"report_names": [
		"ransomware-gang-now-lets-you-search-their-stolen-data"
	],
	"threat_actors": [
		{
			"id": "6ad410c7-e291-4327-a54b-281c23f0d4fa",
			"created_at": "2022-10-25T16:07:24.501468Z",
			"updated_at": "2026-04-10T02:00:05.013427Z",
			"deleted_at": null,
			"main_name": "Karakurt",
			"aliases": [
				"Mushy Scorpius"
			],
			"source_name": "ETDA:Karakurt",
			"tools": [
				"7-Zip",
				"Agentemis",
				"AnyDesk",
				"Cobalt Strike",
				"CobaltStrike",
				"FileZilla",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Mimikatz",
				"WinZip",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2af9bea3-b43e-4a6d-8dc6-46dad6e3ff24",
			"created_at": "2022-10-25T16:47:55.853415Z",
			"updated_at": "2026-04-10T02:00:03.856263Z",
			"deleted_at": null,
			"main_name": "GOLD TOMAHAWK",
			"aliases": [
				"Karakurt",
				"Karakurt Lair",
				"Karakurt Team"
			],
			"source_name": "Secureworks:GOLD TOMAHAWK",
			"tools": [
				"7-Zip",
				"AnyDesk",
				"Mega",
				"QuickPacket",
				"Rclone",
				"SendGB"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "079e3d6e-24ef-42b0-b555-75c288f9efd8",
			"created_at": "2023-03-04T02:01:54.105946Z",
			"updated_at": "2026-04-10T02:00:03.359009Z",
			"deleted_at": null,
			"main_name": "Karakurt",
			"aliases": [
				"Karakurt Lair"
			],
			"source_name": "MISPGALAXY:Karakurt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6e23ce43-e1ab-46e3-9f80-76fccf77682b",
			"created_at": "2022-10-25T16:07:23.303713Z",
			"updated_at": "2026-04-10T02:00:04.530417Z",
			"deleted_at": null,
			"main_name": "ALPHV",
			"aliases": [
				"ALPHV",
				"ALPHVM",
				"Ambitious Scorpius",
				"BlackCat Gang",
				"UNC4466"
			],
			"source_name": "ETDA:ALPHV",
			"tools": [
				"ALPHV",
				"ALPHVM",
				"BlackCat",
				"GO Simple Tunnel",
				"GOST",
				"Impacket",
				"LaZagne",
				"MEGAsync",
				"Mimikatz",
				"Munchkin",
				"Noberus",
				"PsExec",
				"Remcom",
				"RemoteCommandExecution",
				"WebBrowserPassView"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434922,
	"ts_updated_at": 1775791779,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/20baf490bcac32036585fda02e82e70a312212dd.pdf",
		"text": "https://archive.orkl.eu/20baf490bcac32036585fda02e82e70a312212dd.txt",
		"img": "https://archive.orkl.eu/20baf490bcac32036585fda02e82e70a312212dd.jpg"
	}
}