{
	"id": "7efe753d-5e07-489a-9a69-be5404a3a0ed",
	"created_at": "2026-04-06T00:17:32.864309Z",
	"updated_at": "2026-04-10T13:11:46.556614Z",
	"deleted_at": null,
	"sha1_hash": "717a3464861bbf426f770189834295f6ef7e6e99",
	"title": "Conti (Ryuk) joins the ranks of ransomware gangs operating data leak sites",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 216623,
	"plain_text": "Conti (Ryuk) joins the ranks of ransomware gangs operating data\r\nleak sites\r\nBy Catalin Cimpanu\r\nPublished: 2020-08-25 · Archived: 2026-04-05 21:41:19 UTC\r\nImage: ZDNet\r\nIt has now become a mainstream tactic for big ransomware groups to create so-called \"leak sites\" where they\r\nupload and leak sensitive documents from companies who refuse to pay the ransomware decryption fee.\r\nThese \"leak sites\" are part of a new trend forming on the cybercriminal underground where ransomware groups\r\nare adopting a new tactic called \"double extortion.\"\r\nThe perfect example of how ransomware gangs are currently using \"leak sites\" and \"double extortion\" to put\r\npressure on victims to pay is the case of the University of Utah.\r\nLast week, the university's management admitted to paying $457,000 to a ransomware gang even if they\r\nrecovered their encrypted files using previous backups.\r\nIn a statement posted on its website, the university justified its payment by revealing that the ransomware gang\r\nthreatened to leak files containing sensitive student data online if the university did not agree to pay regardless if\r\nthey recovered their original files.\r\nDozens of ransomware groups operate leak sites\r\nhttps://www.zdnet.com/article/conti-ryuk-joins-the-ranks-of-ransomware-gangs-operating-data-leak-sites/\r\nPage 1 of 3\n\nSuch incidents are becoming more common these days as more and more ransomware groups shift to operating a\r\nleak site to put additional pressure on victims.\r\nThe good news is that not all ransomware gangs operate leak sites.\r\nHowever, this number has been steadily growing since December 2019, when the operators of the Maze\r\nransomware launched the first-ever leak site.\r\nToday, the list of ransomware gangs who operate leak sites includes the likes of Ako, Avaddon, CLOP, Darkside,\r\nDoppelPaymer, Maze, Mespinoza (Pysa), Nefilim, NetWalker, RagnarLocker, REvil (Sodinokibi), and Sekhmet.\r\nSome of these 
groups are small-time operators that even malware analysts have barely heard of, but some, like\r\nMaze, DoppelPaymer, REvil, and NetWalker, are some of today's largest ransomware threat actors, responsible for\r\na large chunk of ransomware attacks.\r\nOther groups, like BitPaymer, WastedLocker, LockBit, ProLock, and the Dharma family, have not yet adopted\r\nleak sites. The reasons are unknown, but malware researchers have told this ZDNet reporter in previous\r\nconversations that some criminal groups like to operate without drawing too much attention to themselves -- and\r\nleak sites tend to draw way too much attention from journalists, cyber-security firms, and law enforcement\r\nofficials alike.\r\nConti launches leak site\r\nBut last week, we had another major ransomware group shift to this double-extortion tactic and launch a leak site.\r\nKnown as Conti, this is a relatively new ransomware strain. However, reports from Arete, Bleeping Computer,\r\nand Carbon Black claim that Conti \"is being operated by the same group that conducted Ryuk ransomware attacks\r\nin the past\" -- with Ryuk being one of the most active ransomware operations from the past two years and one of\r\nthe biggest players on the ransomware scene.\r\nDiscovered by a malware analyst going by the pseudonym of BreachKey, the Conti leak site is available at\r\ndifferent URLs on both the public internet and the dark web.\r\nBreachKey says the site already lists 26 companies that have fallen victim to the group's attacks and have declined\r\nto pay the ransom, and that for each company listed on the site, the Conti group has leaked documents obtained\r\nfrom their networks.\r\nAll in all, the launch of yet another leak site shows that the double-extortion scheme is here to stay with\r\nransomware gangs.\r\nThis new trend also means changes need to take place in how companies treat ransomware attacks. 
While in the\r\npast, victim companies only had to recover files and get back to day-to-day operations, today, ransomware attacks\r\nalmost always involve the theft of sensitive corporate data, employee or customer personal details.\r\nThis, in turn, means that most ransomware incidents also require an in-depth incident response and broad network\r\naudits to discover lingering backdoors that could be used for future attacks, but also public disclosure and data\r\nbreach notifications, which are necessary when any type of personal user/employee data has been stolen.\r\nSource: https://www.zdnet.com/article/conti-ryuk-joins-the-ranks-of-ransomware-gangs-operating-data-leak-sites/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.zdnet.com/article/conti-ryuk-joins-the-ranks-of-ransomware-gangs-operating-data-leak-sites/"
	],
	"report_names": [
		"conti-ryuk-joins-the-ranks-of-ransomware-gangs-operating-data-leak-sites"
	],
	"threat_actors": [],
	"ts_created_at": 1775434652,
	"ts_updated_at": 1775826706,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/717a3464861bbf426f770189834295f6ef7e6e99.pdf",
		"text": "https://archive.orkl.eu/717a3464861bbf426f770189834295f6ef7e6e99.txt",
		"img": "https://archive.orkl.eu/717a3464861bbf426f770189834295f6ef7e6e99.jpg"
	}
}