Hacker Watch Monitors

The Clop ransomware gang copies an extortion tactic of the ALPHV ransomware gang by creating Internet-accessible websites dedicated to specific victims, making it easier to leak stolen data and further pressure victims to pay a ransom.

When a ransomware gang attacks a target company, it first steals data from the network and then encrypts files. The stolen data is used as leverage in double-extortion attacks, in which victims are warned that the data will be leaked if a ransom is not paid.

Ransomware data leak sites are usually hosted on the Tor network because it is more difficult for the website to be taken down or for law enforcement to seize its infrastructure.

However, this hosting method presents its own problems for ransomware operators, as a specialized Tor browser is required to access sites, search engines do not index leaked data, and download speeds are generally very slow.

To overcome these hurdles, last year the ALPHV ransomware operation, also known as BlackCat, introduced a new extortion tactic of creating clearweb websites to leak stolen data, which were promoted as a way for employees to check whether their data had been leaked.

A clearweb website is hosted directly on the Internet rather than on anonymous networks like Tor, which require special software to access it.

This new method makes the data easier to access and will likely cause it to be indexed by search engines, further widening the dissemination of disclosed information.

The Clop ransomware gang adopts the tactic

Last Tuesday, security researcher Dominic Alvieri told BleepingComputer that the Clop ransomware gang had started creating clearweb websites to leak data stolen during the recent widespread MOVEit Transfer data theft attacks.

The first site created by the threat actors was for business consulting firm PwC; it leaked the company's stolen data in four large ZIP archives.

Shortly after Alvieri told BleepingComputer, the threat actors also created websites for Aon, EY (Ernst & Young), Kirkland, and TD Ameritrade.

None of Clop’s sites are as sophisticated as those created by ALPHV last year, as they simply list links to download the data rather than having a searchable database like BlackCat’s sites.

Clearweb site created to disclose PwC data
Source: BleepingComputer

A waste of time?

These sites aim to frighten employees, executives and business partners whose data may have been stolen, in the hope that they will put further pressure on the company to pay the ransom.

However, while disclosing data this way may have some advantages for the attackers, it also presents its own problems: hosting it on the clearweb rather than on Tor makes it much easier to take down.

As of now, all known Clop clearweb extortion sites have been taken offline.

It’s unclear whether these sites are down due to law enforcement seizures, DDoS attacks by cybersecurity companies, or hosting providers and registrars shutting down the sites.

Due to how easily they can be shut down, it’s doubtful that this extortion tactic is worth it.
