Name in API: ransomware_victim
Severity: High
Decay window: 90 days
Factor: Hacker Chatter
Why this matters
In a ransomware attack, a threat actor encrypts compromised data and demands payment from the victim in return for decryption keys that allow the victim to access it again. For added pressure on the victim to pay, the threat actor typically also threatens to release or even sell the data.
A finding for this issue type indicates that the organization sustained a ransomware attack and that the attackers published the stolen data files on the Dark Web. There, they are accessible to anyone who accesses the Dark Web with a Tor browser.
This means that any personal or sensitive information about the attacked organization, its employees, or its customers may be exposed, such as identities, passwords, or credit card numbers, depending on what data was compromised.
How we discovered it
Our ransomware leak site crawler traverses various ransomware leak sites on the Dark Web and the clear web looking for ransomware-leaked data. The crawler parses each leak site to extract the compromised victim names and/or victim sites.
Learn more about how we collect data in the SecurityScorecard platform.
What you can do about it
You cannot reverse the malicious advertisement of your domain on the Dark Web, but you can take actions to prevent a ransomware event in the future:
Perform a system audit to find out how the attackers were able to gain entry, then fix the issue. This may involve resetting passwords or deploying other authentication methods. When you have verified that no trace of the attacker remains, restore the data from the most recent known-good backups if possible. Make sure to notify the parties whose data may have been compromised.
How you can resolve it in SecurityScorecard
Because the data is already exposed and accessible on the Dark Web, you cannot resolve this issue type unless you can demonstrate that the finding is incorrect or that the compromised domain does not belong to your Digital Footprint.
Note: Findings for this issue type decay after 90 days and are then removed from your Scorecard.
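The two points above that are easy to get wrong in practice are deciding whether a victim entry extracted from a leak site actually belongs to your Digital Footprint, and working out when a finding leaves the 90-day decay window. The following Python example is added here and is not SecurityScorecard's code; the leak-entry format, the owned-domain set, and the dates are constructed assumptions, not real crawler output.

```python
import re
from datetime import date, timedelta

DECAY_DAYS = 90  # decay window for ransomware_victim findings, as stated above

# Constructed sample entries in the shape a leak-site crawler might extract:
# a victim label, optionally with the victim's site. Not real victims.
SAMPLE_LEAK_ENTRIES = [
    "Example Corp - https://www.example.com/",
    "ACME Widgets (acme-widgets.example.org)",
    "Unrelated Co",
]

# Hypothetical Digital Footprint of the organization doing the triage.
OWNED_DOMAINS = {"example.com", "shop.example.com"}

# Matches a bare host or URL, ignoring an optional scheme and "www." prefix.
_HOST_RE = re.compile(r"(?:https?://)?(?:www\.)?([a-z0-9.-]+\.[a-z]{2,})", re.I)


def extract_host(entry):
    """Return the normalized host named in a leak entry, or None if it has none."""
    m = _HOST_RE.search(entry)
    return m.group(1).lower().rstrip(".") if m else None


def in_footprint(host, owned):
    """True if host equals an owned domain or is a subdomain of one."""
    if host is None:
        return False
    return any(host == d or host.endswith("." + d) for d in owned)


def finding_status(published, today):
    """Return ('active' | 'decayed', expiry_date) for a finding first seen on `published`."""
    expires = published + timedelta(days=DECAY_DAYS)
    return ("active" if today < expires else "decayed", expires)


def triage(entries, owned, published, today):
    """Classify each extracted entry: ours or not, and whether it is still on the Scorecard."""
    status, expires = finding_status(published, today)
    results = []
    for entry in entries:
        host = extract_host(entry)
        results.append({
            "entry": entry,
            "host": host,
            "in_footprint": in_footprint(host, owned),
            "status": status,
            "expires": expires.isoformat(),
        })
    return results


if __name__ == "__main__":
    for row in triage(SAMPLE_LEAK_ENTRIES, OWNED_DOMAINS, date(2024, 1, 1), date(2024, 3, 30)):
        print(row)
```

Entries that resolve to a host outside your owned domains are candidates for the "This is not my IP or domain" resolution option; entries with no host at all (a bare company name) need a manual check before you claim they are not yours. The decay comparison treats the finding as gone once the 90th day is reached, which is the behaviour a reviewer should confirm against the Scorecard rather than assume.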
When submitting a Resolution request, ensure you include supporting evidence where necessary. This will greatly assist us in ensuring your issue is resolved in a timely manner. See the following options for resolving the findings:
I have fixed this
There is no way to remediate this issue type.
I have a compensating control
There is no compensating control for this issue type.
This is not my IP or domain
Indicate that the affected assets do not belong to your organization.
Note: To prevent future findings on specific assets, manage these assets in your Digital Footprint.
I cannot reproduce this issue and I think it is incorrect
Provide a third-party assessment asserting that there was no breach. For example, see this article about an investigation that refuted published claims about a ransomware-related leak.