Pay our ransom instead of a GDPR fine, cybercrime gang tells its targets

Researchers are tracking a new cybercrime group that uses a never-seen-before extortion tactic.

The gang, which operates through a blog called Ransomed, tells victims that if they don’t pay to protect stolen files, they will face fines under data protection laws like the EU’s GDPR, according to a new report by cybersecurity firm Flashpoint.

The group labels its ransom demands a “Digital Peace Tax,” according to the researchers, in the same way that the ransomware group LockBit calls its operations a “post-paid penetration testing service.”

Ransomed is still trying to establish its credibility as a criminal threat, and it’s unclear whether the group is actually deploying ransomware or is just making claims about stolen data, Flashpoint said.

Ransomed launched its website on August 15 and promoted it on Telegram, the report said. Like many other ransomware blogs, it lists alleged victims’ names and threatens to expose data unless ransoms are paid.

The hackers behind Ransomed are probably linked to other data leak websites like BreachForums and Exposed, Flashpot said. Some of these sites have shut down due to money problems or poor management, the researchers said.

The group’s ransom demands range from 50,000 to 200,000 euros ($54,000 to $218,000). Those are less than real GDPR fines, which can go up into the millions and even beyond. Keep demands lower might increase the chances of victims making the payment, Flashpoint said.

The blog's operators posted two bitcoin addresses for payments. Usually, cybercrime groups don't reveal their wallet addresses publicly; instead, they share them directly with victims through ransom notes or negotiation portals.

Credibility issues

As of August 28, Ransomed had listed several companies on the blog, including the Metropolitan Club, a private club in Washington; TransUnion, a U.S. credit agency; and State Farm, a U.S. insurance company. Those organizations have not reported any recent data breaches.

“There is limited evidence that the attacks published on the Ransomed blog actually took place, beyond the threat actors’ claims,” the researchers said.

It is likely that Ransomed is a financially motivated project, and one of several other short-lived operations from its creators, according to researchers.

The blog claims to have the source code of Raid Forums, an illegal hacking forum that was seized last year, and the group says it plans to use it in the future, possibly to turn a ransomware blog into a hacker forum.

The legitimacy and impact of Ransomed "remains to be seen," the researchers said, but its extortion tactics represent a new way for cybercriminals to dress up their illegal activity.