While the dark web is often associated with drugs, crime, and leaked information, there has been a rise in a sophisticated cybercrime ecosystem that operates through platforms like Tor and illicit channels on Telegram. One aspect of this trend is the emergence of ransomware groups and their affiliates, who are employing increasingly intricate methods to extort money from companies. 

According to a recent report from Unit42, ransomware attacks surged by 518% in 2021 compared to the previous year. Another report by KnowBe4 reveals that 83% of successful attacks involved Double and Triple Extortion tactics. Triple extortion is an advanced variation of double extortion, where cybercriminals threaten to expose a company's sensitive data unless a ransom is paid. 

Recently, we have noticed that groups involved in extortion are using more advanced methods. It is now uncommon for a group to only lock a company's data with encryption. Instead, some groups are completely bypassing encryption and concentrating on stealing data and blackmailing employees. 

Single extortion attack refers to a traditional ransomware approach where a group encrypts a company's data and demands payment to unlock it. 

Double extortion attack involves a ransomware group encrypting a company's data and also stealing it. They then threaten to publish the stolen data on ransomware blogs unless the victim pays the ransom.

Triple extortion attack is an advanced version of double extortion. In addition to encrypting and stealing data, the cybercriminals also threaten to expose the stolen information, launch DDoS attacks, or target the company with other harmful activities unless the ransom is paid. 

A ransomware affiliate is someone or a group that rents access to Ransomware-as-a-Service (RaaS) platforms. They use this access to break into company networks, encrypt files using the rented ransomware, and earn a commission when their extortion attempts are successful. 

In the first half of 2023, there have already been over 2,000 instances of data leaks on ransomware blogs. This indicates that 2023 is likely to set a new record for ransomware data disclosure. The emergence of triple extortion ransomware aligns with another significant change in the threat landscape: the increasing prevalence of infostealer malware. 

There has been a notable rise in "initial access brokers" who work on exclusive dark web forums. These brokers specialize in acquiring initial access to companies and then sell it through auction-style platforms, where interested buyers can either bid or choose to purchase immediately at a fixed price. 

As the cybercrime ecosystem becomes more complex, even less experienced threat actors can now launch sophisticated attacks on businesses. At Flare, we firmly believe that setting up a continuous threat exposure monitoring process (CTEM) is vital for strong cybersecurity. 

Gartner predicts that companies adopting CTEM practices can decrease the likelihood of a data breach by 66% by 2026. Infostealer malware, such as Vidar, Redline, and Raccoon, infects individual computers and extracts important information. This includes browser fingerprints, host data, and most critically, all the saved credentials stored in the browser.