Introducing COLT – Compromise to Leak Time

Ransomware, data theft and leaks.

I do not plan on making this a ransomware-focused blog, but let us be honest, ransomware is just so prevalent that you cannot escape it. After my last blog and from private discussions, people working incident response cases in ransomware often are faced with the question: “When will the threat actor announce the attack and leak stolen data?”

Trying to answer this question is hard, as an external observer like myself does not have visibility into incidents or process attackers follow. All I can rely on is the data seen publicly and the claims threat actors make. Once again I turn to my data collection from the the past year and I can create a resource – COLT (Compromise to Leak Time). This number, expressed in days, helps answer that question. Think of it as a smoking gun for a ransomware incident. The moment you see the smoke, the gun fired and every person learns that something has happened.

Due to limited data sets I am only able to create a reliable number for two ransomware groups: DarkSide and PYSA/Mespinoza. Both groups are self-reporting the date they breached a victim and comparing it to the time they announce the victim, we can calculate a delta – COLT.

Let’s crunch the numbers.

DarkSide

For this ransomware group I reviewed 84 data leaks published on their leak blog. The first time the group claims to have compromised a victim was August 8^th, 2020. This victim was announced on the blog on August 19^th, giving us a first COLT of 11 days. Looking at the most recently announced victim, we see a compromise on April 22^nd and a publication on April 28^th, a COLT of only 6 days.

Looking at all data points, we have to following numbers:

• COLT_median: 7 days
• COLT_average: 11 days

This is a pretty quick turnaround from compromise, data exfiltration, system encryption, ransom extortion chat and publication. The largest COLT for a victim of DarkSide is at 93 days, while the shortest is at 0 days, meaning the victim was published the same day it was hacked. DarkSide lists 6 victims with a COLT of 0 days.

Another interesting observation with DarkSide can bee seen when we look at the data by month. Here the COLT_average lies between 10 days (November 2020) and 18 days (February 2021). We can also see that the operators took a break in September, as no victims were reported being compromised or added to the data leak blog.

PYSA/Mespinoza

For this ransomware group I reviewed 115 data leaks published on their leak blog. A problem in this analysis might be that PYSA seems to mix up dates and ordering them the wrong way around (12/04 vs 04/12), wrongly self-reported compromise dates (several victims publicly state different attack dates). Additionally, PYSA publishes several victims in a batch, making it difficult to have really reliable numbers.

For PYSA we have the following result:

• COLT_median: 66 days
• COLT_average: 70 days

The range is between 0 and 452 days (still might contain errors). If we only look at the data for compromises from the past 6 months (November 2020 to April 2021), we get 49 victims and the COLT numbers of:

• COLT_median: 86 days (+20)
• COLT_average: 85 days (+15)

This shows us that PYSA got slower in announcing their victims. The range however gets narrower and is between 7 to 130 days.

What observations can you make from this data? Have you worked incidents and would like to share your data? Let me know, I am always eager to hear other opinions and feedback.

Visualizations

Update 2021-05-03

The MISP project team has added the COLT numbers for DarkSide and PYSA into the ransomware galaxy.