Today the transparency collective of data activists known as Distributed Denial of Secrets published a massive new set of data on its website, all collected from dark web sites where the information was originally leaked online by ransomware hackers. DDoSecrets has made available about 1 terabyte of that data, including more than 750,000 emails, photos, and documents from five companies. The group is also offering to privately share an additional 1.9 terabytes of data from more than a dozen other firms with selected journalists or academic researchers. In total, the giant data collection spans industries including pharmaceuticals, manufacturing, finance, software, retail, real estate, and oil and gas.
All of that data, along with terabytes more that DDoSecrets says it plans to offer in the coming weeks and months, is sourced from an increasingly common practice among cybercriminal ransomware operations. Beyond just encrypting victim machines and demanding a payment for the decryption keys, ransomware hackers now often steal vast collections of victim data and threaten to post it online unless their hacking targets pay. In many cases, the victims refuse that extortion, and the cybercriminals follow through on their threat. The result is dozens or even hundreds of terabytes of internal corporate data, spilled out onto dark web servers whose web addresses are passed around among hackers and security researchers.
DDoSecrets' cofounder Emma Best argues that the trail of dumped data that ransomware operations leave in their wake often contains information that deserves to be scrutinized and, in some cases, revealed to the public. "Ignoring valuable data that can inform the public about how industries operate isn't something we can afford to do," Best wrote in a text exchange with WIRED. Best, who uses the pronoun they, couldn't say in many cases exactly what secrets of potential public interest those massive data sets might contain, given that there's too much data for DDoSecrets to comb through on its own. But they argue that any evidence of corporate malfeasance that those documents might reveal, or even intellectual property that can serve the public good, should be considered fair game.
"Whether it's a pharmaceutical company or petroleum company, or a company with technical data and specs that can speed progress for an entire industry or make everyone safer by sharing research," Best says, "then we have a duty to make that available to researchers, journalists, and scholars so they can learn about how typically opaque industries (many of which control significant aspects of our lives and the future of the planet) operate."
For those combatting the growing global epidemic of ransomware attacks, however, exploiting data leakage left behind by cybercriminal hackers carries new ethical questions. Allan Liska, an analyst and researcher for security firm Recorded Future, says he's seen firsthand the devastating effects of ransomware attacks on businesses large and small, and he argues that amplifying the leaks from ransomware groups only encourages them to threaten those leaks against more victims. "I personally think it's wrong," Liska says. "Even if you think your intentions are good, I think you're taking advantage of somebody who had a crime committed against them."
Best counters that DDoSecrets isn’t publishing any data that wasn’t already made public by those hackers. “All of the data are things ransomware hackers have already released,” they say. “We’re not receiving anything directly from them or working with them in any way. We’re taking data that journalists are unable or are afraid to access and making it available.” Best adds that in the majority of cases, DDoSecrets won’t publish the data themselves but instead will share most of the leaks privately with journalists and researchers. In those cases, they’ll ask that those who publish the data redact anything that is overly sensitive—such as personally identifying information—and doesn’t have public interest value. But the group doesn’t rule out publishing that sensitive information themselves if they do see a public interest value in it, and it plans to offer the same discretion to publish to the journalists and academics it shares data with.
DDoSecrets also notes that the very cybercriminals who might make use of personally identifiable information in ransomware leaks are already scouring those leaks, regardless of whether DDoSecrets collects them or not. "The bogeymen everyone loves to be worried about?" Best writes. "They've already got the data."
Best points to the case of Perceptics, a license-plate-reader technology firm that was breached in the spring of last year and had its files spilled onto the dark web, likely by a ransomware hacker, according to tech news site the Register. Journalists at the Intercept combed through the leaked data to show how Perceptics had lobbied Congress for Customs and Border Protection contracts and downplayed security and privacy issues with its tech—even as the sensitive license-plate information it was collecting was left vulnerable to hackers.
In June of this year, DDoSecrets published its own bombshell collection of hacked documents, a massive collection of law enforcement files known as BlueLeaks, given to the group by a hacker associated with Anonymous. The 269-gigabyte collection of documents from 200 state and local police organizations led Twitter to ban the DDoSecrets account and even block all tweets containing links to its website. Reddit banned the r/blueleaks subreddit. Shortly afterward, German prosecutors in the town of Zwickau ordered police to seize a server belonging to DDoSecrets that hosted many of its files and the search engine for its data collection, a significant setback for the group from which it's still working to recover. It now plans to host its data on Tor-protected .onion sites that hide the location of servers, making such seizures far more difficult in the future.
Despite those hurdles, DDoSecrets remains undeterred in its larger mission. With its new ransomware trove, it's also tapped into a huge new source of leaks. Just last year, more than 1,000 ransomware victims had their data spilled onto dark web sites, according to Recorded Future's Liska. He estimates that one year of ransomware leaks alone adds up to between 100 and 200 terabytes of stolen data posted to various dark web sites.
The ethics of digging through that cornucopia of leaked data for public interest information comes down to more than the question of whether it was leaked by an insider or stolen by a hacker, or even the intentions of whatever hacker might have stolen it, argues Thomas Rid, a professor of strategic studies at Johns Hopkins University who wrote extensively about hack-and-leak operations in his book Active Measures. If the data was truly made public by hackers previous to DDoSecrets collecting it, that's very different from, for instance, WikiLeaks' widely criticized move to publish previously unpublished emails stolen from the Democratic National Committee by Russia's military intelligence agency in 2016.
But Rid points out that in many cases, the data might be available on a dark web site for only a short time, making DDoSecrets' decision to preserve it in perpetuity more ethically fraught. "By the time you're the only source, you're basically the publisher at that moment," Rid says. "Emma and their colleagues have to accept that there are these ethical edge cases. They can't just pretend that they're not in murky terrain."
Best, for their part, says that ignoring the existence of ransomware data only allows cybercriminals to exploit it while leaving untapped its value as a source of newsworthy muckraking or other public benefit. "Terabytes of data are flooding the dark web and being exploited almost entirely by cybercriminals and the sort of people security experts and pundits love to wring their hands about, but they're almost entirely unavailable to the public and to journalists," Best writes. "Our ultimate goal is—and always has been—to serve and inform the public."