VERY IMPORTANT

Threat actors continuously evolve their techniques to maximize financial gains. A recent trend involves ransomware affiliates re-monetizing stolen data outside of their original RaaS agreements, often after disputes with threat actors in the ransomware economy. These affiliates are working with third-parties or external data leak services to re-extort victims who have already paid ransoms to the original attackers. This post examines how affiliate attackers are embracing this new third-party extortion method, illustrated by the attacks on Change Healthcare and the emergence of services like RansomHub and Dispossessor.