If the victim -- usually a large company -- refuses to pay, the ransomware gangs threaten to leak the information online, on so-called "leak sites" and then tip journalists about the company's security incident.
Companies who may try to keep the incident under wraps, or who may not want intellectual property leaked online, where competitors could get, will usually cave in and pay the ransom demand.
While initially the tactic was pioneered by the Maze ransomware gang in December 2019, it is now becoming a widespread practice among other groups as well.
At the time of writing, ZDNet has identified nine ransomware operations that are currently running or have maintained a "leak site," either on the dark web, or the public internet.
Below is a list of all ransomware "leak sites," in alphabetical order, which we'll maintain going forward, as an index of all groups that engage in this tactic. We will not be linking to any of these sites, nor will we be listing any past or present victims. This lists exists solely for the purpose of letting victim companies know that in the case of an infection with any of the ransomware strains listed below that they should treat the incident as a classic data breach where data has been exfiltrated and has reached a third-party's hands, rather than just a ransomware were data was merely encrypted but never left a victim's network.
Ako (rebranded as Ranzy)
The Snatch ransomware gang's "leak site" has been down for weeks. It is unclear if the group has abandoned the leaking files from infected hosts, or has moved it to a secret new URL.
The world's most famous and dangerous APT (state-developed) malware