👤 TRUSTBREAKER
🗓️ 20 Apr 2026   🗂️ Cyber Warfare    

Shadow Commerce: The Rise and Rampage of SIGbiz Ransomware

Cyber extortionists using SIGbiz are rewriting the rules of digital blackmail, leaving businesses scrambling for answers - and cash.

On a quiet Monday, a mid-sized logistics company logged in to find its entire digital infrastructure encrypted, files renamed with a chilling extension: .sigbiz. A ransom note blinked on every screen, demanding payment in cryptocurrency and threatening to publish sensitive data on the dark web. The culprit? A new ransomware operation known as SIGbiz, which has rapidly carved out a reputation for ruthless efficiency and public shaming tactics.

Fast Facts

  • SIGbiz is a ransomware group first spotted in 2023, targeting businesses worldwide.
  • Victims are extorted with threats of data leaks, amplifying pressure to pay.
  • The group lists breached companies on "Ransomfeed" leak sites to shame non-payers.
  • Attackers demand payment in cryptocurrency, making transactions hard to trace.
  • SIGbiz attacks often exploit unpatched software vulnerabilities or compromised credentials.

Inside the SIGbiz Playbook

SIGbiz ransomware attacks follow a now-familiar but increasingly aggressive pattern. After gaining access - often via phishing emails, remote desktop vulnerabilities, or stolen credentials - the attackers move laterally through a network, identifying critical data and backup systems. Once they've mapped the digital terrain, they launch their payload, encrypting files and leaving behind ransom notes with precise instructions for payment.

But SIGbiz doesn’t stop at encryption. Like many modern ransomware groups, they employ double extortion: first locking up data, then threatening to leak it on public "Ransomfeed" sites if the victim refuses to pay. This tactic leverages not just the value of the data itself, but also the reputational and regulatory risks of a public breach. For many organizations, the fear of leaked customer information or intellectual property is as motivating as the need to restore operations.

What sets SIGbiz apart is their rapid adoption of leak site shaming and their focus on mid-sized enterprises - companies with enough resources to pay, but often lacking robust cyber defenses. By posting partial data samples on "Ransomfeed," SIGbiz demonstrates their seriousness and exerts maximum pressure. Security researchers note that the group’s ransom demands range from tens of thousands to millions of dollars, always payable in hard-to-trace cryptocurrencies like Bitcoin or Monero.

While authorities and cybersecurity firms urge victims not to pay, the reality is complicated. Data restoration can be slow, costly, or impossible, and many companies quietly pay up to avoid further damage. Meanwhile, SIGbiz and groups like them continue to innovate, exploiting fresh vulnerabilities and refining their extortion methods.

Conclusion: A New Normal of Cyber Extortion?

The SIGbiz phenomenon signals a troubling evolution in ransomware: more public, more punitive, and more profitable for criminals. As attackers use data leaks as leverage, companies face a stark choice - pay up, or risk everything going public. With ransomware-as-a-service models and leak sites proliferating, the age of quiet cyber extortion is over. Only a coordinated defense - technical, legal, and strategic - offers hope against the relentless shadow commerce of SIGbiz and its ilk.

WIKICROOK

  • Ransomware: Ransomware is malicious software that encrypts or locks data, demanding payment from victims to restore access to their files or systems.
  • Double Extortion: Double extortion is a ransomware tactic where attackers both encrypt files and steal data, threatening to leak the data if the ransom isn’t paid.
  • Leak Site: A leak site is a website where cybercriminals post or threaten to post stolen data to pressure victims into paying a ransom.
  • Phishing: Phishing is a cybercrime where attackers send fake messages to trick users into revealing sensitive data or clicking malicious links.
  • Cryptocurrency: Cryptocurrency is a digital currency secured by cryptography, enabling secure, decentralized transactions and often used for both legal and illicit activities.