
TSTT’s week of evasion, half-truths - Trinidad and Tobago Newsday

Last week was a long seven days. On October 28, I was informed about a potential data breach at TSTT that resulted in company data being posted to the dark web.

The dark web is a subsection of the deep web: the parts of the internet that are not indexed by search engines. The deep web is largely content that sits behind a paywall or a login, or that has been deliberately blocked from web crawlers.

It is estimated that the deep web constitutes as much as 96 per cent of the active internet. The dark web, which is not entirely populated with illicit activity, is estimated to be around five per cent of the total information and data movement of the internet.

Because these sites are not indexed and their addresses cannot be reached from an ordinary browser, access takes some effort. A visitor must use an anonymising browser such as Tor, which routes requests for a dark web site through a circuit of volunteer-run relays, so that the user is as hard to identify as the pages they are trying to reach.

The process is slow and a reminder of how far the world has come since Mosaic and the dial-up modem.

The most common and accessible dark web sites are those using the .onion special-use top-level domain, known as onion sites or onionsites (more on how the dark web works here: https://cstu.io/e14e69). Facebook, for instance, publishes an onion address that gives access to its service over Tor.
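An onion address is not an arbitrary string: a current (v3) address is the site's own ed25519 public key, a two-byte SHA3-256 checksum and a version byte, base32-encoded into 56 characters before ".onion". That means a link someone hands you can be checked for basic integrity offline before a Tor browser is pointed at it. The following is an added example, not code from this column or from the Tor Project; it builds a demo address from a constructed 32-byte key (not any real service's key) and checks pasted links against the published format. The helper names (encode_onion_v3, decode_onion_v3, check_onion_link) and the sample inputs are this example's own.

```python
import base64
import hashlib
import re
from urllib.parse import urlparse

# v3 onion address layout (Tor rend-spec-v3, section 6):
#   onion_address = base32(PUBKEY || CHECKSUM || VERSION) + ".onion"
#   PUBKEY   = 32-byte ed25519 public key
#   CHECKSUM = SHA3-256(".onion checksum" || PUBKEY || VERSION)[:2]
#   VERSION  = 0x03
# 35 bytes encode to exactly 56 base32 characters with no padding.
ONION_V3_VERSION = b"\x03"
ONION_V3_HOST_RE = re.compile(r"^[a-z2-7]{56}\.onion$")


def _checksum(pubkey: bytes, version: bytes) -> bytes:
    return hashlib.sha3_256(b".onion checksum" + pubkey + version).digest()[:2]


def encode_onion_v3(pubkey: bytes) -> str:
    """Build the .onion hostname for a 32-byte ed25519 public key."""
    if len(pubkey) != 32:
        raise ValueError("ed25519 public key must be 32 bytes")
    raw = pubkey + _checksum(pubkey, ONION_V3_VERSION) + ONION_V3_VERSION
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"


def decode_onion_v3(host: str) -> bytes:
    """Return the public key embedded in a v3 .onion hostname, or raise ValueError."""
    host = host.strip().lower()
    if not ONION_V3_HOST_RE.match(host):
        raise ValueError("not a 56-character v3 onion hostname (16-character v2 addresses are retired)")
    raw = base64.b32decode(host[:56].upper())
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    if version != ONION_V3_VERSION:
        raise ValueError(f"unsupported onion address version 0x{version.hex()}")
    if checksum != _checksum(pubkey, version):
        raise ValueError("checksum mismatch: address is mistyped or tampered")
    return pubkey


def onion_host_from_url(url: str) -> str:
    """Extract the hostname from a pasted link; a bare hostname is accepted too."""
    if "://" not in url:
        url = "http://" + url
    host = urlparse(url).hostname
    if host is None:
        raise ValueError("no hostname in link")
    return host


def check_onion_link(url: str) -> dict:
    """Summarise whether a pasted link carries a well-formed v3 onion address."""
    try:
        host = onion_host_from_url(url)
        pubkey = decode_onion_v3(host)
        return {"host": host, "valid": True, "pubkey_hex": pubkey.hex(), "reason": ""}
    except ValueError as exc:
        return {"host": url, "valid": False, "pubkey_hex": "", "reason": str(exc)}


if __name__ == "__main__":
    # Constructed demo key for illustration only: the bytes 0x00..0x1f, not a real service key.
    demo_key = bytes(range(32))
    addr = encode_onion_v3(demo_key)
    print(addr)
    print(check_onion_link("http://" + addr + "/proof"))
    # Constructed 16-character label in the retired v2 shape; it is rejected.
    print(check_onion_link("exampleonion2345.onion"))
```

A passing check only proves the address is well formed and was not mistyped or corrupted in transit; it says nothing about who controls the key. The key that matters is the one the researcher or tracker you trust gave you, so compare the decoded key (or the whole address) against that known-good copy rather than against anything printed on the leak site itself.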

What happened last week?

My initial reporting was done on October 28 after viewing the proof page posted by RansomEXX, a ransomware group that claimed responsibility for a hack on TSTT that resulted in the exfiltration of a declared 6GB of data.

The hack was reported on several websites that track global cybersecurity breaches.

The page was accessed using an onionsite link provided by a Jamaican cybersecurity researcher, Gavin Dennis, whom I worked with previously on the Ansa McAl and Massy data breaches.

The page showed screenshots of data captured in the hack and, after the ransomware grace period expired, links to the data the group had stolen.

Ransomware operations are businesses that operate using intimidation, fear and inconvenience to prompt payments.

Companies that have been attacked must worry about their data being released, and about whether more of it is still to be revealed, while working to restore their systems safely and fully if they choose not to pay.

Because data can be copied infinitely, there is never any guarantee that paying the ransom will lead to the safe destruction of captured data. Trusting the word of criminals, even crooks running a business, is never a good idea.

TSTT was a victim in this. While the company has not revealed how access to its data was achieved, credentials are routinely conned out of members of staff through elaborate phishing schemes, and critical software that isn't updated quickly enough is another common vector of attack.

Ransomware is a game of patience. Low-level access is normally escalated step by step inside the compromised systems until desirable data is found and copied. Only then is the ransom demand made (how ransomware attacks happen: https://cstu.io/0153d1).

TSTT ha
