Chris Swagler | May 4th, 2023

The increase in reported ransomware victims in Q1 2023 indicates the continued prevalence of ransomware as a global, industry-agnostic threat. The research is based on publicly available data, including information on threat groups and the ransomware threat landscape. In the first quarter, GRIT detected 849 publicly posted ransomware victims claimed by 29 separate threat groups.

According to GRIT’s most recent study, there has been a 27% increase in public ransomware victims since Q1 2022 and a 25% increase since Q4 2022. Most of the publicly disclosed ransomware victims continue to be from the manufacturing, technology, education, banking and finance, and healthcare industries. LockBit is the most prolific ransomware threat group, and Clop rose to prominence due to the rapid and broad exploitation of a file-sharing application vulnerability. Vice Society continues to be the most impactful group targeting the education sector, proving that some organizations have a persistent targeting profile.

GRIT’s analysis revealed that multiple prominent ransomware groups are increasingly employing novel coercive tactics, including the double extortion model, in which ransomware operators not only encrypt files on infected networks and hosts but also exfiltrate data. Ransomware groups use the fear of public data disclosure to induce compliance with ransom demands. Threat groups, including ALPHV and Medusa, have been detected distributing targeted sensitive data, including graphic images relating to medical treatment, to put more pressure on victims to contemplate payment. Based on the Q1 observations, more advanced ransomware threat actors will increasingly use novel coercive techniques, especially as the fallout from existing instances generates media attention and civil lawsuits against affected companies. This assessment is based on the increased prevalence of the techniques in open-source reporting and internal research, and on technical and professional understanding of companies’ risk pertaining to ransomware events.

DDoS attacks and selective public disclosure aimed at raising media attention and harming companies’ reputations are additional coercive measures. Additionally, there has been a slight increase in exfiltration-only ransomware attacks, in which known ransomware threat actors are unable to encrypt victims’ networks but continue with the extortion process, relying entirely on the data they have successfully exfiltrated. LockBit, Clop, ALPHV, Royal, and BianLian are the top five most active ransomware threat actors. Even though manufacturing and technology remain the most heavily impacted industries, the number of victims in the legal industry went from 23 to 38, a 65% increase from Q4 2022 to Q1 2023, with 70% attributed consistently to the most prolific double extortion model ransomware groups, including LockBit, ALPHV, Royal, and BlackBasta. From Q4 2022 to Q1 2023, the education sector had a 17% increase in publicly listed victims, with Vice Society accounting for 27% of all education-related activity.

With ransomware groups looking to utilize new extortion tactics to force victims into paying a ransom, it’s important for companies to stay ahead of the latest threat landscape and regularly update their data network security infrastructure. At SpearTip, we offer two types of tabletop exercises: Executive and Technical. Executive tabletop exercises are custom designed to strengthen the collaboration among business leaders and promote a common understanding of how leadership teams respond to an incident. Technical tabletop exercises are designed to review current IR policies and procedures by engaging companies’ teams in specific scenarios that test their analytical and remediation capabilities in the event of an incident. All tabletops are based on the most current tactics, techniques, and procedures employed by threat actors, as well as perceived gaps in companies’ current IR plans. Following the exercise, we identify key findings, opportunities for improvement, and remediation steps to strengthen their ongoing security posture. Cybersecurity awareness training is designed to educate individuals and organizations about best cybersecurity practices and to provide the knowledge and skills necessary to protect their systems and data from cyber threats. By providing cybersecurity awareness training, organizations and their employees can better understand the risks of the cyber landscape and develop impactful cybersecurity practices that can reduce the likelihood of cyberattacks.

If your company is experiencing a breach, call our Security Operations Centers at 833.997.7327 to speak directly with an engineer.
