Chris Swagler | May 25th, 2023

Ransomware remains one of the most serious cybersecurity threats facing companies and governments. As more organizations refuse to pay ransom demands, threat operators are devising new ways to extract payment from their victims. The collapse of Conti, the most notorious ransomware group, in May 2022 was expected to reduce ransomware attacks significantly. One cybersecurity company found that ransomware caused 35.5% of the breaches it investigated in 2022, a slight decline of 2.5% from 2021. Meanwhile, one cybersecurity report estimated that ransomware payouts fell by 38% in 2022, which has pushed threat operators toward more professional, corporate-style operations that ensure higher returns. Cybercriminals increasingly set KPIs and targets, including organizations they must penetrate within a specific time frame. Because ransomware groups follow a business model, the crime has become highly organized, and the groups have begun applying more pressure on victims.

Double Extortion Tactics

Double extortion is a strategy ransomware groups increasingly employ. In addition to encrypting the files on victims' devices, the groups first exfiltrate sensitive information from the victims' machines. This gives them more leverage: the question is no longer just whether the locked data can be decrypted but whether it will be leaked, which is why restoring from backups alone does not end a double-extortion incident. The BlackCat ransomware group is one example, because its tooling both steals and encrypts data on victims' machines and other assets. According to a cybersecurity company, the BianLian ransomware group shifted the focus of its attacks in March from encrypting victims' files to pure extortion in order to extract payments.

Triple Extortion Tactics

Some ransomware groups take this a step further with triple extortion. They encrypt files, exfiltrate sensitive data, and then add distributed denial-of-service (DDoS) attacks to the mix. If the ransom isn't paid, the files stay locked, the data is leaked, and the DDoS traffic disrupts regular services. Ransomware groups were previously focused on encryption; now, often with the help of affiliate or partner groups, they are also involved in data exfiltration, compromising victims' websites, and carrying out DDoS attacks. The idea is to put more pressure on the victim.

Contacting Victims’ Companies’ Stakeholders

Another strategy ransomware groups use to pressure victims is to contact the clients or stakeholders of the company being attacked. Because this harms the victim's reputation and can result in financial losses larger than the ransom itself, victims tend to pay. The groups contact victims' clients directly through email or phone calls. The Cl0p ransomware group, for example, emailed victims' stakeholders and clients, alerting them that their data would be disclosed. Cl0p also maintained a website with a daily updated list of its victims and their stakeholders. This increases the pressure on the victim, making it appear that paying the ransom is the quickest way to end the attack. The Lorenz and LockBit groups, in addition to contacting clients and stakeholders, have published their ransom negotiations with victims on their leak sites. This further damages the victim's reputation and increases the urgency of the ransom demand.

Changing The Malware Anatomy

The way malware is coded has also changed, making detection more difficult. Malware authors employ various tactics to avoid sandbox detection and significantly slow down incident response. The recently seen BlackCat ransomware runs only if a 32-character access token is supplied to the executable as a command-line argument. Automated sandboxing tools fail to analyze the sample unless the required argument is provided. That argument can only be recovered through manual sample analysis, which takes significant time and expertise and puts considerable strain on victims during an incident. For defenders, the gate is itself an artifact: the token is passed on the command line, so process-creation telemetry (EDR, Sysmon) records it on the victim host even when a sandbox cannot get the sample to run.
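As an added example (not code from the original article), here is a detection pass over process-creation telemetry that looks for the gate itself: a process launched with a bare 32-character token argument. The sample events are constructed Sysmon-style records, and the `--access-token` flag name is taken from public BlackCat reporting rather than from this page; everything else (allowlist, field names, severity labels) is an assumption made for illustration.

```python
"""Flag process launches gated by a command-line access token.

Added example, not code from the original article. Sample events are
constructed to resemble Sysmon Event ID 1 / EDR process-creation records;
the --access-token flag name is assumed from public BlackCat reporting and
is not stated on the page. Any bare 32-character alphanumeric argument is
treated as a token so that a renamed flag is still caught.
"""
import json
import re
import shlex
from typing import List, Optional

# A 32-character alphanumeric argument standing on its own (the gate value).
TOKEN_RE = re.compile(r"^[A-Za-z0-9]{32}$")
# Flag names assumed (from public reporting, not this page) to carry the token.
KNOWN_TOKEN_FLAGS = {"--access-token", "-a"}
# Tools for which a long token argument is routine; assumed allowlist.
ALLOWLIST = {"git.exe", "az.exe", "aws.exe", "gh.exe"}


def split_cmdline(cmdline: str) -> List[str]:
    """Tokenize a command line; fall back to whitespace on unbalanced quotes."""
    try:
        return shlex.split(cmdline, posix=False)
    except ValueError:
        return cmdline.split()


def token_args(cmdline: str) -> List[str]:
    """Return every 32-character argument after the image name, including --flag=VALUE forms."""
    found = []
    for i, part in enumerate(split_cmdline(cmdline)):
        if i == 0:
            continue  # skip the image path itself
        bare = part.strip('"')
        if "=" in bare:
            bare = bare.split("=", 1)[1]
        if TOKEN_RE.match(bare):
            found.append(bare)
    return found


def score_event(event: dict) -> Optional[dict]:
    """Return an alert dict if the launch looks token-gated, else None."""
    image = event.get("Image", "").replace("\\", "/").rsplit("/", 1)[-1].lower()
    if image in ALLOWLIST:
        return None
    cmdline = event.get("CommandLine", "")
    tokens = token_args(cmdline)
    if not tokens:
        return None
    parts = [p.lower() for p in split_cmdline(cmdline)]
    known_flag = any(p.split("=", 1)[0] in KNOWN_TOKEN_FLAGS for p in parts)
    return {
        "image": image,
        "pid": event.get("ProcessId"),
        "user": event.get("User"),
        "tokens": tokens,
        "severity": "high" if known_flag else "medium",
    }


def scan(lines) -> List[dict]:
    """Run score_event over JSON-per-line process-creation records."""
    alerts = []
    for line in lines:
        line = line.strip()
        if line:
            alert = score_event(json.loads(line))
            if alert:
                alerts.append(alert)
    return alerts


# Constructed sample telemetry (not real captures).
SAMPLE_EVENTS = [
    '{"EventID":1,"ProcessId":4120,"User":"CORP\\\\svc_backup","Image":"C:\\\\Users\\\\Public\\\\update.exe","CommandLine":"update.exe --access-token 0f1e2d3c4b5a69788796a5b4c3d2e1f0 -p 5"}',
    '{"EventID":1,"ProcessId":4188,"User":"CORP\\\\jdoe","Image":"C:\\\\Program Files\\\\Git\\\\cmd\\\\git.exe","CommandLine":"git.exe push --force"}',
    '{"EventID":1,"ProcessId":4210,"User":"CORP\\\\jdoe","Image":"C:\\\\Windows\\\\System32\\\\notepad.exe","CommandLine":"notepad.exe report.txt"}',
    '{"EventID":1,"ProcessId":4302,"User":"CORP\\\\jdoe","Image":"C:\\\\Temp\\\\svchost.exe","CommandLine":"svchost.exe -k ABCDEF0123456789abcdef0123456789"}',
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

The check deliberately treats any 32-character alphanumeric argument as a candidate token rather than keying only on a known flag name, because renaming a flag costs the operator nothing; the allowlist keeps tools that legitimately take long tokens (credential helpers, cloud CLIs) from alerting, and a known flag name only raises the severity.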

Ransomware groups including Agenda, BlackCat, Hive, and RansomExx have created versions of their ransomware in the Rust programming language. The cross-platform language lets a group maintain one code base that targets both the Windows and Linux systems in a company. Rust makes it easier to target Linux and, because analysts and detection tooling are less accustomed to Rust binaries than to C/C++ or .NET ones, makes antivirus analysis and malware detection more complex, which makes it attractive to threat actors. ALPHV, the Russia-linked group behind BlackCat, created the first ransomware written in Rust. The group, the second most active ransomware operation in 2022, also built a searchable database on its leak site in which victims' clients and employees can look up their own data; "ALPHV Collections" lets anyone search the stolen information by keyword.

LockBit has also launched a bug bounty program. Bug bounty programs are normally sponsored by organizations that invite ethical hackers to find and report vulnerabilities in their software in exchange for a reward. In the hands of a ransomware group, the same model lets threat operators and other cybercriminals demonstrate their skills and find weaknesses in the ransomware and its infrastructure before defenders do. One cybersecurity company recommends that companies back up vital data and store the backups in secure locations, so that even if systems are infected with ransomware, data can be restored from the backups.

Defending Against Ransomware Attacks

Companies deploy controls to protect the assets that store or access critical data, but they often fail to deploy the proper controls around the data itself, which is what makes it hard for threat operators to reach or corrupt it. To respond effectively to ransomware incidents, a company's cybersecurity solutions must be responsive, agile, and easily scalable, which is best achieved by combining cloud delivery with machine learning analytics. Avoiding ransom payments is easier if the intrusion is detected before encryption begins. An effective endpoint backup strategy shortens the recovery side of the ransomware response workflow, though backups do nothing against the data-leak threat of double extortion and must themselves be kept offline or immutable, since ransomware groups routinely seek out and destroy any backups they can reach. Companies should take the following precautions to protect their employees and data against cunning threat operators.

  1. Lock down access to critical data to reduce the blast radius and minimize the damage threat operators can cause. Ensure employees, contractors, and service accounts have access only to the information needed to do their jobs.
  2. Locate and classify the crucial data that's at risk. Scan for anything threat operators would look for, including personal data, financial data, credentials, and passwords.
  3. Adopt multi-factor authentication. Microsoft has reported that MFA blocks over 99.9% of automated account-compromise attacks; it does not stop every intrusion (phishing kits that relay MFA prompts and stolen session tokens get past it), so treat it as necessary rather than sufficient.
  4. Monitor what matters most. Track how each user and account uses crucial data and watch for unusual activity, such as one account suddenly reading or modifying far more files than it normally does, which can indicate staging for exfiltration or the start of encryption.
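As an added example that is not part of the original article, the following script puts steps 1 and 4 above into working code: given an entitlement table (who may reach which sensitive share) and a file-access audit log, it reports grants that were never exercised during the window (least-privilege candidates) and hours in which an account touched far more distinct files than its own baseline. The entitlement table, the log format, and the thresholds are constructed for illustration and are assumptions, not the article's.

```python
"""Watch who touches sensitive data and how much of it, and find grants
nobody uses.

Added example, not code from the original article. The entitlement table
and the access log are constructed here to stand in for real share ACLs
and file-server audit events (Windows Event ID 4663 or a NAS audit log);
field names and thresholds are assumptions, not the article's.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

# Assumed entitlement table: account -> sensitive shares it may access.
ENTITLEMENTS = {
    "jdoe": {"Finance"},
    "asmith": {"Finance", "HR"},
    "svc_backup": {"Finance", "HR", "Legal"},
}


def parse_line(line):
    """Parse 'ts=... user=... share=... op=... path=...' into a dict."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    fields["ts"] = datetime.fromisoformat(fields["ts"].replace("Z", "+00:00"))
    return fields


def distinct_files_per_hour(events):
    """Return {(user, hour): set(paths)} over the parsed events."""
    buckets = defaultdict(set)
    for e in events:
        hour = e["ts"].replace(minute=0, second=0, microsecond=0)
        buckets[(e["user"], hour)].add(e["path"])
    return buckets


def mass_access_alerts(events, factor=10, floor=50):
    """Flag hours where a user touches far more distinct files than usual.

    The baseline is the median of the user's *other* hourly counts, so a
    single noisy hour cannot inflate its own baseline. An hour alerts only
    when it exceeds both `floor` files and `factor` times that baseline.
    """
    per_user = defaultdict(dict)
    for (user, hour), paths in distinct_files_per_hour(events).items():
        per_user[user][hour] = len(paths)
    alerts = []
    for user, hours in per_user.items():
        for hour, count in sorted(hours.items()):
            others = [c for h, c in hours.items() if h != hour]
            baseline = median(others) if others else 0
            if count > floor and count > factor * max(baseline, 1):
                alerts.append({"user": user, "hour": hour.isoformat(),
                               "files": count, "baseline": baseline})
    return alerts


def unused_grants(entitlements, events):
    """Shares a user may access but never touched in the window.

    These are least-privilege candidates: revoking them shrinks the blast
    radius if that account is later compromised.
    """
    used = defaultdict(set)
    for e in events:
        used[e["user"]].add(e["share"])
    return {user: sorted(shares - used[user])
            for user, shares in entitlements.items()
            if shares - used[user]}


def build_sample_log():
    """Constructed audit log: eight quiet hours, then one mass read."""
    lines = []
    start = datetime(2023, 5, 24, 8, 0)
    for h in range(8):                     # jdoe: four files per hour
        for n in range(4):
            ts = start + timedelta(hours=h, minutes=7 * n)
            lines.append(f"ts={ts.isoformat()}Z user=jdoe share=Finance "
                         f"op=read path=/Finance/q2/report{h}_{n}.xlsx")
    for n in range(320):                   # 17:00: jdoe reads 320 files
        ts = start + timedelta(hours=9, seconds=3 * n)
        lines.append(f"ts={ts.isoformat()}Z user=jdoe share=Finance "
                     f"op=read path=/Finance/archive/inv{n:04d}.pdf")
    for h in range(8):                     # asmith: light HR use only
        ts = start + timedelta(hours=h, minutes=30)
        lines.append(f"ts={ts.isoformat()}Z user=asmith share=HR "
                     f"op=read path=/HR/reviews/emp{h}.docx")
    ts = start + timedelta(hours=2)        # svc_backup: Finance only
    lines.append(f"ts={ts.isoformat()}Z user=svc_backup share=Finance "
                 f"op=read path=/Finance/backup.manifest")
    return lines


def analyze(lines):
    """Parse the log and run both checks."""
    events = [parse_line(line) for line in lines]
    return {"mass_access": mass_access_alerts(events),
            "unused_grants": unused_grants(ENTITLEMENTS, events)}


if __name__ == "__main__":
    result = analyze(build_sample_log())
    for a in result["mass_access"]:
        print("MASS ACCESS", a)
    for user, shares in result["unused_grants"].items():
        print("UNUSED GRANT", user, shares)
```

Counting distinct files rather than raw events matters: a backup agent re-reading the same manifest a thousand times is normal, while one interactive account opening hundreds of different documents in a few minutes is the pattern that precedes both exfiltration and encryption. The unused-grant report is the cheap half of step 1; revoking what is never used removes leverage before an attacker can use it.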

Additionally, companies need SOPs for responding to and remediating ransomware incidents, and effective awareness programs that teach users to recognize and report phishing and other suspicious activity. Companies must keep their operating systems, software, and security tools current with the latest security patches and updates, and use reliable, frequently updated antivirus and antimalware software.

With threat operators developing new tactics and techniques to extort more ransom payments, companies must stay vigilant about the latest threat landscape, regularly update their network security, and keep backups of their sensitive data. At SpearTip, we engage with companies' people, processes, and technology to measure the maturity of the security environment. Our consulting team researches the most modern security practices based on security standards to improve companies' operational, procedural, and technical control gaps. With our firewall review services, we analyze the configurations and interactions of your network infrastructure with the expertise of a skilled penetration tester. SpearTip discovers vulnerabilities in firewall systems and enables you to dedicate your resources to evaluating and prioritizing fixes. This provides visibility into actual network gaps, including existing false negatives. SpearTip provides clear remediation steps for all uncovered weaknesses to ensure a strengthened security posture. Identifying technical vulnerabilities inside and outside of companies provides deeper context on potential gaps in the environment.

If your company is experiencing a breach, call our Security Operations Centers at 833.997.7327 to speak directly with an engineer.
