With the advent of “big game hunting” in ransomware, criminals are getting creative in how they select victims, maximize disruption, and encourage payment of ransoms. This tactic involves seeking high-value, high-profile targets and timing attacks to inflict extensive damage.
Victims tend to be organizations that are most negatively affected by downtime, such as those in the areas of education, healthcare, and government.
How ransomware criminals are extorting organizations have evolved dramatically since 2019. Beyond rising ransom demands, criminals’ methods for exerting pressure are becoming more intense, creative, and public. Responding to these new challenges requires a comprehensive approach to Zero Trust to deny attackers the ability to exploit attack vectors and move laterally.
Though ransomware strategies change constantly, criminals’ attacks over the past two years have a common theme — their extortion tactics are more painful and visible, with much higher stakes. The goal is no longer just about encrypting files, but about making the potential repercussions for a victim so significant that paying the ransom feels like the only option, thereby increasing their success rates. Here are seven recent tactics attackers have used:
Before 2019, it was rare for criminals to steal data with the intent to leak it. As recently as the third quarter of 2021, however, 83.3% of attacks involved the threat of data exfiltration, according to one analysis. Different ransomware cartels put their spin on how they conduct negotiations and encourage payment. Some, like the Clop ransomware group, demand two separate ransoms — one to get the encryption key and one to avoid having files leaked. This means that even if an organization has backups to restore from, they may pay to avoid reputational harm or fines related to data privacy. Attackers may also return access to some initial files as a measure of good faith — the ransomware equivalent of a free trial. Or they might leak some material right away and publish the rest in timed increments.
With triple extortion, attackers contact customers, business partners, and other third parties associated with the victim organization. In some cases, this is to demand payment from the third party, as occurred with an attack on a psychotherapy clinic. Patients were told to pay if they did not want notes from their sessions posted online. In other instances, the criminals tell recipients to contact the victim organization and urge payment of the ransom — thus outsourcing some of the coercion efforts.
According to the FBI, some organizations are targeted based on imminent events like mergers, acquisitions, and product announcements. The risks of reputational damage and a nosedive in stock value make a ransom demand more compelling. The FBI reports that this occurs for mergers under private negotiations as well. While infiltrating networks, criminals seek to unearth nonpublic data to identify targets and motivate payment. A leak can be particularly destructive for an organization if it involves the release of a product blueprint or roadmap since it erodes competitive advantage. The FBI finds that attackers frequently strike over holidays and weekends when it is easier to cause disruption.
Criminals are overwhelming and harassing victims across multiple channels. Using information acquired while infiltrating a network, some groups will call and email employees. For example, criminals using Egregor ransomware have remotely printed ransom notes on organizations’ own printers. Some use countdown timers to highlight when a ransom offer expires or when the demanded amount will increase.
Dozens of websites for publishing stolen data have emerged in the last two years. Criminals will post data from non-paying victims on these pages or leak files one by one to ratchet up the intensity during negotiations. The publication of personal data requires the victim organization to report the breach to authorities, which might levy fines.
Tactics for boosting the visibility of an attack are extremely varied. For example, attackers can increase pressure to pay — and expose an organization to data privacy legal battles — by contacting journalists. The Ragnar Locker group drew attention to one attack by purchasing Facebook ads with stolen credentials. Some ransomware groups look globally for payoffs by auctioning off victims’ data. One that netted many headlines was the REvil group’s auction of client data from a celebrity law firm.
While an organization is already overburdened with contacting law enforcement and affected customers, locating file backups, and minimizing lateral movement, some attackers will threaten or instigate a distributed denial-of-service attack. During a hectic time, overwhelming a network adds stress and ties up more IT resources.
Why have extortion tactics changed so suddenly, when ransomware has existed for decades?
Criminals are now able to push harder for ransom payments because the stakes are considerably higher for victim organizations to stay online. Avoiding downtime is crucial when much of life happens online — criminals know how disruptive it is if they interfere with employees’ remote connections, student classes, patient appointments, customer orders, or other aspects of daily operations. Even if an organization has backups to restore from, the time this takes can cause a bigger financial hit than paying the ransom.
Other factors behind the evolution of attack tactics over the last two years include:
The rise of ransomware-as-a-service. Just as an organization can purchase a firewall via a cloud-based service, anyone can rent and deploy ransomware, regardless of technical ability. This model, which entails flat-rate pricing or paying a percentage of ransoms received, lowers the barriers to entry for initiating an attack.
Astoundingly high profit margins. One estimate puts ransomware’s profit margin at 98%. Compared with other illicit businesses, ransomware has substantially lower risks of arrest and death, further incentivizing market entrants.
Obligations to protect private data. Following the enactment and enforcement of privacy regulations such as GDPR, data leaks can trigger significant fines for victim organizations — and potential lawsuits from people whose data are exposed. This affects how criminals pick their targets and calculate ransoms, knowing that organizations will be doing cost-benefit analyses when planning incident response.
Organizations need a comprehensive and multifaceted strategy to help prevent and mitigate ransomware, particularly since these new extortion tactics increase the possible fallout of an attack.
A ransomware campaign is composed of several phases, and thus there are numerous opportunities to stop it. Embracing a Zero Trust security model is one way to reinforce a network’s perimeter and limit lateral movement. This approach, which involves imposing strict access controls and not trusting any user or system by default, decreases a criminal’s chances of escalating privileges and finding additional leverage to intensify negotiations.
Aspects of Zero Trust that help prevent and mitigate ransomware attacks include:
Least-privilege access: Giving each user access only to the parts of the network they need minimizes exposure and the potential for lateral movement if an attack occurs.
Multi-factor authentication: Requiring more than one means of proof of identity makes it harder for an attacker to impersonate a user.
Browser isolation: By confining browsing activity to a cloud-based, air-gapped environment, organizations can protect networks from malicious sites and apps.
DNS filtering: Preventing users and endpoints from loading malicious sites helps keep ransomware off user devices and the overall network.
User and device posture checks: Continuously cross-checking with endpoint security providers and identity providers ensures that only secure users and devices can connect to the network.
Cloudflare One, a Zero Trust network-as-a-service (NaaS) platform, combines security and networking services to securely connect remote users, offices, and data centers. It helps prevent ransomware by isolating high-risk browsing, blocking access to malicious URLs, and protecting open server ports against external intrusion.
This article is part of a series on the latest trends and topics impacting today’s technology decision-makers.
New and aggressive ransomware extortion tactics
Factors driving these changing methods
How attackers leverage data they acquire during network infiltration to motivate negotiations
The importance of Zero Trust principles in mitigating ransomware