Ransomware remains one of the biggest cyber threats that organisations and governments continue to face. However, hackers are engineering new ways to extract ransom from their victims as organisations take a conscious call to decline ransom payment demands.
With the fall of the most notorious ransomware gang Conti in May 2022, it was assumed that ransomware attacks would see a major decline. However, Tenable found that 35.5% of breaches in 2022 were the result of a ransomware attack, a minor 2.5% decrease from 2021. Similarly, in the fourth quarter of 2022 ransomware victim count declined by 5.1% versus the third quarter, according to Trend Micro.
Payouts from ransomware victims declined by 38% in 2022, which has prompted hackers to adopt more professional and corporate tactics to ensure higher returns, according to Trend Micro’s Annual Cybersecurity Report.
“Cybercriminals increasingly have KPIs and targets to achieve. There are specific targets that they need to penetrate within a specific time period. It has become a very organised crime because of the business model that the ransomware groups follow because of which they have started increasing the pressure,” said Maheswaran S, country manager at Varonis Systems.
The double extortion tactic
One of the tactics that is increasingly being used by the ransomware groups is double extortion. In the double extortion method, the ransomware group, in addition to encrypting the files on the victim’s systems, also downloads sensitive information from the victim’s machine.
“This gives them more leverage, since now the question is not only about decrypting the locked data but also about leaking it,” Mehardeep Singh Sawhney, a threat researcher at CloudSEK, said.
An example of this is the BlackCat ransomware gang, which can both encrypt and steal data from the victim’s machines and other assets in the environment, such as ESXi servers, CloudSEK said.
In March, ransomware group BianLian shifted the main focus of its attacks away from encrypting the files of its victims to focusing more on extortion as a means to extract payments, according to cybersecurity firm Redacted.
The triple extortion method
Some ransomware gangs go a step further and deploy the triple extortion method.
In the triple extortion method, the ransomware gangs encrypt files, extract sensitive data, and then add distributed denial-of-service (DDoS) attacks to the mix. Unless the ransom is paid, not only will all the files remain locked, but even regular services will be disrupted through DDoS.
“Earlier, ransomware groups were focused on encryption, but now, with collaboration with other groups, they are involved in data exfiltration as well as compromising the victim organisation’s website or carrying out DDoS attacks. The idea behind this is to add more and more pressure on the victim organisation,” Maheswaran said.
Contacting stakeholders of the victim organisations
Another tactic that the ransomware groups use to add pressure on the victim organisation is directly contacting the customers or stakeholders of the victim organisation.
Since this adversely affects the reputation of the victim organisation and can sometimes lead to financial losses that can amount higher than the actual ransom, victim organisations tend to pay up, Maheswaran said.
The ransomware groups personally reach out to the victim’s customers via email or calls, Sawhney said. An example of this is how the Cl0p ransomware group emailed stakeholders and customers of their victims, informing them that their data, too, would be leaked.
“Cl0p also maintained a website where a list of their victims and stakeholders was updated every day. This adds more pressure on the victim firm, making it seem like the fastest way to end the attack is to pay the ransom amount,” Sawhney said.
Along with contacting customers and stakeholders, Lorenz ransomware and LockBit have also leaked their ransom negotiations with victim organisations on their leak sites. “It can further damage the company’s reputation and increase the perceived urgency of the ransom demand,” cybersecurity firm Cyble said in a report.
Modifying the malware anatomy
The way the malware itself is written has also changed, which has made detection more difficult. Malware writers have started using multiple techniques to evade sandbox detection and greatly slow down incident response.
“For example, the BlackCat ransomware seen recently runs only if a 32-character access token is supplied to the executable,” Sawhney said. This means that automated sandboxing tools will fail to analyse the sample unless the required arguments are supplied.
That information can only be recovered through manual analysis of the sample, which takes considerable time and expertise, putting further pressure on the victim firm during an incident.
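As an added, defender-side example that is not from the article or any vendor quoted in it: a small Python scan over constructed, Sysmon-style process-creation records that flags executables launched with an argument of exactly 32 alphanumeric characters, the shape of the access token described above, so that such samples can be queued for manual analysis with their launch arguments preserved. The field layout, file paths, token values and the `--access-token` flag name in the sample records are all constructed for this example.

```python
import re
import shlex
from typing import Dict, List

# Constructed process-creation records (Sysmon-style key=value fields).
# Paths, flags and token values are made up for this example, not real telemetry.
SAMPLE_LOGS = [
    'EventID=1 Image="C:\\Windows\\System32\\svchost.exe" CommandLine="svchost.exe -k netsvcs -p"',
    'EventID=1 Image="C:\\Users\\Public\\update.exe" CommandLine="update.exe --access-token 15742aef1a4e4fa8b8d3ff17cd3f9ad2 -v"',
    'EventID=1 Image="C:\\Program Files\\Git\\git.exe" CommandLine="git checkout 9fceb02d0ae598e95dc970b74767f19372d61af8"',
    'EventID=1 Image="C:\\Temp\\run.exe" CommandLine="run.exe --key Abc123XYZ9876543210abcdefGHIJKL"',
]

# Exactly 32 alphanumeric characters: a 40-char git hash or a 31-char key will not match.
TOKEN_RE = re.compile(r"^[A-Za-z0-9]{32}$")
# key=value pairs; a value is either a double-quoted string or a run of non-spaces.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line: str) -> Dict[str, str]:
    """Split one key=value record into a dict, stripping quotes around values."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def token_args(cmdline: str) -> List[str]:
    """Return the command-line arguments (excluding argv[0]) that look like a 32-char token."""
    try:
        args = shlex.split(cmdline)  # honours quoting inside the command line
    except ValueError:  # unbalanced quotes: fall back to a plain split
        args = cmdline.split()
    return [a for a in args[1:] if TOKEN_RE.match(a)]


def find_token_gated_launches(lines: List[str]) -> List[Dict[str, object]]:
    """Flag process-creation events whose command line carries a token-shaped argument.

    Each hit keeps the full command line so the sample can later be replayed
    with its original arguments during manual analysis.
    """
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "1":  # only process-creation events
            continue
        tokens = token_args(ev.get("CommandLine", ""))
        if tokens:
            hits.append({"image": ev.get("Image", "?"), "tokens": tokens,
                         "cmdline": ev.get("CommandLine", "")})
    return hits
```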
Ransomware groups such as Agenda, BlackCat, Hive, and RansomExx have also developed versions of their ransomware in the programming language Rust. “This cross-platform language allows groups to customise malware for operating systems like Windows and Linux, which are widely used by businesses,” Trend Micro said in a report.
Using the Rust programming language makes it easier to target Linux and more difficult for antivirus to analyse and detect the malware, making it more appealing to threat actors.
Russia-linked ALPHV group was the first ransomware to be coded in the Rust programming language. This group, which was the second most active ransomware in 2022, according to Malwarebytes, also created a searchable database on its leak site where employees and customers of their victims can search for their data. The group’s “ALPHV Collections” allows anyone to use keywords to search for sensitive stolen information.
Another ransomware group, LockBit, even started its own bug bounty program. Bug bounty programs are generally run by organisations that invite ethical hackers to identify vulnerabilities in their software and report them in return for a reward. “With ransomware groups, it becomes a platform for hackers or cybercriminals to show their talent and discover new malware to be deployed,” said Vijendra Katiyar, country manager for India at Trend Micro.
Safeguarding against ransomware attacks
While organisations are deploying more and more controls to protect the assets that store or access critical data, they do not necessarily deploy the right controls around the data itself, which is what makes it difficult for an attacker to gain access to or corrupt that data, according to Maheswaran.
For organisations to respond effectively to ransomware incidents, their cybersecurity solutions need to be responsive, agile, and easily scalable, and this is best achieved through a combination of the cloud and machine learning analytics, said Harshil Doshi, country director at Securonix.
“It is easier to avoid paying the ransom if you detect the risk before encryption occurs. Or you can avoid ransomware response workflows altogether by having an effective endpoint backup strategy,” Doshi added.
Organisations should take the following steps to ensure that employees do not fall victim to a clever attacker:
- Reduce the blast radius. Minimise the damage attackers could do by locking down access to critical data and ensuring that employees and contractors can access only the data they need to do their jobs.
- Find and identify critical data that is at risk. Scan for everything attackers look for, including personal data, financial data, and passwords.
- Embrace multifactor authentication. Enabling MFA makes an organisation 99% less likely to get hacked.
- Monitor what matters most. Monitor how every user and account uses critical data, and watch for any unusual activity that could indicate a possible cyberattack.
“It’s also important for organisations to have SOPs for responding to and remediating ransomware incidents, and to have effective awareness programs to educate users to detect and report breaches,” Maheswaran said.
CloudSEK suggests organisations create a backup of critical data and store it in a secure location. This way, even if their systems are infected with ransomware, they can restore their data from the backup.
Organisations must also ensure their operating system, software, and security tools are up to date with the latest security patches and updates. They must use reputable antivirus and antimalware software and ensure that it is regularly updated, CloudSEK said.