Ransomware remains one of the biggest cybersecurity threats that organizations and governments continue to face. However, hackers are devising new ways to extract ransom from their victims as organizations make a conscious call to reject ransom payment demands.
With the downfall of the most well-known ransomware gang, Conti, in May 2022, it was assumed that ransomware attacks would see a major decline. However, Tenable found that 35.5% of breaches in 2022 were the result of a ransomware attack, only a 2.5% decrease from 2021.
Meanwhile, payouts to ransomware victims declined by 38% in 2022, prompting hackers to adopt more professional and corporate tactics to secure higher returns, according to Trend Micro’s Annual Cyber Security Report.
“Cybercriminals have more and more KPIs and targets to achieve. There are specific targets that need to be penetrated in a specific time period. It has become a highly organized crime due to the business model followed by ransomware groups for which they have started increasing pressure,” said Maheswaran S, Country Manager, Varonis Systems.
The double extortion tactic
One of the tactics increasingly used by ransomware groups is double extortion. In the double extortion method, the ransomware group, in addition to encrypting files on the victim’s systems, also downloads sensitive information from the victim’s machine.
“This gives them more power because now it’s not just about decrypting the locked data, it’s also about leaking it,” said Mehardeep Singh Sawhney, a threat researcher at CloudSEK.
An example of this is the BlackCat ransomware gang, which can encrypt and steal data from victims’ machines and other assets such as ESXi servers, CloudSEK said.
In March, the BianLian ransomware group shifted the primary focus of its attacks from encrypting victims’ files to extortion as its means of extracting payments, according to cybersecurity firm Redacted.
The triple extortion method
Some ransomware gangs go one step further and implement the triple extortion method.
In the triple extortion method, ransomware gangs encrypt files, extract sensitive data, and then add distributed denial of service (DDoS) attacks to the mix. Unless the ransom is paid, not only will all files remain locked, but even regular services will be disrupted via DDoS.
“Earlier, ransomware groups focused on encryption, but now, with a collaboration with other groups, they are involved in exfiltrating data and also compromise the victim organization’s website or carry out DDoS attacks. The idea behind this is to add more and more pressure on the victim organization,” Maheswaran said.
Contact stakeholders in victims’ organizations
Another tactic used by ransomware groups to increase pressure on victim organizations is to directly contact customers or stakeholders of the targeted company.
Because this negatively affects the reputation of the victim’s organization and can sometimes lead to financial losses that may be higher than the actual ransom, victim organizations tend to pay, Maheswaran said.
Ransomware groups personally seek out the victim’s customers via email or phone calls, Sawhney said. An example of this is how the Cl0p ransomware group sent an email to its victims’ stakeholders and customers, informing them that even their data would be leaked.
“Cl0p also maintained a website where a list of its victims and interested parties was updated daily. This adds more pressure on the victim company, making it appear that the fastest way to end the attack is to pay the ransom amount,” Sawhney said.
In addition to contacting customers and stakeholders, the Lorenz and LockBit ransomware groups have also leaked their ransom negotiations with victim organizations on their leak sites. “It can further damage the company’s reputation and increase the perceived urgency of the ransom demand,” cybersecurity firm Cyble said in a report.
Malware anatomy modification
The way malware is written has also changed, making detection more difficult. Malware authors have begun using various techniques to evade sandbox detection, which in turn slows incident response.
“For example, the recently seen BlackCat ransomware only executes if a 32-character access token is provided to the executable,” Sawhney said. This means that automated sandboxing tools will fail to analyze the sample unless the required arguments are provided.
This information can only be found by manual analysis of the sample, which requires a lot of time and expertise, putting a lot of pressure on the victim company during an incident.
Ransomware groups such as Agenda, BlackCat, Hive, and RansomExx have also developed versions of their ransomware in the Rust programming language. “This cross-platform language allows groups to customize malware for operating systems such as Windows and Linux, which are widely used by businesses,” Trend Micro said in a report.
Using the Rust programming language makes it easier to target Linux and harder for antivirus to analyze and detect malware, making it more attractive to threat actors.
The Russian-linked ALPHV group was the first ransomware to be written in Rust. This group, which was the second most active ransomware in 2022, according to Malwarebytes, also created a searchable database on its leak site where employees and customers of its victims can search for their data. The group’s “ALPHV Collections” allow anyone to use keywords to search for stolen sensitive information.
Another ransomware group, LockBit, even started its own bug bounty program. Bug bounty programs are generally run by organizations that invite ethical hackers to identify and report vulnerabilities in their software in exchange for a reward. “With ransomware groups, it becomes a platform for hackers or cybercriminals to showcase their talent and discover new malware to be deployed,” said Vijendra Katiyar, country director for India at Trend Micro.
Protection against ransomware attacks
While organizations are increasingly deploying controls to protect the assets that store or access critical data, they are largely failing to deploy the right controls around the data itself, which is extremely important to making it harder for an attacker to gain access to or corrupt the data, according to Maheswaran.
For organizations to effectively respond to ransomware incidents, their cybersecurity solutions must be responsive, agile and easily scalable, and this is best achieved through a combination of cloud analytics and machine learning, said Harshil Doshi, Securonix Country Director.
“It’s easier to avoid paying the ransom if you detect the risk before encryption happens. Or you can avoid ransomware response workflows altogether by having an effective endpoint backup strategy,” Doshi added.
Organizations should take the following steps to ensure that employees do not fall victim to a smart attacker:
- Reduce the blast radius: minimize the damage attackers can do by restricting access to critical data and ensuring that employees and contractors can only access the data they need to do their jobs.
- Find and identify critical data at risk: locate everything attackers look for, including personal data, financial data, and passwords.
- Adopt multi-factor authentication: enabling MFA makes an organization 99% less likely to be hacked.
- Watch what matters most: monitor how each user and account uses critical data and watch for any unusual activity that could indicate a potential cyberattack.
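As an added illustration of the last step (monitoring how accounts use critical data), not code from the article or from any vendor quoted in it: a small Python detector run over a constructed file-access audit trail. It flags an account that touches an unusual number of distinct files within a short window, and renames that introduce a file extension the organization has never used, two signals that typically precede bulk encryption or exfiltration. The log format, thresholds and extension list are assumptions.

```python
import re
from collections import defaultdict, deque

WINDOW_SECONDS = 60       # sliding window per account (assumed tuning value)
MAX_FILES_PER_WINDOW = 5  # distinct files one account may touch per window
KNOWN_EXTENSIONS = {"xlsx", "docx", "pdf", "csv", "txt"}  # assumed baseline

# Constructed sample audit trail (not real data): "<epoch> <user> <action> <path> [-> <new_path>]"
SAMPLE_EVENTS = """\
1000 alice READ   /shares/finance/Q1_budget.xlsx
1020 alice WRITE  /shares/finance/Q1_budget.xlsx
1100 bob   READ   /shares/hr/payroll.csv
1101 bob   READ   /shares/hr/benefits.docx
1102 bob   READ   /shares/hr/contracts.pdf
1103 bob   READ   /shares/hr/salaries.xlsx
1104 bob   READ   /shares/hr/ssn_list.txt
1105 bob   READ   /shares/hr/board_minutes.docx
1110 bob   RENAME /shares/hr/payroll.csv -> /shares/hr/payroll.csv.locked
1500 carol WRITE  /shares/legal/notes.txt
"""

LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(READ|WRITE|RENAME)\s+(\S+)(?:\s+->\s+(\S+))?$")


def parse_events(text):
    """Parse the audit format into (ts, user, action, path, new_path) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, user, action, path, new_path = m.groups()
            events.append((int(ts), user, action, path, new_path))
    return events


def detect(events):
    """Return (user, alert_type, detail) tuples for suspicious access patterns."""
    alerts, flagged = [], set()
    recent = defaultdict(deque)  # user -> deque of (ts, path) inside the window
    for ts, user, action, path, new_path in events:
        q = recent[user]
        q.append((ts, path))
        while q and ts - q[0][0] > WINDOW_SECONDS:  # drop events outside the window
            q.popleft()
        distinct = {p for _, p in q}
        if len(distinct) > MAX_FILES_PER_WINDOW and (user, "mass_access") not in flagged:
            flagged.add((user, "mass_access"))  # alert once per account
            alerts.append((user, "mass_access", f"{len(distinct)} distinct files in {WINDOW_SECONDS}s"))
        if action == "RENAME" and new_path:
            ext = new_path.rsplit(".", 1)[-1].lower()
            if ext not in KNOWN_EXTENSIONS:  # new extension on rename: possible encryption
                alerts.append((user, "unknown_extension", new_path))
    return alerts
```

In the sample, bob reads six HR files in six seconds and then renames one to a `.locked` extension, so both rules fire for bob and nothing fires for alice or carol.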
“It is also important for organizations to have SOPs in place to respond to and remediate ransomware incidents and to have effective awareness programs to educate users to detect and report breaches,” Maheswaran said.
CloudSEK suggests that organizations back up critical data and store it in a secure location. This way, even if their systems are infected with ransomware, they can restore their data from backup.
Organizations must also ensure that their operating system, software and security tools are up to date with the latest security patches and updates. They should use reputable anti-virus and anti-malware software and ensure it is updated regularly, CloudSEK said.
Copyright © 2023 IDG Communications, Inc.
Hackers are constantly evolving their tactics, and the newest ransomware trend shows how desperate they are to ensure payment. Ransomware is a type of malicious software that is used to hold a person or organization’s data hostage until a payment is made. Recent ransomware attacks have been more sophisticated, leaving organizations helpless and with no other choice but to pay.
At Ikaroa, our team of cybersecurity professionals has been closely monitoring the latest ransomware attacks. Our experts have observed that, in some instances, hackers have been using social engineering tactics to fuel their ransomware campaigns. The tactic involves phishing emails sent to individual employees, convincing them to enter sensitive information, such as usernames and passwords, into a website or to install malicious software. The malware then infects their system, encrypting and stealing data until a ransom is paid.
In other cases, hackers are increasingly using ‘double extortion’ tactics. This involves attackers not only encrypting data, but also stealing it, then using a form of psychological blackmail in order to pressure their targets into paying the ransom demand. They threaten to publish the data if the ransom is not paid. This strategy has proven effective, with victims often deciding it is better to pay rather than face security breaches and public humiliation from having their data released to the public.
At Ikaroa, we take the security of our customers and the community very seriously. Our team is trained to detect and respond to the latest threats, so our clients can be assured that their data and resources remain safe from ransomware attacks. Our security system is designed to detect and isolate malicious activity and is regularly updated with the latest threat intelligence.
Ransomware attackers are becoming more and more sophisticated in their tactics, and organizations need to be vigilant in order to remain safe. With the help of organizations like Ikaroa, your business can stay safe and secure. We take the security of your organization seriously, so you can be confident knowing your data is safe and secure.