Once, the term "ransomware" was synonymous with encryption — attackers locked victims' data behind cryptographic walls and demanded ransom for the keys. Today, however, the landscape is shifting to encryptionless extortion and harassment. Meanwhile, cybercriminals have abandoned their "code of ethics" and will target anyone to get paid at any cost.
This trend comes at a time when ransomware attacks have reached record levels. NCC Group observed 502 incidents in July, a 154% increase from the same month last year. Arctic Wolf's Ransomware Landscape Overview also found a 46% jump in the first half of 2023 compared to the second half of 2022. Zscaler's 2023 ThreatLabz Ransomware Report showed that attacks increased by more than 37% year over year.
Additionally, recent statistics from Palo Alto Networks Unit 42 revealed that the share of ransomware cases involving data theft has almost doubled, from 40% in mid-2021 to about 70% by the end of 2022. Similarly, by late 2022, harassment was a factor in about 20% of ransomware cases, compared to less than 1% in mid-2021.
More extortion, less encryption — why?

Security experts have noted that organizations have become better at backing up their data. Mike Sikorski, Unit 42 CTO and VP of engineering at Palo Alto Networks, told SDxCentral during an interview at Black Hat that payment for encrypted data is becoming less common due to government sanctions and insurance policies. “But the threat actors want to get paid, and they're gonna get paid. And so what they do is they steal your data and harass you.”
Another reason for the extortion-only strategy is that it avoids drawing attention from law enforcement or the public eye, thus staying under the radar, noted Deepen Desai, global CISO and head of security research at Zscaler.
“The reason why we see they're doing this is they want to cause less business disruption. They don't want the victim to appear in the news, public attention or law enforcement attention either. They themselves want to stay under the radar as well,” he said.
Zscaler's ThreatLabz research team has observed massive amounts of sensitive information being stolen from organizations during these attacks, with up to 24TB of data being lost from a single victim.
Desai adds that some attackers are even framing their activities as "post-exploitation pen-test services." "The attack that we did on your organization is a service to you. It's a multimillion-dollar ‘pen-test exercise,’ but we're gonna tell you exactly how we went about tapping your environment.”
How encryptionless extortion works

Instead of the traditional tactic of encrypting a victim’s files and demanding a ransom for their release, encryptionless ransom attacks skip the encryption step entirely and focus on exfiltrating sensitive data, which is then used as leverage for extortion.
According to Zscaler, the encryptionless extortion tactic originally started with ransomware groups like Babuk and SnapMC, and now a number of new families have adopted this tactic, including Karakurt, Donut, RansomHouse, and BianLian.
Head of Cisco Talos Outreach Nick Biasini outlined two main trends. First, large and sophisticated ransomware groups are focusing more on “pure extortion” rather than encryption. Biasini explained that larger organizations are getting better at ransomware response, and that a full ransomware deployment targeting these big companies requires a high level of access.
“Whereas just doing a smash and grab on data is much faster. It's much quieter; it allows them to operate with a little more impunity,” Biasini told SDxCentral.
He explained that for larger organizations, threat actors have realized that ransomware attacks are less likely to be paid, but “data that's exfiltrated out of your network that's stolen, you can't roll back from," so the extortion method is a higher value proposition.
On the other hand, smaller groups, leveraging open-source builders and leaked code, are targeting more small and medium-sized businesses with simpler ransomware attacks. “They're modifying it, creating their own ransomware variants. But these groups aren't going after these big targets typically, they're going after smaller targets, who are much more likely to pay a ransom and are much less well-equipped to deal with ransomware.”
“For years, small and medium businesses largely haven't had to deal with this rash of ransomware, and they don't really have the budget to be able to support buying a bunch of technology,” he added.
Data exfiltration comes with an irrecoverable loss

Unlike encrypted data, which can potentially be restored from backups, stolen data is gone for good. Extortion victims have to decide whether to pay the ransom in the hope of preventing the data from being released publicly.
“There's nothing you can do with the data's gone,” Biasini said. “So you do have to make a decision on whether or not you want to pay the extortion to prevent the data from being released or not.
“And there's also the risk of the fact that you're trusting a criminal to destroy data that they stole from you … So it's a tough problem for organizations to face for sure,” he added.
On the flip side, Palo Alto's Sikorski noted if ransomware groups release data after being paid, this could damage their reputation and they will be less likely to get their extortion fee in the future.
Unit 42 tracks ransomware groups closely and helps customers with ransom negotiations. These ransomware groups “have a reputation score with us … When [victims] pay, you're going to do what you say; otherwise, when we see you in a few weeks when you hack the next person, we do the IR [incident response] for it, we're gonna advise them not to pay you because we saw you go back on your words.”
“So you'd be surprised, they actually follow through for the most part. Maybe they don't delete the data, but they often don't then leak it the next day after they get paid,” he said.
Biasini emphasizes the importance of proactive measures: strong access controls, network segmentation, and behavioral analytics tools that can detect suspicious activity, such as unusual outbound data transfers, before the exfiltration is complete.
“The biggest thing that you can do is detect the attack before it gets to that stage,” he said. “This is why it's so important to secure accounts, make sure that you have protections in place, segmentation in place, and create a way for them to create noise.”
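The behavioral detection Biasini describes comes down to noticing the "smash and grab" while it is still in progress. The following script is an added example, not code from SDxCentral, Cisco Talos or any vendor quoted above. It assumes a simplified proxy/flow log format (timestamp, source host, destination host, bytes sent) and constructed per-host baselines; the log lines, host names, thresholds and destinations are all made up for illustration. It sums outbound bytes per host per hour and raises an alert when a host exceeds a multiple of its baseline, attaching extra reasons when the traffic goes to an unapproved bulk destination or happens during quiet hours.

```python
"""Volume-based outbound transfer detection over constructed proxy log lines.

Added example (not from the SDxCentral article or any vendor quoted in it).
Log format, host names, baselines and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample lines: "<timestamp> <src_host> <dst_host> <bytes_out>"
SAMPLE_LOG = """\
2023-08-01T02:00:05Z ws-finance-07 cdn.example.net 48211
2023-08-01T02:03:11Z ws-finance-07 storage.unknown-host.example 734003200
2023-08-01T02:09:44Z ws-finance-07 storage.unknown-host.example 812345678
2023-08-01T02:15:02Z ws-finance-07 storage.unknown-host.example 798000000
2023-08-01T09:12:30Z ws-sales-03 mail.example.com 1200455
2023-08-01T09:40:00Z ws-sales-03 saas.example.org 3200000
2023-08-01T10:02:19Z srv-backup-01 backup.example.com 2147483648
"""

# Constructed per-host baselines (bytes sent per hour on a normal day). In practice
# these would be learned from historical data rather than hard-coded.
BASELINE_BYTES_PER_HOUR = {
    "ws-finance-07": 5_000_000,
    "ws-sales-03": 5_000_000,
    "srv-backup-01": 3_000_000_000,  # backup server legitimately pushes gigabytes
}

# Destinations where bulk outbound transfer is expected (constructed allowlist).
APPROVED_BULK_DESTINATIONS = frozenset({"backup.example.com"})


def parse_log(text):
    """Yield (timestamp, src, dst, bytes_out) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
            yield ts, parts[1], parts[2], int(parts[3])
        except ValueError:
            continue  # unparseable timestamp or byte count


def detect(text, baselines, approved_bulk_destinations,
           multiplier=10, default_baseline=10_000_000, quiet_hours=range(0, 6)):
    """Return one alert per (host, hour) whose outbound volume exceeds multiplier x baseline.

    Each alert records the total bytes and the reasons that raise its severity:
    'volume' (always), 'unapproved_destination' if any destination in that hour is
    off the allowlist, and 'after_hours' if the hour falls in quiet_hours.
    """
    per_hour = defaultdict(int)
    destinations = defaultdict(set)
    for ts, src, dst, nbytes in parse_log(text):
        key = (src, ts.replace(minute=0, second=0))  # bucket by hour
        per_hour[key] += nbytes
        destinations[key].add(dst)

    alerts = []
    for (host, hour), total in sorted(per_hour.items()):
        baseline = baselines.get(host, default_baseline)
        if total <= multiplier * baseline:
            continue
        reasons = ["volume"]
        if destinations[(host, hour)] - approved_bulk_destinations:
            reasons.append("unapproved_destination")
        if hour.hour in quiet_hours:
            reasons.append("after_hours")
        alerts.append({"host": host, "hour": hour.isoformat(),
                       "bytes": total, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG, BASELINE_BYTES_PER_HOUR, APPROVED_BULK_DESTINATIONS):
        print(alert)
```

On the constructed sample, only ws-finance-07 is flagged: roughly 2.3 GB sent to an unknown host between 02:00 and 03:00 is hundreds of times its baseline, while the backup server's 2 GB push to an approved destination stays below its own threshold. The per-host baseline is what keeps the backup server quiet; a single global threshold would either miss the workstation or drown the analyst in backup-window noise.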
Ransomware groups’ ethical code is gone, harassment on the rise

In recent years, hackers no longer follow an "ethical code" that once prevented them from targeting certain nonprofit organizations like schools and hospitals.
“Years ago, hackers really wanted to hack banks and stuff like that … they didn't want to steal from the poor, Robin Hood kind of thing,” Sikorski noted. “But now we're seeing them like, 'we'll do anything just to get paid.'”
He added organizations like hospitals and schools are “low-hanging fruits” for cybercriminals. “They don't have a great security budget, they don't have money for things. And so they're easy to hack, but they also don't have a lot of money to pay.”
However, these ransomware attacks will make headlines, get public attention and cause government policy changes. “I think it's going to cause an outcome that's going to bite them in the end," Sikorski said, "because ... it's going to end up causing an even bigger change than we've already seen with ransomware.”
The trend of hackers targeting a wider range of victims is likely to continue. At the same time, they are becoming more aggressive in another way: using harassment to pressure victims into paying ransoms.
“If they steal your data, they then can mess with you more. And the harassment is getting out of control,” Sikorski said. “We have CEOs or their wives getting text messages or flowers sent to them to harass them and say: 'I got your data, you better pay or this is gonna get much worse for you and I'm gonna go after your patients, your employees.'”
Doel Santos, senior threat researcher at Palo Alto Networks Unit 42, expects the individual harassment to get worse. “That's a line that people don't want to mix — their work life and personal life. Once attackers get access to that, that's where [victims] start panicking and start making rash decisions.”