Ransomware is no longer simply about encrypting files and asking for cryptocurrency. New harassment tactics, layered on top of multi-extortion strategies, have increased the risk to businesses and made the traditional advice about maintaining backups insufficient, according to the Unit 42 Ransomware and Extortion Report from cyber security software company Palo Alto.
Where once ransomware attacks were a relatively simple one-vector attack – encrypting important files and then demanding the key in return for payment (often in cryptocurrency) – threat actors are now adding more layers to their attacks.
The report found operators are now ditching ransom demands in favour of straight extortion, stealing data and threatening to publish it unless a victim pays up.
“The number one goal for many criminal threat actors is getting paid, and they’ll do whatever they can to improve the chances of that happening,” Unit 42 researchers said in their Ransomware and Extortion Report.
“As such, we are seeing threat actors increasingly focus on extortion techniques – often layering them on top of each other.”
The use of multi-layered tactics rose sharply heading into 2023. In 70% of cases, threat actors also stole the data they encrypted, up from 40% in the year before. More strikingly, 20% of ransomware attacks now also include harassment of customers or employees, compared to less than 1% previously.
The harassment is aimed at getting a company’s attention if the negotiation process is taking too long.
Distributed denial-of-service (DDoS) attacks have also been seen as a negotiation tactic, but only in 2% of cases, unchanged from 2021, according to the report.
However, as ransomware strategies evolve, the traditional reliance on backups is no longer the ideal solution, according to Unit 42 researchers.
While a good backup regime is still essential for data security, companies are increasingly finding that even if they can restore from backups and ignore ransom requests, threat actors are pivoting to extortion as their own backup plan.
Unit 42 recommended that businesses have a playbook prepared for every facet of modern ransomware attacks and have training and resources to be cyber-ready. It is also important to make sure that both security and legal teams are part of the process.
“During an active extortion incident, rapid support from your incident response partner and outside legal counsel is critical,” the report said.
“From a mitigation perspective, having a comprehensive incident response plan with corresponding crisis communication protocols will greatly reduce uncertainty.
“Harassment awareness training should also be part of a company’s ransomware attack response playbook.
“Post mortems are also essential so that learnings can be properly recorded and acted upon and any possible backdoors from a successful attack addressed.”