How ransomware extortion is evolving

Cyber threat actors are adopting new methods to blackmail and threaten victims

Michael Hill
12/18/2023

The ransomware extortion landscape is evolving, with threat actors adopting new methods to blackmail and threaten their victims. Single-extortion, where cyber criminals demand payment to decrypt locked data or systems, is quickly becoming less frequent, with ransomware groups increasingly adopting double-extortion, where threat actors demand a ransom payment to decrypt victim data/systems and then threaten to publish stolen data unless the ransom is paid. Triple-extortion, which adds tactics such as distributed denial-of-service (DDoS) attacks or further intimidation of the victim or their customers, employees and stakeholders into paying a ransom, is also on the rise.

This played out recently when notorious ransomware group BlackCat/ALPHV filed a US Securities and Exchange Commission (SEC) complaint against one of its alleged victims for failing to comply with a four-day cyber attack disclosure rule. The unprecedented move took the threat group’s extortion efforts to a new level after it claimed to have recently breached and stolen data from the software company MeridianLink.

Cyber Security Hub spoke with Dr Jason Nurse, Institute of Cyber Security for Society at the University of Kent, and a co-lead of the Royal United Services Institute’s (RUSI) Ransomware Harms and the Victim Experience project, about the changing ransomware extortion landscape and the threats it poses to businesses.

Cyber Security Hub: In what ways are ransomware extortion methods evolving?

Dr Jason Nurse: Ransomware attacks have evolved significantly, displaying increased sophistication and harm-potential. In the past, cyber criminals sought to paralyze an organization’s systems and extort a ransom for access to be restored. In response to businesses enhancing their recovery capabilities and resisting payment, our research has discovered that attackers have adapted their methods to inflict a wider variety of harms.

CSH: What impact are evolving extortion methods having on the ransomware threats faced by organizations?

JN: The evolution of extortion methods means that the ransomware threat is pervasive and a persistent challenge for organizations. We found an extensive range of harms in our recent analysis of impacts from ransomware attacks. As businesses respond to the threat by bolstering their defenses – through measures like improving intrusion prevention systems, employee training and reinforcing backup strategies – cyber criminals promptly adjust their strategies to up the ante.

The significance of this threat has prompted increased government involvement. The Counter Ransomware Initiative (CRI) is an excellent example of such an effort and the recent agreement by CRI member states not to pay ransoms using government funds is certainly a powerful step forward in addressing this complex issue.

CSH: What do evolving extortion trends signify about today’s ransomware threat actors?

JN: The evolving trends in ransomware extortion mechanisms highlight a significant characteristic of today’s threat actors – their unwavering determination. These actors exhibit a remarkable readiness to adapt in any manner necessary to heighten the prospects of securing a ransom payment. Naming and shaming victim organizations on dark web notice boards, contacting individuals who do business with those organizations and disclosing sensitive corporate data all highlight a surprising level of resolve.

What has undoubtedly shocked most of the security community, however, has been the engagement of one cyber criminal group with the SEC. In this instance, the group filed a complaint alleging a business's failure to disclose a purported data breach instigated by the hackers. This places an organization in a challenging position, considering reporting obligations, notification procedures and the broader implications of negative publicity.

CSH: What’s your advice to any organization being extorted following a ransomware attack?

JN: Payment is not the only option – and should certainly not be the first option. The organization must recognize that ransomware groups will employ various tactics to push for a payment. If an organization is being extorted, the initial step should involve isolating all infected systems from the central network or shutting them down altogether. The organization can then engage with law enforcement, regulatory bodies, cyber insurance providers and, depending on the expertise internally, incident response firms for support in their response.

Some of these services may have access to decryption keys (e.g. No More Ransom), offer threat intelligence about the attacker, provide insights into the repercussions of payment and furnish information about the attacker’s affiliations with other entities. Such resources prove invaluable as the organization deliberates on the most effective response to the extortion attempt.

CSH: How can security stay ahead of ransomware extortion?

JN: This is very much an arms race. Cyber attackers are constantly exploring ways to increase the effectiveness of their ransomware extortion tactics. Conversely, defenders are continually preparing and responding to the best of their ability. A proactive strategy for cyber security to get ahead of the threat of ransomware involves developing a better understanding of all its facets – the attackers, the attack vectors, the harms, the payment mechanism, etc. – and tackling each of them directly.

For instance, there have been cases where law enforcement has tracked down attackers and regained extorted funds and apprehended those responsible for attacks. Our research is driven by the conviction that only through a nuanced understanding of the diverse harms stemming from ransomware extortion can we formulate improved policies and mechanisms to address this pervasive threat.

