The ransomware extortion landscape is evolving, with threat actors adopting new methods to blackmail and threaten their victims. Single-extortion, where cybercriminals demand payment to decrypt locked data or systems, is quickly becoming less common, with emerging ransomware groups increasingly adopting double-extortion, where threat actors demand ransom payment to decrypt victim data/systems and then threaten to publish the stolen data unless the ransom is paid. Triple-extortion is also on the rise, where attackers add pressure to pay the ransom through measures such as distributed denial-of-service (DDoS) attacks or further threats to the victim or their customers, employees, and stakeholders.
This played out recently when the notorious ransomware group BlackCat/ALPHV filed a US Securities and Exchange Commission (SEC) complaint against one of its alleged victims for failing to comply with the four-day cyberattack disclosure rule. The unprecedented move took the threat group’s extortion efforts to a new level after it recently claimed to have breached and stolen data from software company MeridianLink.
Dr. Jason Nurse, with the Cyber Security Institute for Society at the University of Kent, and co-lead of the Royal United Services Institute (RUSI) Ransomware Harms and Victim Experience Project, spoke to Cyber Security Hub about the changing ransomware extortion landscape and the threats it poses to businesses.
Cyber Security Hub: In what ways are ransomware extortion methods evolving?
Dr. Jason Nurse: Ransomware attacks have evolved significantly, demonstrating increased sophistication and damage-potential. In the past, cybercriminals sought to paralyze an organization’s systems and raise a ransom to be restored. In response to businesses increasing their recovery capabilities and resisting payments, our research has found that attackers have adapted their methods to exploit a wide variety of threats.
CSHS: What extortion methods are being developed to address ransomware threats faced by organizations?
JN: The evolution of extortion methods means the ransomware threat is widespread and a constant challenge for organizations. We looked at a wide range of damages in our recent analysis of the impacts from ransomware attacks. As businesses responded to the threat by enhancing their defenses – through measures such as improving intrusion prevention systems, employee training and strengthening backup strategies – cybercriminals quickly adjusted their strategies to respond.
The importance of this threat has led to increased government involvement. The Counter Ransomware Initiative (CRI) is an excellent example of such an effort and the recent agreement by CRI member states not to pay ransom using government funds certainly helps address this complex issue. A powerful step.
CSHS: What do evolving fakery trends say about today’s ransomware threat actors?
JN: Evolving trends in ransomware extortion mechanisms highlight an important characteristic of today’s threat actors – their unwavering determination. These actors demonstrate a remarkable readiness to adapt by any means necessary to increase their chances of securing ransom payments. Naming and shaming victim organizations on dark web notice boards, contacting individuals doing business with those organizations, and disclosing sensitive corporate data all highlight a surprising level of determination.
What has shocked most of the security community, however, has been a cybercriminal group’s engagement with the SEC. In this example, the group filed a complaint, alleging the business’s failure to disclose an alleged data breach instigated by hackers. This places an organization in a challenging position, given the wide implications of reporting obligations, notification procedures and negative publicity.
CSHS: What is your advice to any organization following a ransomware attack?
JN: Payment isn’t the only option – and certainly shouldn’t be the first option. The organization must recognize that ransomware groups will employ different tactics to push for payment. If an organization is being disrupted, an initial step should be to isolate all infected systems from the central network or shut them down completely. The organization can then engage with law enforcement, regulatory bodies, cyber insurance providers and, depending on expertise internally, incident response firms for support in their response.
Some of these services may have access to decryption keys (e.g. No More Ransom), provide threat intelligence about the attacker, and provide insight into payment outcomes and the attacker’s affiliations with other entities. Such resources prove invaluable as the organization deliberates over the most effective response to an extortion attempt.
CSHS: How to stay ahead of ransomware extortion?
JN: It’s very much an arms race. Cyber attackers are constantly looking for ways to increase the effectiveness of their ransomware extortion. In contrast, defenders are constantly preparing and responding to the best of their ability. A proactive strategy for cybersecurity to get ahead of the ransomware threat involves developing a better understanding of all its aspects – attackers, attack vectors, harms, payment mechanisms, etc. – and dealing with each of them head-on.
For example, there have been cases where law enforcement has tracked down the attackers and recovered the funds and held those responsible for the attacks. Our research is driven by the belief that only through a nuanced understanding of the diverse harms stemming from ransomware extortion can we design better policies and mechanisms to address this widespread threat.