Ransomware threat actors are ramping up the pressure against their targets with an array of extortion tactics designed to coerce victims into paying, according to Palo Alto Networks research released Tuesday.
A steady and significant shift from encrypting everything quickly to multiple extortion tactics is making response and recovery more stressful for the organizations hit by these attacks, said Michael Sikorski, CTO and VP of threat intelligence at Unit 42, the security vendor’s research and incident response outfit.
Encryption, long the primary extortion tactic of ransomware, was skipped altogether in about 1 in 10 ransomware incidents Unit 42 responded to in the second half of 2021 and most of 2022.
Ransomware attacks involving data theft jumped from 40% in mid-2021 to 70% by late 2022, Unit 42 found. Harassment spiked 20 times in ransomware cases during the same period, with threat actors resorting to the tactic in 1 in 5 cases.
Threat actors go low with harassment ploys
“We’ve seen this harassment just explode,” Sikorski said. “We had an investigation with the CEO’s wife getting text messages and harassment from the threat actor … it’s stooping to that level.”
Other examples shared by Sikorski convey the extent to which threat actors will go to get paid and wreak havoc in the process.
When a hospital was hit with ransomware and refused to pay, the threat actor started going after the hospital’s patients and threatened to leak their health records if they didn’t pay, according to Sikorski.
In another case, an organization’s CIO told Unit 42 the company didn’t realize how bad the harassment would be after it refused to pay the ransom demand and recovered from backups.
The threat actor harassed the organization’s customers so badly that the damage appeared to be caused by the company rather than by the threat actor ultimately responsible for the attack, Sikorski said.
“Had I known the harassment was this bad, I would have paid that money because we’re losing customers because of it,” Sikorski recalled the CIO telling Unit 42.
Harassment changes organizations’ ransomware playbook
While the resolve among victim organizations to not pay ransoms has increased of late, Sikorski said that trend could reverse, especially as organizations realize how damaging harassment could become if they don’t meet threat actors’ demands.
Insurance coverage, backups and an organization’s ability to recover and resume operations have little to no bearing on the data leaks and harassment the victim organization and its customers could endure.
This changes the dynamics of ransomware negotiations as well, as victim organizations weigh the potential risk they face if threat actors sell or leak customer data, and harass or extort the customers directly.
“It makes the situation just so much trickier to explain to CIOs and CISOs and CEOs,” Sikorski said. “This is a really complicated situation now. You need to think it through.”
Sikorski continued: “A lot of companies out there, their whole company is the data they have. If it gets leaked it could put you under.”
Ransomware was involved in about one-third of the 1,000 incidents Unit 42 responded to between May 2021 and October 2022, Sikorski said. Overall, an average of seven new ransomware victims are posted on leak sites every day, the report found.
Extortion efforts are opportunistic, but Unit 42 identified some patterns in the organizations attacked.
U.S. organizations were the most severely affected by ransomware attacks, accounting for more than 2 in 5 of the observed leaks, and 30 businesses on the Forbes Global 2000 were publicly impacted by extortion attempts last year, the report found.
The outlook for ransomware activity in 2023 isn’t great either, according to Unit 42.
The firm predicts this will be the year a large cloud ransomware compromise occurs. It also expects a rise in extortion related to insider threats and predicts threat actors will use ransomware and extortion to distract from attacks intended to infect the supply chain or source code.