Infosecurity Europe
3-5 June 2025
ExCeL London

Ransomware Trends: The Rise of Multi-Extortion Tactics

Ransomware attacks have evolved beyond simply encrypting data and demanding a ransom. Cybercriminals are now using more complex extortion methods to increase the pressure on victims to pay up.

Malicious actors have historically relied on encryption methods to conduct ransomware attacks.

The first documented ransomware attack, known as the AIDS trojan, occurred in 1989 against the World Health Organization's AIDS Conference. Once a user inserted the disc, they were greeted with a lock screen. If the user tried to reboot their computer, the disc would count that reboot and, once 90 reboots had occurred, the malware would encrypt files, demanding payment for the key.

Later, cybercriminals developed more sophisticated ways of encrypting data, but they primarily relied on single extortion tactics up to the late 2010s.

Single Extortion Attack: Encryption is Key

Typically, a single extortion tactic follows five steps:

  1. Intrusion: The attacker gains initial access via phishing, vulnerability exploitation or other methods (sometimes followed by privilege escalation and/or lateral movement)
  2. Infection: The malware payload is downloaded and installed on the target device or system
  3. Encryption: The attacker encrypts the victim's data or systems, rendering them inaccessible
  4. Ransom Demand: Victims are asked to pay a ransom in exchange for the decryption key
  5. Ransom Negotiation: The attacker negotiates with the victim to find common ground in the amount of the ransom to be paid and the timeline and logistics of the payment

Ransomware groups can use various negotiation tactics to speed up the process, such as imposing deadlines.



Double Extortion Attack: The New Ransomware Paradigm

Over the years, many organisations have overcome the threat of file encryption with a simple up-to-date backup system.

Ransomware actors had to adapt to the improvements in their victims’ cybersecurity posture. In the early 2020s, some ransomware groups (e.g. Maze) began threatening their victims that data would not only be encrypted but could also be exfiltrated if the victim refused to pay the ransom or took too long to pay. This is known as a double extortion technique.

This data exfiltration can take various forms, such as data leaks on the clear or dark web or the sale of datasets to other cybercriminal groups or on dark web marketplaces.

This approach has become so successful that some ransomware groups have stopped encrypting data altogether, prioritising data exfiltration as the sole way to pressurise their victims to pay.

Double extortion, with or without encryption, has now become the main strategy for ransomware groups.

Multi-Extortion Attack: A Wave of New Strategies

Some ransomware groups have recently started introducing additional extortion strategies to maximise impact and increase the likelihood of payment.

These strategies include:

  • Distributed denial-of-service (DDoS) attacks: The attacker disrupts the victim’s online services or infrastructure with a DDoS attack alongside the ransomware attack, creating the impression that the victim is under siege
  • Reputational damage: The attacker threatens to expose its victim publicly (e.g. on social media) and highlight its potential security failures
  • Regulatory fine threats: The attacker informs its victim of the sanctions and fines it would need to pay to the authorities if the data exposure resulting from the attack were made public
  • Third-party attacks: The attacker targets the victim's customers, partners or suppliers with similar extortion tactics, creating a cascading effect
  • Short selling stocks: The attacker threatens publicly traded companies by offering short-selling opportunities to unscrupulous traders

It is now common to see ransomware groups combining these strategies, operating triple or even quadruple extortion tactics.




Conclusion

The evolution of ransomware from single to multi-extortion tactics highlights cybercriminals' increasing sophistication and ruthlessness.

Organisations must stay vigilant and continuously enhance their cybersecurity measures to defend against these complex threats.

Some basic cybersecurity measures are crucial to mitigate these threats, such as implementing robust backup systems, conducting regular security audits and fostering a culture of cybersecurity awareness.

However, organisations must now also involve their entire supply chain in their cybersecurity efforts. Ensuring that partners, suppliers, and other third parties adhere to stringent security standards is essential to creating a resilient defence against these advanced extortion tactics. 

