Cybercrime Isn’t What It Used to Be: Managing the Evolving Extortion Threat

By Anna Chung, Principal Researcher, Unit 42.

  • 1 year ago Posted in

Once upon a time, it was enough for ransomware threat actors to break into a company’s systems, encrypt them, and get paid. Today, as companies have implemented back-ups and other measures, such a payday is no longer guaranteed; particularly when the industrialisation of ransomware means more and less skilled criminals are turning their hand to cybercrime.

An additional complicating factor is that companies no longer immediately pay up out of panic because they are finding ways to live with attacks. According to 2023 Palo Alto Networks research, whilst the media ransomware payment demand totals around $650,000, actual payments were instead in the region of $350,000 - approximately 46% less.

However, the business of cybercrime is becoming cruder and nastier as a result of threat actors turning to new means and directions to exploit their would-be victims - and extortion tactics have become a significant part of this. Here’s what you need to look out for.

How extortion threats are moving beyond ransomware

Threat actors are increasingly employing extortion techniques to gain leverage over targeted organisations and accomplish their goals. While a significant amount of attention has been focused on ransomware in recent years, modern threat actors have diversified their approaches and added additional extortion techniques to their arsenals when it comes to acquiring payments from targets — and some are even bypassing ransomware altogether to focus specifically on extortion.

Large, multinational organisations, in particular, can be lucrative targets for threat actors and extortion incidents. In 2022, 30 organisations on the Forbes Global 2000 list were publicly impacted by extortion attempts. Over the last four years, at least 96 of these organisations have seen confidential files publicly exposed as part of attempted extortion.

Ransomware actors, for example, often use a variety of extortion techniques - also known as multi-extortion - to pressure organisations into making the difficult decision to pay a ransom. From encryption to data theft, and distributed denial of service (DDoS) attacks to harassment, there have been significant increases in cybercriminal usage of various extortion tactics, which are only expected to grow as cybercriminals get savvier.

The growing multi-extortion threat

The use of data theft has grown markedly as a multi-extortion tactic. For example, recent research has documented a 30% increase in the use of data theft as an additional extortion tactic between 2021 and 2022. When it comes to data theft, threat actors usually acquire an organisation’s data and threaten to leak it unless they are paid, often on dark web sites known as “leak sites”. They often go after sensitive information such as files containing personally identifiable information (PII), protected health information (PHI) and customer financial data.

Many threat actors have realized that encryption alone is not compelling enough to pressure an organisation when it comes to paying a ransom. If victims refuse to pay, attackers escalate to harassment, where they often target employees and customers - an extortion tactic that has increased in use by a factor of 20x since 2021. Harassment typically manifests itself through threat actors calling, emailing, or otherwise contacting an organisation’s employees or customers - they may also post on social media about the incident or contact the media, which increases the reputational impact of an attack.

The traditional advice for getting ahead of such attacks is to keep up-to-date backups stored offline and test them often to achieve redundancy. Unfortunately, threat actors have gotten wise to this. By diversifying into new extortion techniques, they are effectively coercing the victim to pay even if they’ve taken pre-emptive action.

Often, the threat of disclosure of sensitive data is what pushes organisations to pay ransoms. Such leaks can cause reputational damage, loss of confidence from consumers and partners, and potential fines and sanctions from regulators and authorities. It’s not enough to rely on back-ups alone - some organisations have decided not to pay ransoms because they had strong backups, but some threat actors have been known to follow up with harassment campaigns so intense that the resulting costs exceeded the ransom demanded.

Education and fighting back

Fighting back against the ever-growing spectre of extortion techniques requires a multi-pronged cyber threat engagement strategy. Maintaining good general cyber hygiene and delivering security awareness training should form the foundation of any organisation’s approach - and analysing the business impact of losing critical data should be amongst the first steps you should take to effectively manage associated risks.

This can be achieved by conducting a comprehensive audit of any potential upstream and downstream consequences to help prioritise efforts. Identifying exposed assets and maximising the visibility of associated risks is important, particularly when it comes to information technology (IT) and operation technology (OT) assets. Doing so can then inform business continuity planning and help engage stakeholders across the organisation in understanding the risks at play.

Creating and maintaining an up-to-date cybersecurity incidence response (IR) plan with crisis communications protocols can help reduce uncertainty and clarify decision-making. This enables key decision makers to know the capacity of cyber defence teams and the external support they need, as well as putting in place documented processes that identify the key stakeholders required to take quick and effective action.

If devised and implemented properly, a cybersecurity incident response plan can also provide structure to prevent future attacks by identifying weaknesses and gathering valuable threat intelligence. In an extortion incident, having rapid, comprehensive support is key, so incorporating dedicated incident response experts as an extension of your team can help create a predictable incident response budget, enabling quicker action to minimise the impact of an attack. Finally, complementing this with a data recovery plan will further add peace of mind, making sure that data can be recovered quickly and effectively.

By Alasdair Anderson, VP of EMEA at Protegrity.
By Eric Herzog, Chief Marketing Officer, Infinidat.
By Shaun Farrow, Security Practice Lead at Bistech.
By Andre Schindler, GM EMEA and SVP Global Sales at NinjaOne.
By Darren Thomson, Field CTO EMEAI, Commvault.