
Apurva Venkat
Special Correspondent

Make them pay: Hackers devise new tactics to ensure ransomware payment

News Analysis
May 10, 2023 | 7 mins
Cyberattacks, Ransomware

Payouts from ransomware victims declined by 38% in 2022, which has prompted hackers to adopt more professional and corporate tactics to ensure higher returns.

[Image: threat ransomware response. Credit: Thinkstock]

Ransomware remains one of the biggest cybersecurity threats that organizations and governments continue to face. However, as organizations make a conscious decision to decline ransom demands, hackers are engineering new ways to extract payment from their victims.

With the fall of the most notorious ransomware gang, Conti, in May 2022, it was assumed that ransomware attacks would see a major decline. However, Tenable found that 35.5% of breaches in 2022 were the result of a ransomware attack, a minor 2.5% decrease from 2021.

Payouts from ransomware victims, meanwhile, declined by 38% in 2022 — and this has prompted hackers to adopt more professional and corporate tactics to ensure higher returns, according to Trend Micro’s Annual Cybersecurity Report. 

“Cybercriminals increasingly have KPIs and targets to achieve. There are specific targets that they need to penetrate within a specific time period. It has become a very organized crime because of the business model that the ransomware groups follow, because of which they have started increasing the pressure,” said Maheswaran S, country manager at Varonis Systems.

The double extortion tactic

One of the tactics that is increasingly being used by ransomware groups is double extortion. In the double extortion method, the ransomware group, in addition to encrypting the files on the victim’s systems, also downloads sensitive information from the victim’s machine.

“This gives them more leverage, since now the question is not only about decrypting the locked data but also about leaking it,” Mehardeep Singh Sawhney, a threat researcher at CloudSEK, said.

An example of this is the BlackCat ransomware gang, which can both encrypt and steal data from the victim’s machines and from other assets running on them, such as ESXi servers, CloudSEK said.

In March, ransomware group BianLian shifted the main focus of its attacks away from encrypting the files of its victims to focusing more on extortion as a means to extract payments, according to cybersecurity firm Redacted.

The triple extortion method

Some ransomware gangs go a step further and deploy the triple extortion method. 

In the triple extortion method, the ransomware gangs encrypt files, extract sensitive data, and then add distributed denial-of-service (DDoS) attacks to the mix. Unless the ransom is paid, not only will all the files remain locked, but even regular services will be disrupted through DDoS. 

“Earlier, ransomware groups were focused on encryption, but now, with collaboration with other groups, they are involved in data exfiltration as well, and they compromise the victim organization’s website or carry out DDoS attacks. The idea behind this is to add more and more pressure on the victim organization,” Maheswaran said.

Contacting stakeholders of the victim organizations

Another tactic that ransomware groups use to add pressure on victim organizations is directly contacting the customers or stakeholders of the company being attacked.

Since this adversely affects the reputation of the victim organization and can sometimes lead to financial losses that exceed the actual ransom, victim organizations tend to pay up, Maheswaran said.

The ransomware groups seek out the victim’s customers directly via email or phone calls, Sawhney said. An example of this is how the Cl0p ransomware group emailed stakeholders and customers of its victims, informing them that their data, too, would be leaked.

“Cl0p also maintained a website where a list of their victims and stakeholders was updated every day. This adds more pressure on the victim firm, making it seem like the fastest way to end the attack is to pay the ransom amount,” Sawhney said.

Along with contacting customers and stakeholders, Lorenz ransomware and LockBit also leaked their ransom negotiations with victim organizations on their leak site. “It can further damage the company’s reputation and increase the perceived urgency of the ransom demand,” cybersecurity firm Cyble said in a report.

Modifying the malware anatomy

The way in which malware is written has also changed, which has made detection more difficult. Malware writers now use multiple techniques to evade sandbox detection and to greatly slow down incident response.

“For example, the BlackCat ransomware seen recently runs only if a 32-character access token is supplied to the executable,” Sawhney said. This means that automated sandboxing tools will fail to analyze the sample unless the required arguments are supplied.

That requirement can only be discovered through manual analysis of the sample, which takes considerable time and expertise, putting a great deal of pressure on the victim firm during an incident.

Ransomware groups such as Agenda, BlackCat, Hive, and RansomExx have also developed versions of their ransomware in the programming language Rust. “This cross-platform language allows groups to customize malware for operating systems like Windows and Linux, which are widely used by businesses,” Trend Micro said in a report.

Using the Rust programming language makes it easier to target Linux and more difficult for antivirus to analyze and detect the malware, making it more appealing to threat actors. 

Russia-linked ALPHV group was the first ransomware to be coded in Rust. This group, which was the second most active ransomware in 2022, according to Malwarebytes, also created a searchable database on its leak site where employees and customers of their victims can search for their data. The group’s “ALPHV Collections” allows anyone to use keywords to search for sensitive stolen information.

Another ransomware group, LockBit, even started its own bug bounty program. Bug bounty programs are generally run by organizations that invite ethical hackers to identify vulnerabilities in their software and inform them in return for a reward. “With ransomware groups, it becomes a platform for hackers or cybercriminals to show their talent and discover new malware to be deployed,” said Vijendra Katiyar, country manager for India at Trend Micro.

Safeguarding against ransomware attacks

While organizations are deploying more and more controls to protect the assets that store or access critical data, they do not necessarily deploy the right controls around the data itself, which is extremely important for making it difficult for an attacker to access or corrupt that data, according to Maheswaran.

For organizations to respond effectively to ransomware incidents, their cybersecurity solutions need to be responsive, agile, and easily scalable, and this is best achieved through a combination of the cloud and machine learning analytics, said Harshil Doshi, country director at Securonix.

“It is easier to avoid paying the ransom if you detect the risk before encryption occurs. Or you can avoid ransomware response workflows altogether by having an effective endpoint backup strategy,” Doshi added. 

Organizations should take the following steps to ensure that employees do not fall victim to a clever attacker:

  1. Reduce the blast radius. Minimize the damage attackers could do by locking down access to critical data and ensuring that employees and contractors can access only the data they need to do their jobs.
  2. Find and identify critical data that is at risk. Scan for everything attackers look for, including personal data, financial data, and passwords.
  3. Embrace multifactor authentication. Enabling MFA makes an organization 99% less likely to get hacked.
  4. Monitor what matters most. Monitor how every user and account uses critical data and watch for any unusual activity that could indicate a possible cyberattack.
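As an added illustration of the fourth step (this is example code written for this page, not code from the article or from any vendor quoted in it), the script below shows one concrete way to "watch for unusual activity" on critical data. It learns a per-account baseline of how many distinct files each account normally touches per minute, then flags any account whose current rate is far above that baseline, and separately flags an account that renames many files to an unfamiliar extension, a typical symptom of encryption in progress. The log format, account names, file paths, extension list and thresholds are all constructed for the example and would have to be adapted to a real file-audit source.

```python
"""Baseline-and-burst detector for file access on critical data.

Example code added for illustration; the log format below is constructed
(one line per file operation) and is not any product's real audit format.
"""
from collections import defaultdict
from datetime import datetime
import re
import statistics

# Constructed audit-line format: "<ISO timestamp> user=<account> op=<read|write|rename> path=<file>"
LOG_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) op=(?P<op>\w+) path=(?P<path>\S+)$")

# Extensions considered normal for this (hypothetical) file share.
KNOWN_EXTS = {"docx", "xlsx", "pptx", "pdf", "txt", "csv", "bak", "zip"}


def parse(line):
    """Parse one audit line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "user": m["user"],
            "op": m["op"], "path": m["path"]}


def distinct_files_per_minute(events):
    """Return {user: {minute: set(paths)}} so bursts are measured in distinct files."""
    buckets = defaultdict(lambda: defaultdict(set))
    for e in events:
        minute = e["ts"].replace(second=0, microsecond=0)
        buckets[e["user"]][minute].add(e["path"])
    return buckets


def build_baseline(events):
    """Per-user (median, MAD) of distinct files per active minute.

    Only minutes with activity are counted, which makes the baseline slightly
    higher and therefore the detector more conservative (fewer false alerts).
    """
    baseline = {}
    for user, per_min in distinct_files_per_minute(events).items():
        counts = [len(paths) for paths in per_min.values()]
        med = statistics.median(counts)
        mad = statistics.median(abs(c - med) for c in counts) or 1.0  # avoid a zero spread
        baseline[user] = (med, mad)
    return baseline


def detect(events, baseline, factor=10.0, rename_threshold=5):
    """Return a list of (user, minute, alert_type, count) tuples."""
    alerts = []
    # 1. Access burst: distinct files in one minute far above the user's baseline.
    for user, per_min in distinct_files_per_minute(events).items():
        med, mad = baseline.get(user, (1.0, 1.0))  # unknown accounts get a strict default
        for minute, paths in sorted(per_min.items()):
            if len(paths) > med + factor * mad:
                alerts.append((user, minute.isoformat(), "access_burst", len(paths)))
    # 2. Bulk rename to an extension this share never uses.
    renamed = defaultdict(set)
    for e in events:
        if e["op"] == "rename":
            ext = e["path"].rsplit(".", 1)[-1].lower() if "." in e["path"] else ""
            if ext not in KNOWN_EXTS:
                renamed[e["user"]].add(e["path"])
    for user, paths in renamed.items():
        if len(paths) >= rename_threshold:
            alerts.append((user, None, "bulk_rename_unknown_ext", len(paths)))
    return alerts


# Constructed baseline period: two accounts doing ordinary work.
BASELINE_LINES = [
    "2023-05-10T09:00:05 user=alice op=read path=docs/q1.docx",
    "2023-05-10T09:00:30 user=alice op=read path=docs/q2.docx",
    "2023-05-10T09:00:50 user=alice op=write path=docs/q3.xlsx",
    "2023-05-10T09:01:10 user=alice op=read path=docs/q1.docx",
    "2023-05-10T09:01:40 user=alice op=read path=docs/q4.pdf",
    "2023-05-10T09:02:05 user=alice op=read path=docs/q5.pdf",
    "2023-05-10T09:02:15 user=alice op=read path=docs/q6.pdf",
    "2023-05-10T09:02:25 user=alice op=write path=docs/q7.csv",
    "2023-05-10T09:02:35 user=alice op=read path=docs/q2.docx",
    "2023-05-10T09:03:05 user=alice op=read path=docs/q8.txt",
    "2023-05-10T09:03:45 user=alice op=read path=docs/q9.txt",
    "2023-05-10T09:00:12 user=bob op=read path=hr/list.xlsx",
    "2023-05-10T09:01:12 user=bob op=read path=hr/list.xlsx",
    "2023-05-10T09:01:50 user=bob op=write path=hr/notes.txt",
    "2023-05-10T09:02:12 user=bob op=read path=hr/policy.pdf",
]

# Constructed detection window: alice's account suddenly touches 40 files in a
# minute and then renames six of them to an unknown extension; bob is normal.
WINDOW_LINES = (
    [f"2023-05-10T10:15:{i:02d} user=alice op=read path=docs/f{i:02d}.docx" for i in range(40)]
    + [f"2023-05-10T10:16:{i:02d} user=alice op=rename path=docs/f{i:02d}.locked" for i in range(6)]
    + ["2023-05-10T10:15:20 user=bob op=read path=hr/list.xlsx",
       "2023-05-10T10:15:45 user=bob op=read path=hr/policy.pdf"]
)


def run_example():
    baseline = build_baseline([e for e in map(parse, BASELINE_LINES) if e])
    return detect([e for e in map(parse, WINDOW_LINES) if e], baseline)


if __name__ == "__main__":
    for alert in run_example():
        print(alert)
```

The two signals are deliberately independent: a burst of reads with no renames can be data theft ahead of an extortion demand, while renames to an unknown extension without a read burst can still be encryption that has only just started, so either one on its own is worth an alert.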

“It’s also important for organizations to have SOPs for responding to and remediating ransomware incidents and to have effective awareness programs to educate users to detect and report breaches,” Maheswaran said.

CloudSEK suggests organizations create a backup of critical data and store it in a secure location. This way, even if their systems are infected with ransomware, they can restore their data from the backup.

Organizations must also ensure their operating system, software, and security tools are up to date with the latest security patches and updates. They must use reputable antivirus and antimalware software and ensure that it is regularly updated, CloudSEK said.

Apurva Venkat is principal correspondent for the India editions of CIO, CSO, and Computerworld. She has previously worked at ISMG, IDG India, Bangalore Mirror, and Business Standard, where she reported on developments in technology, businesses, startups, fintech, e-commerce, cybersecurity, civic news, and education.