A worker discovering a ransomware attack.
Image: PR Image Factory/Adobe Stock

Ransomware groups are pulling no punches in their attempts to force compromised organizations to pay up. A report released Tuesday by Unit 42, a Palo Alto Networks threat intelligence team, found that attackers are increasingly harassing victims and associated parties to make sure their ransom demands are met.

For its new 2023 Ransomware and Extortion Threat Report, Unit 42 analyzed approximately 1,000 incidents that the team investigated between May 2021 and October 2022. Around 100 cases were analyzed for insight into ransomware and extortion negotiations. Most of the cases were based in the U.S., but the observed cybercriminals conducted attacks against businesses and organizations around the world.

By the end of 2022, harassment was a factor in 20% of the ransomware cases investigated by Unit 42, a significant jump from less than 1% in mid 2021.

Jump to:

Double-extortion and multi-extortion tactics from ransomware gangs

One of the key trends revealed in the research is that ransomware gangs are using more aggressive tactics to convince their victims to pay the ransom.

Double-extortion tactics

Over the past few years, double-extortion has become a popular play, with the attackers not only encrypting the data but vowing to leak it publicly unless the ransom is paid. In around 10% of the cases analyzed, the criminals didn’t even bother to encrypt the data but simply stole it for the sole purpose of leaking it unless their ransom demands were met.

Targeting such sensitive information as health records and financial records, the attackers will publish the data on Dark Web leak sites where other criminals can access and exploit it for their own purposes. These incidents of data theft have shot up to around 70% of all cases on average, up from 40% in mid 2021.

Multi-extortion tactics

Double-extortion tactics have now paved the way for multi-extortion methods. In the latest incidents, ransomware gangs are harassing victims and other people as a way to apply even more pressure. The attackers typically email or call an organization’s employees, including those in the C-suite. Sometimes, they’ll directly contact the organization’s customers. They may post information about the attack on social media or reach out to the press to promote the incident.

“Ransomware and extortion groups are forcing their victims into a pressure cooker, with the ultimate goal of increasing their chances of getting paid,” Wendi Whitmore, senior vice president and head of Unit 42 at Palo Alto Networks, said in a press release. “Harassment has been involved in one of every five ransomware cases we’ve investigated recently, showing the lengths that these groups are willing to go to coerce a payday. Many are going so far as to leverage customer information that has been stolen to harass them and try to force the organization’s hand into payment.”

Ransomware payments might be negotiable

As ransomware continues to flourish, the Unit 42 team said they found that confidential data from an average of seven victims are posted on leak sites each day, which is around one new victim every four hours. Ransomware payments ran as high as $7 million; however, the median demand was $650,000, while the median payment was $350,000, indicating that negotiating with the attacker can often lower the amount.

How to defend against or mitigate ransomware attacks

To help your organization better defend itself or recover from these new types of ransomware attacks, Unit 42 offers a number of recommendations.

Set up a threat intelligence program. One way to combat attackers is by learning about the tactics, techniques and procedures that they use to compromise organizations. Toward this end, a threat intelligence program can provide you with specific indicators to help your security team evaluate your risks, see where you’re most vulnerable, and determine how to better protect your organization.

Prepare a playbook for multi-extortion. Before a ransomware attack hits you, make sure you have a comprehensive incident response plan with clear directions on which people to contact in the event of an incident. Know which stakeholders should be involved in the response and who makes the key decisions, such as whether to pay the ransom and who is authorized to approve payments.

Use Extended Detection and Response technology to look for threats. To respond to threats affecting your organization, you have to be able to see them; one technology that can help in this regard is XDR. Giving you visibility into your network and other assets, XDR lets you observe activity across your endpoints in real time so that you can more quickly prevent attacks. The goal is to isolate infected computers as malicious activity is detected to prevent the attack from spreading.

Implement Zero Trust Architecture. Containing a cyberattack is key to protecting your most sensitive assets. Setting up a Zero Trust Network Architecture reduces the chances that the attacker will be able to expand laterally throughout your network even if they’ve found one vulnerability. A refined version of ZTNA called ZTNA 2 will build layers of security designed to prevent an attacker from gaining a greater foothold into your organization.

Provide ransomware harassment awareness training to employees. The proper training should be given to employees so that they know how to respond and whom to contact if they’re being harassed in the aftermath of a ransomware attack. The training should also include steps to take if customers are being harassed as well.

Conduct a post-mortem analysis. Following a ransomware attack, scrutinize your network for any backdoors or other indicators of compromise that the attackers may have exploited. Make sure you remove or disable any vulnerable assets or areas so that the same ransomware gang can’t conduct a follow-up attack.

Subscribe to the Cybersecurity Insider Newsletter

Strengthen your organization's IT security defenses by keeping abreast of the latest cybersecurity news, solutions, and best practices. Delivered Tuesdays and Thursdays

Subscribe to the Cybersecurity Insider Newsletter

Strengthen your organization's IT security defenses by keeping abreast of the latest cybersecurity news, solutions, and best practices. Delivered Tuesdays and Thursdays