Ransomware has long dominated the headlines as one of the most urgent cyber threats facing U.S. businesses. However, since 2022, cybercriminals have actually been finding it harder to extract ransomware payments from their victims—and this is leading to major changes in how they carry out their attacks.
Recent research has found that ransomware payoffs plummeted by 40 percent from 2021 to 2022, which is the biggest revenue drop we’ve seen.
While it may appear to be great news that ransomware gangs are struggling, the reality is that many of these groups are now becoming even more aggressive and ruthless as a result. Instead of just encrypting a company’s sensitive information, these ransomware groups are now more likely to publicly leak it and sell it to other cybercriminals. This creates a whole host of new problems which business leaders need to be prepared for.
Extortion Actors Are Getting Worse, Not Better
Ransomware originally began as a fairly straightforward attack. The hacker would breach a company’s network and encrypt its files, which could not be recovered unless the victim paid for the decryption key. As bad as these attacks were (and still are), they usually did not involve data theft or data leaking on top of the business disruption. This is why many of the early business ransomware attacks did not result in full data breach notifications.
However, as fewer victims of conventional ransomware attacks have been willing to pay the ransom, hackers have had to switch gears—finding new ways to apply pressure to organizations to force them to pay up.
Over the last few years, we’ve seen a growing number of ransomware groups adopting a hybrid strategy when it comes to these attacks. These groups added a data-theft stage to their playbook, copying and exfiltrating company files before launching the encryption stage of the attack. The hackers would then threaten to release the files publicly, in addition to withholding the decryption key, unless the company paid the ransom.
These initial data extortion efforts have evolved into a more sophisticated process. Many of today’s ransomware groups now operate dedicated “leak sites” where they can advertise and promote stolen corporate information. The game has changed dramatically, with businesses more exposed than ever before to damaging information leaks on top of other destructive or disruptive attacks.
Four Types of Data Extortion Attacks
Ransomware now rarely exists as a pure-play encryption attack. In 70 percent of these attacks, the victims also suffer data theft, and the rate of victim harassment by ransomware groups has surged 2,000 percent since 2022. These groups are also increasingly targeting supply chains to carry out mass-hacks on businesses.
Here are the four main types of attacks:
Double Extortion: In a “double extortion” attack, the hacker combines the traditional encryption attack with data theft and extortion to force the victim organization to pay up. This tactic was first pioneered by the Maze ransomware group, and it’s been surging in popularity since 2019-2020. Double extortion is now a common tactic in ransomware attacks as it is used by a growing number of prominent ransomware gangs, including BlackCat (or ALPHV), Cl0p, Vice Society, Play, LockBit, Royal, Medusa, Black Basta and many more.
Triple Extortion: Some ransomware gangs go even further in their attacks, by not only extorting the breached company, but also extorting its downstream partners and customers who may be affected by the leaked data. This tactic is being seen more frequently in the healthcare industry, where patients are targeted with secondary extortion, but it’s an issue that affects every major industry.
Pure Data Extortion: Other ransomware gangs like BianLian have moved away from encryption attacks altogether, and instead focus entirely on data exfiltration and extortion. These attacks may still be referred to as “ransomware,” but no encryption payload is involved. The data is exfiltrated with so-called “leakware” or “doxware,” or simply with ordinary file-transfer and cloud-sync tools that blend in with normal traffic, which is why these intrusions are often missed until the extortion demand arrives.
Fake Data Extortion: Companies should also be on the lookout for fake extortion, as some low-skilled criminals are piggybacking off of the data extortion crime wave by impersonating well-known hacker groups. Although these are only phishing scams, they can result in financial loss or even malware infections if companies fall for them. Treat any demand as unverified until the sender produces a sample of the allegedly stolen data and that claim has been checked against your own logs.
How Do They Expose Stolen Data?
Data extortionists have many different ways of exposing stolen corporate information. Some of these groups will post mini-leaks, or sneak previews, on social media platforms like Twitter or Discord, as well as messaging apps like Signal. But the biggest concern for businesses is the dedicated leak site (DLS).
Leak sites are now a major part of the data extortionist’s strategy. These are sites that host the leaked files and, in many cases, also provide searchable results—so that other users and criminals can look for specific business names and record types. Most of the time, leak sites are hosted as Tor hidden services (i.e., on the Dark Web), but some groups like BlackCat/ALPHV have also created leak sites on the public Internet.
Data Theft Can (and Will) Be Ruthless
It’s extremely important for businesses to understand that data extortion attacks can have many unexpected outcomes. These attacks can quickly snowball as the attackers look for more and more leverage over their victims.
With traditional cybercriminals, their attacks are “business, not personal,” but this is not true of a data extortionist. The latter will do all they can to humiliate and damage the business they’ve targeted. They will go after traditional targets like intellectual property, business records, personnel files, financial information, etc., but they will also go further by hunting for any other sensitive information that will hurt the company if released. Humiliation is often a major goal in these attacks.
For example, the BlackCat/ALPHV extortion group recently posted nude photos of cancer patients in an attempt to blackmail Lehigh Valley Health Network to pay a ransom. This same group also published screenshots of internal emails and video conferences of Western Digital as part of its threat to “hurt them until they cannot stand anymore.”
How to Adjust Your Security Strategy
The most common defenses against conventional ransomware (i.e., encryption-only attacks)—maintaining offline backups and restoring from them, or using a decryptor when one exists—clearly will not work against a data extortion threat, because the data has already left the network. While companies should continue to invest in those strategies, they will need to augment their overall security planning with additional layers of defense.
Rapid incident response is critical. Most data extortion groups will try to maintain access to the victim’s network for as long as possible, so they can keep stealing information—and searching for more embarrassing material they can release. The quicker your IT team can identify the breach and evict the attackers from the network, the less damage you will face. Monitoring egress traffic for unusually large transfers to unfamiliar destinations is one of the few signals that directly surfaces the theft itself, rather than just the intrusion that preceded it.
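As an added example of the egress-monitoring point above (this is illustrative code written for this page, not tooling from the article or from any vendor it mentions), the following script flags hosts that push more than a threshold of data to a single external domain inside a sliding time window, skipping sanctioned services. The log format (`epoch src_host dst_domain method bytes_out`), the sample lines, the threshold, the window and the allowlist are all constructed assumptions; in practice you would feed it proxy or firewall logs and tune the numbers to your own baseline.

```python
"""Flag hosts whose outbound transfers look like bulk exfiltration.

Added example, not from the original article. The log format below is an
assumption: one event per line, whitespace-separated, as
    <epoch_seconds> <src_host> <dst_domain> <http_method> <bytes_out>
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class Alert:
    host: str
    domain: str
    bytes_out: int   # bytes sent to `domain` inside the window that tripped the alert
    first_seen: int  # epoch of the oldest event still inside that window
    last_seen: int   # epoch of the event that crossed the threshold


def parse_line(line: str) -> Tuple[int, str, str, str, int]:
    """Parse one constructed log line into (ts, host, domain, method, bytes_out)."""
    ts, host, domain, method, nbytes = line.split()
    return int(ts), host, domain, method, int(nbytes)


def detect_bulk_upload(lines: Iterable[str], threshold_bytes: int,
                       window_seconds: int, allowlist: Set[str]) -> List[Alert]:
    """Return one Alert per (host, domain) whose uploads exceed the threshold
    within any window of `window_seconds`. Only request methods that carry a
    body (POST/PUT) count; allowlisted domains are ignored entirely."""
    events = sorted(parse_line(l) for l in lines if l.strip())
    windows: Dict[Tuple[str, str], Deque[Tuple[int, int]]] = defaultdict(deque)
    running: Dict[Tuple[str, str], int] = defaultdict(int)
    alerted: Set[Tuple[str, str]] = set()
    alerts: List[Alert] = []
    for ts, host, domain, method, nbytes in events:
        if method not in ("POST", "PUT") or nbytes == 0 or domain in allowlist:
            continue
        key = (host, domain)
        q = windows[key]
        q.append((ts, nbytes))
        running[key] += nbytes
        # Drop events that have aged out of the window and keep the sum current.
        while q and ts - q[0][0] > window_seconds:
            _, old = q.popleft()
            running[key] -= old
        if running[key] > threshold_bytes and key not in alerted:
            alerted.add(key)
            alerts.append(Alert(host, domain, running[key], q[0][0], ts))
    return alerts


# Constructed sample: ws-042 pushes 3 x 400 MiB to an unknown file host in
# four minutes; ws-017 pushes a lot to a sanctioned sync service; ws-101
# pushes 200 MiB every two hours, which never adds up inside a one-hour window.
SAMPLE_LOG = """\
1700000000 ws-042 filetransfer.example POST 419430400
1700000120 ws-042 filetransfer.example POST 419430400
1700000240 ws-042 filetransfer.example POST 419430400
1700000300 ws-042 mail.example GET 0
1700000000 ws-017 sync.corp.example PUT 734003200
1700000060 ws-017 sync.corp.example PUT 734003200
1700000000 ws-101 updates.example POST 209715200
1700007200 ws-101 updates.example POST 209715200
1700014400 ws-101 updates.example POST 209715200
1700021600 ws-101 updates.example POST 209715200
1700028800 ws-101 updates.example POST 209715200
1700036000 ws-101 updates.example POST 209715200
"""
ONE_GIB = 1024 ** 3
ALLOWLIST = {"sync.corp.example"}  # assumed sanctioned cloud-sync service


def demo(window_seconds: int = 3600, allowlist: Set[str] = frozenset(ALLOWLIST)) -> List[Alert]:
    return detect_bulk_upload(SAMPLE_LOG.splitlines(), ONE_GIB, window_seconds, set(allowlist))


if __name__ == "__main__":
    for a in demo():
        print(f"ALERT {a.host} -> {a.domain}: {a.bytes_out / ONE_GIB:.2f} GiB "
              f"between {a.first_seen} and {a.last_seen}")
```

The window matters as much as the threshold: widen it to ten hours and ws-101’s slow drip also crosses a gibibyte, which is exactly how a patient attacker stays under a naive per-request limit. Tuning both against a measured baseline, and reviewing the allowlist regularly, is what turns this from a demo into a usable detection.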
A key element of incident response is “phishing response.” This goes well beyond traditional email security solutions by having a dedicated team or outside service that can fully investigate phishing attacks and hunt inside the network to look for any signs that an attack was successful. This is critical for stopping these attacks early on, before the hackers can cause significant damage.
Implement a post-breach containment strategy. Since even the best preventive security will sometimes fail, companies must put in place stronger protections to limit the potential damage of a successful cyberattack—including data extortion. Key actions include access controls (limiting who can access what, restricting remote-access permissions, implementing multi-factor authentication, etc.), data encryption (so that stolen files are useless to the attacker) and network segmentation, so that attackers will have a harder time spreading throughout a company. One caveat on encryption: it only blunts theft when the attacker cannot reach the keys. An intruder operating with a compromised user’s credentials reads the same decrypted files that user can, so encryption at rest has to be paired with tight access controls and key management rather than treated as a substitute for them.