Published: 3rd October 2023 | In: Insights
Ransomware attacks can have a devastating impact on organisations. As detection, protection and remediation against the original encrypt-and-ransom model improved, ransomware operators altered their tactics, introducing a double-extortion model in late 2019. They then increased their leverage over victims by adding triple-extortion methods in 2020 and, in some cases, a fourth tier of extortion.
In a recent survey by CyberEdge Group, 78% of ransomware victims surveyed reported experiencing multiple vectors of extortion. This shift in tactics raises further considerations for organisations: while they may be able to recover from the initial ransomware event, the additional layers of extortion are designed to exert maximum pressure so that the ransom is ultimately paid.
Evolution of ransomware attacks
Ransomware isn’t a new phenomenon; its origins can be traced back to 1989 and the strain dubbed the ‘AIDS Trojan’. This malware hid directories and encrypted file names on the victim’s hard drive, then demanded that $189 be mailed to a post office box in Panama in exchange for the decryption key. The same basic premise, encrypt files and sell back the decryption key for a ransom payment, persisted until the late 2010s.
In direct response to organisations becoming better prepared for traditional ransomware attacks, operators needed new ways to extract payment. In November 2019 the Maze ransomware group began exfiltrating victims’ data; the first documented case was against the security services company Allied Universal, where 700MB of stolen data was released after the ransom went unpaid. This double-extortion tactic has remained prevalent to this day: Palo Alto Networks has reported that data theft is now seen in around 70% of ransomware incidents, up from roughly 40% in mid-2021.
More recently, ransomware operators have made greater use of triple- and quadruple-extortion tactics, first observed in 2020 and employed more often from late 2021. These add distributed denial-of-service (DDoS) attacks against the victim, and harassment of third parties whose data was caught up in the initial exfiltration, to the operators’ arsenal of extortion techniques.
A recent example of third parties being extorted as part of another organisation’s breach is the MOVEit campaign run by the Cl0p threat group. In early June 2023, a critical zero-day vulnerability (CVE-2023-34362) in Progress MOVEit Transfer was reported to be under active exploitation by Lace Tempest, a Russia-based group known both for ransomware and for running the Cl0p extortion site. Further flaws in the product were disclosed after the initial vulnerability was published. The group then ran an extortion campaign, threatening to leak all stolen data, including third-party data captured from the compromised file-transfer servers, unless victim organisations opened negotiations.
Motivations behind multi-layered extortion tactics
Extortion can be defined as the construction of incentives to gain an unfair benefit: extortion tactics coerce a party into complying with demands in order to avoid punitive action being taken against them. Multi-layered extortion tactics are designed to add escalating, sequential stresses to an organisation that is already in a high-stress situation.
It is well researched that stress affects how decisions are made. When under stress and faced with a choice between a potential reward and a potential loss, people tend to prefer the status quo and act to prevent the loss. Exploiting this human reaction to stress is what makes multi-layered extortion effective for threat actors.
The anatomy of extortion
Breaking the extortion process down, there are four stages:
Stage 1: Initial compromise and ransomware deployment
- Ransomware actors gain initial access to an organisation. This can be achieved in a number of ways, including phishing emails, exploitation of software vulnerabilities or use of compromised credentials.
- Once initial access has been achieved, the threat actor enumerates the environment. Typically they will need to escalate their privileges and move laterally to other devices on the network.
- Once the threat actor has moved as far as they can within the environment, they trigger the ransomware. This either encrypts the victim’s files or locks them out of their own systems.
- The target organisation is extorted to pay a ransom in exchange for the decryption key to unlock its files.
Stage 2: Data exfiltration
- Before triggering the ransomware, the threat actor usually copies the target organisation’s data and exfiltrates it to servers under their control.
- Data exfiltration is the unauthorised extraction of data from an organisation.
- The threat actor threatens to publish the stolen data to coerce the target organisation into paying the ransom. Publication would likely result in regulatory fines if a regulator identifies that the organisation has suffered a data breach, and the threat actor will often argue that the organisation would do better to pay them than to pay the regulator, lose its reputation, have to regain trust and take longer to recover.
Stages 3 & 4: DDoS attacks and extortion of third parties affected by the data leak
- In these stages the threat actor either launches a DDoS attack against the target organisation, disrupting its services and damaging its public reputation, or attempts to extort the third parties whose data was stolen.
- Threat actors have used either technique on its own or both together.
It is important to note that the tactics, techniques and procedures (TTPs) of different ransomware operators vary and evolve over time to avoid detection.
In the second part of this two-part blog we’ll guide you through mitigating the risk of extortion and outline the trends we’re seeing in this area.
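Stage 2 is the point at which a defender still has time to act, because the bulk copy of data leaves the network before anything is encrypted. As an added illustration, not code from the original post, the following Python script applies a simple sliding-window check to constructed outbound-connection records and flags any host that sends an unusual volume to a single destination within an hour. The record format, host names, addresses, thresholds and allow-list are all assumptions made for the example and would need to be tuned to a real network's baseline.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed outbound-connection records (not real logs). Each tuple is
# (ISO-8601 timestamp, internal host, destination, bytes sent).
# fs01 pushes roughly 12 GB to a single external address between 01:00 and
# 02:00; ws07 is ordinary daytime browsing; bk01 is the nightly backup job.
SAMPLE_EGRESS = [
    ("2023-09-28T01:02:00", "fs01", "203.0.113.10", 4_000_000_000),
    ("2023-09-28T01:25:00", "fs01", "203.0.113.10", 4_500_000_000),
    ("2023-09-28T01:48:00", "fs01", "203.0.113.10", 3_800_000_000),
    ("2023-09-28T09:10:00", "ws07", "198.51.100.5", 12_000_000),
    ("2023-09-28T09:40:00", "ws07", "198.51.100.7", 9_000_000),
    ("2023-09-28T23:00:00", "bk01", "backup.example.net", 20_000_000_000),
]

# Assumed allow-list of destinations that legitimately receive bulk data
# (backup targets, cloud storage the organisation actually uses, etc.).
KNOWN_BULK_DESTINATIONS = {"backup.example.net"}


def find_exfil_bursts(records, window=timedelta(hours=1),
                      threshold=5_000_000_000,
                      allowlist=KNOWN_BULK_DESTINATIONS):
    """Return one alert per (host, destination) pair whose outbound volume
    inside any sliding `window` exceeds `threshold` bytes.

    Each alert is (host, destination, peak_bytes_in_window, window_start).
    The threshold is illustrative; a real deployment would derive it from
    each host's historical egress baseline rather than a fixed number.
    """
    by_pair = defaultdict(list)
    for ts, host, dst, nbytes in records:
        if dst in allowlist:
            continue
        by_pair[(host, dst)].append((datetime.fromisoformat(ts), nbytes))

    alerts = []
    for (host, dst), events in by_pair.items():
        events.sort()
        start, running, peak, peak_start = 0, 0, 0, None
        for ts, nbytes in events:
            running += nbytes
            # Evict events older than `window` relative to the current event.
            while ts - events[start][0] > window:
                running -= events[start][1]
                start += 1
            if running > peak:
                peak, peak_start = running, events[start][0]
        if peak > threshold:
            alerts.append((host, dst, peak, peak_start))
    return alerts


if __name__ == "__main__":
    for host, dst, nbytes, since in find_exfil_bursts(SAMPLE_EGRESS):
        print(f"{host} -> {dst}: {nbytes / 1e9:.1f} GB since {since:%H:%M}")
```

Run against the constructed records, only `fs01` is reported; the backup host is suppressed by the allow-list and the workstation never approaches the threshold. A detection like this is deliberately coarse: it catches the "copy everything to one server" pattern but not slow, low-volume exfiltration spread across many destinations, which is why it belongs alongside, not instead of, host-based and data-classification controls.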