The rise of extortion – part two

In the first part of this two-part blog we covered the evolution of ransomware attacks and the motivations behind multi-layered extortion tactics. We also explained the anatomy of extortion. Now we’ll take you through the practical steps you need to take to reduce your risks, and we’ll look ahead to the trends we’re seeing in this space.

Mitigating the risk of extortion

• Implement a robust cyber security framework:
  • Maintain all vendor security patches for all appliances, applications, network devices and operating systems
  • Implement network segmentation to reduce the number of available lateral movement paths
  • Implement and maintain strong access controls, adhering to the principal of least privilege; this will reduce the available data for threat actors to steal
  • Deploy firewalls and intrusion detection/prevention systems (IDS/IPS) to monitor, control network traffic and block malicious network traffic.
• Back-ups and disaster recovery
  • Perform regular backups, following the UK National Cyber Security Centre’s (NCSC) 3-2-1 methodology for back-ups
  • Perform regular restoration tests of all back-ups taken to ensure the validity of the back-ups
• Threat detection
  • Implement a security information event management (SIEM) to report on suspicious activity
  • Utilise endpoint detection and response (EDR), such as Microsoft Defender, to monitor endpoint devices for suspicious or malicious behaviours
• Incident response planning
  • Develop an incident response plan and supplementary playbooks which detail the actions to be undertaken by an organisation in the event of a cyber incident
  • Clearly define the roles and responsibilities of the teams involved in the cyber incident response team (CIRT)
  • Perform regular testing of the incident response plan and implement lessons learned to ensure the plan is fit for purpose
• Security audits and assessments
  • Conduct regular validation scanning to ensure configuration baselines and security patches are being applied appropriately
  • Engage with independent third parties to perform periodic vulnerability assessment and penetration testing exercises to identify any security flaws
• User awareness and training
  • Educate users on the risks associated with phishing emails, social engineering and suspicious attachments or links
  • Promote the use of multi-factor authentication throughout the organisation

Future trends

The digital landscape is ever-evolving, this is also true of the cyber security realm which is constantly challenged by increasingly sophisticated and relentless cyber-attacks. As organisations embrace digital transformation, the risk of cyber-attack grows exponentially, making it imperative for organisations to maintain strict controls over their digital footprints to manage this risk. The ransomware landscape has witnessed a significant shift with the adoption of additional tiers of extortion, thus amplifying the potential consequences for target organisations. While instances of triple and quadruple tiers of extortion are still an emerging trend, instances of expansion on these tactics are constantly being developed.

Social media has become a life blood for most organisations. Threat actors in some instances demand ransom payment to refrain from posting damaging content or to return control of the accounts to an organisation. Unauthorised access to an organisation’s social media and leveraging this for extortion purposes can have severe and far-reaching consequences. This can include:

• Brand reputation damage: Social media platforms have become a direct line of communication between an organisation and their customers or stakeholders. Unauthorised access to such a platform could allow threat actors to post false, malicious, or offensive content, tarnishing the reputation of an organisation. This could lead to a loss of trust in the organisation and impact the brand image in the long term.
• Legal and regulatory consequences: Unauthorised access and misuse of social media accounts may lead to legal ramifications, especially if the content posted violates copyright, defamation, or privacy laws. Additionally, organisations may face penalties for failing to protect sensitive information, such as customer data stored within social media accounts.
• Disruption of business operations: Unauthorised access to social media accounts could result in the suspension or removal of such accounts by the platform administrators. This disruption can hinder an organisation’s ability to communicate with customers, advertise products or services, and maintain a strong online presence.
• Spread of malicious content: Threat actors could utilise the platform to launch further malware or phishing attempts. Potentially infecting the organisations followers or customers. This can lead to further data breaches and security incidents.
• Rebuilding trust and recovery costs: In the aftermath of unauthorised access to an organisation’s social media platforms, the rebuilding of trust with customers and stakeholders can be an arduous process. Recovery efforts, such as security audits, brand monitoring and communication with customers, come with associated costs.

To protect against unauthorised access and subsequent extortion attempts to social media platforms an organisation should implement robust security controls, such as:

• Strong unique passwords, which are stored and shared within a password manager
• Implement multi-factor authentication against the accounts
• Implement strict access controls, so that only individuals who are authorised to access the platform maintain access
• Continuous user education on social engineering and phishing
• Implement continuous monitoring of social media accounts.

Quick detection and response to any suspicious account activity can assist with mitigating the damage caused by such attacks and safeguard an organisations brand reputation.

Conclusion

In the dynamic landscape of cyber security, the rise of multi-tiered extortion avenues in ransomware incidents presents a formidable challenge to organisations. As threat actors continue to evolve their tactics, the consequence of falling victim to such attacks remains increasingly severe. Extortion techniques leveraged in ransomware incidents continue to evolve in complexity and demand an equally comprehensive and proactive defence strategy.

To effectively contain and mitigate the risk of falling victim to ransomware and the threat of extortion, organisations must adopt a multi-layered approach to their cyber security posture. Implementing robust security measures, such as the implementation of an internal cyber security framework which encompasses the application of operating system, application and device firmware patches, implementation and regular maintenance of EDR toolsets, network segmentation, regular user awareness training on social engineering and phishing, and strong access controls fortifies both the internal network of the organisation to prevent spread across different network segments, and also the organisations perimeters against initial access. Additionally, prioritising regular back-ups following NCSC best practises, regular integrity testing of back-ups, and employee training empowers organisations to withstand the impact of data exfiltration and potential ransom demands.

However, triple- and quadruple-extortion tactics currently utilised by threat actors are not the only concern organisations should be mindful of. As we look to the future new challenges await, including the risk of unauthorised access to social media and its detrimental impact on an organisation’s reputation. The potential for threat actors to exploit social media accounts for extortion, market manipulation, propaganda and further compromise emphasises the importance of securing all digital assets and communication channels.

The future of cyber security demands a collective effort from individuals, organisations and governments alike. By fostering a collaborative cyber security ecosystem, sharing threat intelligence and embracing new technologies, we can better protect our digital infrastructure and data from relentless and ever-evolving threat actors.