Ransomware is still one of the most serious cybersecurity risks that organizations and governments face. However, as organizations make a conscious decision to deny ransom payment demands, cybercriminals are devising new methods to recover ransom from their victims.
The fall of the best-known ransomware gang, Conti, in May 2022 was expected to bring a significant decrease in ransomware attacks. Tenable found that 35.5% of breaches in 2022 were caused by a ransomware attack, a slight 2.5% decline from 2021.
Meanwhile, ransomware payouts are expected to fall by 38% in 2022, prompting attackers to adopt more professional, corporate-style approaches to secure larger returns, according to Trend Micro's Annual Cybersecurity Report.
“Cybercriminals increasingly have KPIs and targets to achieve. There are specific targets that they need to penetrate within a specific time period. It has become a very organized crime because of the business model that the ransomware groups follow because of which they have started increasing the pressure,” said Maheswaran S, country manager at Varonis Systems.
Double extortion is a strategy that ransomware groups are increasingly employing: in addition to encrypting the files on the victim's devices, the group also exfiltrates private data from the victim's machines.
“This gives them more leverage, since now the question is not only about decrypting the locked data but also about leaking it,” Mehardeep Singh Sawhney, a threat researcher at CloudSEK, said.
The BlackCat ransomware group is one example. According to CloudSEK, this gang can encrypt and steal data from victims' PCs as well as from other assets, such as ESXi servers.
According to cybersecurity firm Redacted, the ransomware group BianLian shifted the focus of its attacks in March from encrypting victims' files to pure extortion as a means of extracting cash. Some ransomware criminals go a step further with a triple extortion strategy.
In triple extortion, the gangs encrypt files, exfiltrate sensitive data, and then add distributed denial-of-service (DDoS) attacks to the mix. If the ransom is not paid, not only do the files stay locked, but regular services are also disrupted by the DDoS traffic.
Another strategy ransomware groups use to pressure target organizations is to contact the attacked company's customers or stakeholders directly. Because this harms the victim organization's reputation and can often cause financial damage greater than the ransom, victim organizations tend to pay up, according to Maheswaran.
According to Sawhney, ransomware groups contact the victims' customers directly via email or phone calls. The Cl0p ransomware group, for example, emailed stakeholders and customers of its victims, warning them that their data would be disclosed.
“Cl0p also maintained a website where a list of their victims and stakeholders was updated every day. This adds more pressure on the victim firm, making it seem like the fastest way to end the attack is to pay the ransom amount,” Sawhney said.
Lorenz ransomware and LockBit, in addition to contacting customers and stakeholders, published their ransom negotiations with victim organizations on their leak sites. "It can further damage the company's reputation and increase the perceived urgency of the ransom demand," cybersecurity firm Cyble stated in its research.
According to Maheswaran, while organizations are deploying more controls to protect the assets that store or access critical data, they do not necessarily deploy the right controls around the data itself, which is what makes it difficult for an attacker to access or corrupt that data.
To effectively respond to ransomware outbreaks, organizations' cybersecurity solutions must be responsive, agile, and easily scalable, which is best achieved through a combination of cloud and machine learning analytics, said Harshil Doshi, country director at Securonix.
“It is easier to avoid paying the ransom if you detect the risk before encryption occurs. Or you can avoid ransomware response workflows altogether by having an effective endpoint backup strategy,” Doshi added.
To safeguard employees from skilled attackers, organizations should take several measures, including identifying sensitive data and restricting access to it in order to limit the damage an attacker could cause. Additionally, adopting multifactor authentication reduces the likelihood of being hacked by 99%, and monitoring user activity for any signs of suspicious behavior is critical.
It is also essential to have standard operating procedures for responding to ransomware incidents, along with user awareness programs so that staff can identify and report breaches, according to Maheswaran. CloudSEK recommends backing up critical data in a secure location so it can be restored after a ransomware attack. Organizations must keep their operating systems, software, and security tools up to date with the latest security patches, and use reliable antivirus and antimalware software that is regularly updated.
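The advice above to monitor user activity for suspicious behavior, and Doshi's point that ransomware is far easier to handle when it is detected before encryption finishes, can be made concrete with a small detection heuristic. The following is an added example, not code from the article or from any of the vendors quoted in it. It scans file-activity events (the log format, thresholds, decoy path and sample events are all constructed for illustration) and raises an alert when one account renames or overwrites a burst of files to an unfamiliar extension within a short window, or touches a decoy "canary" file that no legitimate workflow should modify.

```python
"""Added example (not from the article): flag the burst of renames and
overwrites that accompanies mass file encryption, plus any touch of a
decoy file, so the activity can be investigated while it is under way.
Log format, thresholds, paths and events below are constructed."""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
import os

WINDOW = timedelta(seconds=60)     # constructed thresholds; tune per environment
BURST_THRESHOLD = 5
# Extensions ordinary work produces; anything else appearing in bulk is suspicious.
KNOWN_EXTENSIONS = {".docx", ".xlsx", ".pdf", ".txt", ".pptx", ".jpg", ".png"}
# Constructed decoy file that no real workflow should write to or rename.
CANARY_PATHS = {"/share/finance/_do_not_touch.xlsx"}

# Constructed sample events: timestamp, user, action, path (RENAME carries "old -> new").
SAMPLE_EVENTS = """\
2024-01-15T09:00:01 alice WRITE /share/finance/q1.xlsx
2024-01-15T09:00:12 alice WRITE /share/finance/q2.xlsx
2024-01-15T09:00:25 alice WRITE /share/finance/q3.xlsx
2024-01-15T09:00:40 alice WRITE /share/finance/q4.xlsx
2024-01-15T09:00:50 alice WRITE /share/finance/summary.docx
2024-01-15T09:01:05 bob WRITE /share/hr/notes.docx
2024-01-15T09:01:10 bob RENAME /share/hr/policy.docx -> /share/hr/policy.docx.lockd
2024-01-15T09:01:15 bob RENAME /share/hr/salaries.xlsx -> /share/hr/salaries.xlsx.lockd
2024-01-15T09:01:20 bob RENAME /share/hr/handbook.pdf -> /share/hr/handbook.pdf.lockd
2024-01-15T09:01:25 bob RENAME /share/hr/org.pptx -> /share/hr/org.pptx.lockd
2024-01-15T09:01:30 bob RENAME /share/hr/readme.txt -> /share/hr/readme.txt.lockd
2024-01-15T09:01:35 bob RENAME /share/hr/photo.jpg -> /share/hr/photo.jpg.lockd
2024-01-15T09:05:00 carol WRITE /share/finance/_do_not_touch.xlsx
"""


@dataclass
class Event:
    ts: datetime
    user: str
    action: str
    path: str   # for RENAME this is the destination path


def parse_event(line):
    """Parse one constructed log line into an Event."""
    ts_str, user, action, rest = line.split(" ", 3)
    if action == "RENAME":
        _, _, dest = rest.partition(" -> ")
        path = dest.strip()
    else:
        path = rest.strip()
    return Event(datetime.fromisoformat(ts_str), user, action, path)


def parse_log(text):
    return [parse_event(l) for l in text.splitlines() if l.strip()]


def suspicious_extension(path):
    """True when the file's extension is not one ordinary work produces."""
    return os.path.splitext(path)[1].lower() not in KNOWN_EXTENSIONS


def detect(events):
    """Return alerts for canary touches and per-user bursts of suspicious writes/renames."""
    alerts = []
    windows = defaultdict(deque)   # user -> suspicious events inside the sliding window
    already_flagged = set()
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.path in CANARY_PATHS and ev.action in ("WRITE", "RENAME"):
            alerts.append({"user": ev.user, "rule": "canary_touched",
                           "at": ev.ts.isoformat(), "count": 1})
        if ev.action not in ("WRITE", "RENAME") or not suspicious_extension(ev.path):
            continue
        win = windows[ev.user]
        win.append(ev)
        while win and ev.ts - win[0].ts > WINDOW:   # drop events older than the window
            win.popleft()
        if len(win) >= BURST_THRESHOLD and ev.user not in already_flagged:
            already_flagged.add(ev.user)   # one alert per user, not one per file
            exts = sorted({os.path.splitext(e.path)[1].lower() for e in win})
            alerts.append({"user": ev.user, "rule": "rename_burst", "at": ev.ts.isoformat(),
                           "count": len(win), "extensions": exts})
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_log(SAMPLE_EVENTS)):
        print(alert)
```

In the constructed sample, alice's steady edits to spreadsheets produce no alert, bob's run of renames to an unknown `.lockd` extension is flagged on the fifth file rather than after the whole share is encrypted, and carol's write to the decoy file is flagged immediately regardless of volume. In practice the event feed would come from file-server auditing or an EDR agent, and the alert would be wired to an automated response such as disabling the account or isolating the host.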