Content, Content

Cyber Blackmail Gains Traction in Ransomware Hijackers’ Tool Set

Cyber hijackers are increasingly using double extortion techniques, locking up systems and also blackmailing their victims into coughing up hundreds of thousands of dollars lest they see their sensitive data posted on the dark web, Palo Alto Networks’ Unit 42 security researchers said.

Indeed, the number of victims whose data was posted on leak sites rose 85 percent in 2021 to 2,566 organizations, according to Unit 42's analysis. Six in 10 leak site victims were in the Americas, followed by 31 percent in Europe, the Middle East and Africa, and nine percent in the Asia-Pacific region. In 2021, 35 new gangs emerged that use such tactics, Unit 42 said.

Among the incident response cases the security wing analyzed, ransom demands and payments rose noticeably in 2021, with the average demand spiking to $2.2 million and the average payment rising to $541,000. On average, ransom demands rose by roughly 144 percent from the prior year, while payments climbed 78 percent during the same period.

Actual payments expressed as a percentage of the demand show paint a more optimistic picture, said Unit 42’s researchers. “While the raw numbers have gone up, it is important to note the payouts tend to be significantly less than initial ransom demands,” the analysts wrote in a blog post. “We calculated actual payments were, on average, 42 percent of the initial ransom amount.”

Hackers levied ransomware attacks most often on the professional and legal services, construction, wholesale and retail, healthcare and manufacturing sectors.

The Conti ransomware group carried out most of the attacks last year, accounting for more than 20 percent of cases worked by Unit 42 consultants in 2021. At seven percent, REvil was the second most frequent perpetrator, followed by Hello Kitty and Phobos at five percent each. Conti also posted the names of 511 organizations on its Dark Web leak site, the most of any group.

In addition to crews using multiple extortion techniques to pry money from their victims, ransomware’s reach is extending through networks of affiliates. Unit 42 identified 56 active ransomware-as-a-service groups in 2021, some of which had been operating since 2020.

"In 2021, ransomware attacks interfered with everyday activities that people all over the world take for granted – everything from buying groceries, purchasing gasoline for our cars to calling 911 in the event of an emergency and obtaining medical care," said Jen Miller-Osborn, deputy director, Unit 42 Threat Intelligence.

Unit 42 suggested the following 10 steps to reduce the risk and impact of a ransomware attack:

  1. Stay educated on the evolving threat landscape to spot the latest threats and implement the latest safeguards.
  2. Analyze the business impact of losing critical data to understand what’s really at risk, including any potential upstream and downstream consequences.
  3. Assess internal and external readiness, including any third parties, partners or supply chain elements that could introduce risks to develop a comprehensive mitigation road map.
  4. Review and test your incident response plan with tabletop exercises and purple team testing simulations to work out kinks and bolster your ability to recover.
  5. Implement a Zero Trust strategy to eliminate implicit trust and continuously validate every stage of every digital interaction to make it harder for attackers to operate.
  6. Identify exposed assets (anything on the public internet) to reduce your attack surface.
  7. Prevent known and unknown threats by continuously identifying and blocking exploits, malware, and command-and-control traffic.
  8. Automate when possible, implementing tools (e.g., security orchestration, automation and response) that support the automated remediation of events.
  9. Secure cloud workloads by leveraging best practices and implementing security measures throughout the development life cycle.
  10. Make incident response experts an extension of your team to help create a predictable incident response budget and act faster to minimize the impact of an attack.
D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.