As Ransomware Gangs Shift To Data Extortion, Some Adopt A New Tactic: ‘Customer Service’
For some attackers who are skipping the encryption — and solely pressuring victims to pay over stolen data — the goal is actually to minimize disruption, experts told CRN.
While traditional ransomware attacks have been all about maximizing disruption for victims, a growing wave of extortion attacks that don’t deploy encryption are seeking the opposite — as part of an effort to rebrand themselves almost as security advisors, cyberthreat experts told CRN.
As bizarre as it may sound, “we’re seeing this ransomware threat landscape moving more and more towards ‘customer service,’” said Deepen Desai, global CISO and head of security research at cybersecurity vendor Zscaler. Now, some threat actors are actually aiming to “provide the best experience” to victims, Desai said.
“They are trying to minimize downtime for the victim — so that they don’t suffer additional loss and they’re not in the news,” he said.
The number of threat actors that carried out data theft and extortion attacks, without encrypting victim files or systems, grew by 20 percent in 2022, CrowdStrike reported earlier this year. More recently, during the second quarter of the year, the Cisco Talos Incident Response team said it saw a 25-percent jump in encryption-less extortion attacks.
In these attacks, which include the recent widespread MOVEit campaign, threat actors have sought payment exclusively in exchange for not leaking stolen data.
Meanwhile, ransomware attack volume dropped 41 percent during the first half of the year, from the same period of 2022, SonicWall reported.
In a peculiar twist, some attackers claim they want to avoid disruption for victims as part of an effort to paint themselves almost as a security consultant, who’s merely looking to help victim organizations with improving their cyber defense posture, experts said during interviews at the Black Hat 2023 conference in Las Vegas last week.
At GuidePoint Security, No. 52 on CRN’s Solution Provider 500, the incident response team has encountered multiple cases where attackers have told their victims, “‘we did you the favor of not encrypting your environment,’” said Mark Lance, vice president for DFIR and threat intelligence at GuidePoint.
Such attackers will then provide a list of recommendations about how to better secure a breached victim’s environment, Lance said.
“For some groups, we’ve seen that they’ll send what they call a ‘security audit report,’” he said — a multi-page document providing details about how attackers gained initial access to an environment, accessed accounts and elevated user privileges.
“They laid out their entire attack chain: ‘We went to these servers, we took this information out of these drives.’ But then they also put in there the strategic recommendations — ‘in order to prevent this in the future, you need to have MFA, you need to have EDR, you need to have privileged access management,’” Lance said. “They consider themselves [to be] basically providing a security consulting service.”
Zscaler’s Desai said he’s also seen cases where attackers will provide something akin to a penetration testing report to a victim after a ransom is paid. “They’re actually handing them detailed recommendations” about what the victim should do to plug the holes in its security, he said.
“It’s like a super-expensive pentesting service,” Desai said.
Beyond providing so-called “customer service,” attackers undoubtedly have an ulterior motive for wanting to minimize disruption to victims — since disruption tends to attract government and law enforcement attention, he noted. Desai estimated that a dozen cybercriminal groups have run encryption-less data extortion campaigns to date.
‘Easier’ For Attackers
The shift by some cybercriminal groups to encryption-less attacks from traditional ransomware also has other likely causes, experts said.
First and foremost, “it’s easier — both for the hackers themselves and the victims,” said John Hammond, senior security researcher at Huntress.
“Writing ransomware is annoying and slow. And the actual encryption of the computer, at the technical level, is painfully slow,” he said.
Ultimately, when it comes to the shift to encryption-less attacks, “I think more ransomware gangs will start to do that,” Hammond said.
Skipping the encryption, and just extorting victims over their data, can also still lead to a massive payday, according to researchers.
For instance, the recent encryption-less data extortion attacks that exploited the MOVEit file transfer tool could yield between $75 million and $100 million for the cybercriminal group Clop, according to recent findings from incident response firm Coveware.
The attacks by Clop, a Russian-speaking group, exploited a critical vulnerability in MOVEit and are believed to have begun in late May.
Michael Sikorski, CTO and vice president of engineering at Palo Alto Networks’ Unit 42 division, agreed that it’s “definitely possible” that more attackers will shift to encryption-less attacks from traditional ransomware going forward — on account of the fact that encrypting is so much more difficult.
At the same time, “I think it really depends on the scenario — because if it’s somebody who’s going to be so disrupted by the encryption, you might get them to pay quicker to unlock it. Restoring from backups might be so hard,” Sikorski said. “I think it’s just going to be a case-by-case basis.”