
Extortionware – how bad actors are taking the shortest path to your money


Ransomware on the rise

We’d all like ransomware to be defeated so we can go about our business. That day is not coming any time soon. According to the 2023 Verizon Data Breach Investigations Report (DBIR), ransomware “…continues its reign as one of the top Action types present in breaches, and while it did not actually grow, it did hold statistically steady at 24%.”

The fundamental reason for its longevity is, of course, financial. As the DBIR points out across nearly all breach types, “…the primary motivation for attacks continues to be overwhelmingly financially driven, at 95% of breaches.”

But that’s not the whole story

Ransomware is taking on new forms. Until the past year or so, bad actors would typically infiltrate a business, gain access to as much critical data as they could, encrypt it, and then hold that data hostage until the ransom was paid. A ransomware attack is a frustrating process for the business and a rather involved one for the attackers. For the attackers, the basic ransom scheme also yields a diminished payoff for any one participant, because it is a multi-player operation in which the proceeds are shared among the other criminals in the attack chain (the developers who supply the encryption payload, the brokers who sell initial access, and the affiliates who run the intrusion).

Encryption to some bad actors is passé

When it comes to digital crime, never underestimate the greed factor and the ongoing search for a path of least resistance. A trend that has been building recently centers on a simple question: “Why bother with encryption at all? Why not just analyze the data, find what is valuable, and threaten to expose the most crucial and reputation-damaging information?”

For bad actors, skipping encryption removes one step from the attack chain, and it also removes the need to share profits with the parties who supply the encryption payload (the operators of commoditized ransomware code). This type of attack is often referred to as “extortionware” or “cyber extortion,” among other terms.

And what about that Data?

For bad actors who take the time and effort to analyze the stolen data, there can be additional financial rewards. This newer focus centers on identifying the partners and clients of the targeted business and using that group as leverage: the attackers threaten to contact or expose those third parties in order to convince the targeted business to pay, so that it can avoid the otherwise inevitable exposure and consequences of the breach.

How far has this extortionware gone?

When a set of tactics and techniques recurs often enough, the security industry tends to categorize them, and that has happened here. You will find variations on how ransomware extortion is carried out, but the following is a very quick summary of at least four known techniques that bad actors have been using, listed by how many layers of pressure they stack on the victim:

  • Single extortion attack – the classic technique: encrypt the victim’s data and demand payment for the decryption key
  • Double extortion attack – exfiltrate the data first, then encrypt it, and threaten to publish the stolen data if the ransom is not paid
  • Triple extortion attack – as above, but also pressuring the victim’s customers and partners, whose data was among the stolen files
  • Quadruple extortion attack – adding insult to injury, threatening a DDoS attack against the victim’s public-facing web servers on top of the above
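The double-extortion step above, stealing the data before encrypting it, is the point in the chain where a defender still has time to act, because the exfiltration has to cross the network edge before the ransom note appears. The following is an added example, not Cisco code and not from the original post, of the kind of detection logic a SOC might run over egress flow records: it compares each host’s hourly outbound volume to its own baseline and flags hours where an unusually large volume goes to destinations the host has never talked to before. The log format, hostnames, IP addresses and thresholds are all constructed assumptions for the illustration.

```python
"""Flag candidate data-exfiltration hosts from egress flow records.

Added example for this post; not Cisco XDR logic. The record format
("timestamp src_host dst_ip dst_port bytes_out"), the hosts, the
destination IPs and the thresholds below are assumptions chosen for
illustration, not real telemetry.
"""
from collections import defaultdict
from datetime import datetime

# Constructed one-week baseline: normal SaaS traffic plus a nightly
# off-site backup job that legitimately sends hundreds of megabytes.
BASELINE_FLOWS = """\
2024-05-01T09:00:00 ws-fin-07 52.96.0.10 443 120000
2024-05-01T10:00:00 ws-fin-07 52.96.0.10 443 340000
2024-05-01T11:00:00 ws-fin-07 142.250.0.5 443 90000
2024-05-01T09:00:00 file-srv-02 52.96.0.10 443 2000000
2024-05-01T10:00:00 file-srv-02 52.96.0.10 443 1500000
2024-05-01T01:00:00 backup-01 34.120.5.5 443 700000000
2024-05-02T01:00:00 backup-01 34.120.5.5 443 650000000
"""

# Constructed recent window: file-srv-02 pushes ~1.3 GB at 02:00 to an
# address it has never contacted; backup-01 runs its usual nightly job.
RECENT_FLOWS = """\
2024-05-08T09:00:00 ws-fin-07 52.96.0.10 443 150000
2024-05-08T02:00:00 file-srv-02 52.96.0.10 443 1000000
2024-05-08T02:00:00 file-srv-02 185.220.101.7 443 900000000
2024-05-08T02:00:00 file-srv-02 185.220.101.7 443 450000000
2024-05-08T01:00:00 backup-01 34.120.5.5 443 720000000
"""


def parse_flows(text):
    """Parse whitespace-separated flow lines into dicts."""
    flows = []
    for line in text.strip().splitlines():
        ts, host, dst, port, nbytes = line.split()
        flows.append({"ts": datetime.fromisoformat(ts), "host": host,
                      "dst": dst, "port": int(port), "bytes": int(nbytes)})
    return flows


def hour_key(ts):
    """Bucket a timestamp to the hour, e.g. '2024-05-08T02'."""
    return ts.strftime("%Y-%m-%dT%H")


def hourly_volume(flows):
    """host -> {hour -> total outbound bytes}."""
    vol = defaultdict(lambda: defaultdict(int))
    for f in flows:
        vol[f["host"]][hour_key(f["ts"])] += f["bytes"]
    return vol


def known_destinations(flows):
    """host -> set of destination IPs seen in the baseline."""
    seen = defaultdict(set)
    for f in flows:
        seen[f["host"]].add(f["dst"])
    return seen


def find_exfil_candidates(baseline, recent, multiplier=10,
                          min_bytes=100_000_000, new_dst_share=0.5):
    """Return hours where a host sent at least `min_bytes`, at least
    `multiplier` times its busiest baseline hour, and at least
    `new_dst_share` of that volume went to destinations absent from its
    baseline. A host with no baseline at all (peak 0) is judged on
    `min_bytes` alone, so a brand-new big talker is still surfaced.
    The multiplier keeps a legitimate nightly backup, whose volume is
    large but in line with its own history, from being flagged."""
    base_vol = hourly_volume(baseline)
    base_dst = known_destinations(baseline)
    findings = []
    for host, hours in hourly_volume(recent).items():
        peak = max(base_vol[host].values(), default=0)
        for hour, total in hours.items():
            if total < min_bytes or total < multiplier * peak:
                continue
            new_flows = [f for f in recent if f["host"] == host
                         and hour_key(f["ts"]) == hour
                         and f["dst"] not in base_dst[host]]
            to_new = sum(f["bytes"] for f in new_flows)
            if to_new / total >= new_dst_share:
                findings.append({
                    "host": host, "hour": hour, "bytes": total,
                    "new_destinations": sorted({f["dst"] for f in new_flows}),
                    "new_dst_share": round(to_new / total, 3),
                })
    return findings


if __name__ == "__main__":
    for hit in find_exfil_candidates(parse_flows(BASELINE_FLOWS),
                                     parse_flows(RECENT_FLOWS)):
        print(f"{hit['host']} {hit['hour']} sent {hit['bytes']:,} bytes, "
              f"{hit['new_dst_share']:.0%} to new destinations "
              f"{hit['new_destinations']}")
```

Run against the constructed records, only file-srv-02 is reported; backup-01 moves more bytes in absolute terms but to its usual destination and at its usual volume, which is exactly the false positive a volume-only rule would raise. In practice the baseline would come from a week or more of NetFlow, proxy or cloud VPC flow logs, and a hit like this would be escalated for a SOC analyst to confirm before anything is blocked.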

What is a business to do?

The good news is that most businesses already do most of what is required to defend themselves against these types of attacks. But as everyone is aware, the attacks keep occurring, and they will continue for as long as a financial profit is realizable.

Fundamentally the most successful businesses employ, but are not limited to, three key areas of defense:

  • SOC Expertise – human expertise, whether in-house or managed, has the final say on what is an incident and how it is handled.
  • Advanced Security Tools – XDR, AI, automation, and similar capabilities that reduce detection and remediation times, minimize human error, and support triage, investigation, and incident response.
  • Best Practices – being able to answer simple questions such as (1) does your security staff have specific roles when a breach occurs, (2) beyond having a plan, has it been tested? and (3) are IT, SecOps, and the other stakeholders bought into the plan?

Example of an Advanced Security Tool

Cisco recently announced Cisco XDR, a product that helps simplify security operations and remediate the highest-priority incidents with greater speed, efficiency, and confidence.

The name of the game is security resilience: minimizing the likelihood and the impact of attacks such as extortionware. Please check out the Cisco XDR info and demos here.

