Ransomware gangs are changing their tactics to counter the advances made by the cybersecurity industry and have begun to fight dirty by putting even more pressure on victims to pay up.
According to cybersecurity company SecureWorks’ annual State of the Threat Report, over the last 12 months, attackers have shortened the time between the initial penetration of the corporate network to the ransomware demand itself from 4.5 days to less than one day. This period, known in the cybersecurity industry as ‘dwell time’, offers well-equipped cybercriminals a leisurely opportunity to drain the company of funds and its most sensitive secrets. In 10 percent of cases, ransomware was even deployed within five hours of initial access.
“The driver for the reduction in median dwell time is likely due to the cybercriminals’ desire for a lower chance of detection. The cybersecurity industry has become much more adept at detecting activity that is a precursor to ransomware. As a result, threat actors are focusing on simpler and quicker ways to implement operations,” said Don Smith, VP of Threat Intelligence, SecureWorks Counter Threat Unit.
So the good news is that the cybersecurity industry’s focus on threat intelligence and attack detection has paid off by considerably narrowing the cybercriminals’ window of opportunity to cause damage. But the bad news is that a new generation of lean and hungry threat actors is now roaming the ransomware landscape and employing new ways of tightening the thumbscrews on their corporate victims.
“While some familiar names including GOLD MYSTIC (LockBit), GOLD BLAZER (BlackCat/ALPHV), and GOLD TAHOE (Cl0p) still dominate the ransomware landscape, new groups are emerging and listing significant victim counts on ‘name and shame’ leak sites,” says SecureWorks.
Gangs “name and shame” their corporate victims
‘Name and shame’ is the practice of adding time pressure to the ransom demand by immediately starting to publish the victim organization’s most sensitive data on leak sites on the Dark Web, sometimes auctioning the most valuable and sensitive information to the highest bidder. Threatening to release the data, rather than merely keeping it encrypted and out of reach, is known as ‘double extortion’ and has been around almost as long as ransomware itself. What differentiates the new ransomware gangs from their more established rivals is their readiness to ratchet up the pressure by releasing large volumes of data at an early stage of their communications with the company whose data has just been encrypted.
According to cybersecurity firm Asceris: “While all ransomware groups share the same objective, they employ different tactics to achieve their goal. Victims are usually named on the attacker’s data leak site, but the nature and the volume of data that is presented varies considerably by threat group.”
This narrows the victim company’s window of opportunity to consult with the authorities, liaise with advisers, shareholders and clients, and, where legally appropriate, negotiate with the cybercriminals in order to minimize long-term corporate damage as far as possible.
“Organisations that find themselves in the middle of a ransomware attack are under immense pressure to make the right decisions quickly based on limited information. Anyone considering negotiation with a ransomware actor should understand their modus operandi, and how they typically use their leak site to make higher ransom demands and increase the chances of payment,” says Asceris. “Organisations need to understand who they are dealing with, remain calm and composed, and ensure that they have the right information and monitoring at their disposal.”
In the ongoing battle between the ransomware gangs, who now measure their takings in billions, and the cybersecurity industry, things just got a lot meaner.