Comment It’s getting difficult these days to find a ransomware group that doesn’t steal data and promise not to sell it if a ransom is paid off. What’s more, these criminals are going down the extortion-only route, and not even bothering to scramble your files with encryption.
As we’ve pointed out before, by ditching all that fiddly cryptography and just exfiltrating information, miscreants don’t have to bother writing complex malware backed by a backend infrastructure, storing and selling decryption keys, and all the other steps that come with classic ransomware. Data theft and extortion is cleaner and easier.
The Lapsus$ team burst onto the scene earlier this year as an extortion-only gang, hitting up the government of Brazil before targeting such high-profile companies as Nvidia, Okta, and Samsung. Karakurt is another new extortion-only crew that has demanded payments as large as $13 million and could be involved with the Conti ransomware-as-a-service (RaaS) gang.
A category of their own
It’s worth making a distinction between classic ransomware infections and data heists by extortionists, Claire Tills, a senior research engineer at Tenable, believes.
Treating ransomware and data theft separately, rather than lumping it all together, will give people a better idea of what types of attack are most prevalent right now, how they happen and how to stop them, what your priorities should be with your IT defenses and data restoration, and so on.
“There’s value in having a separate category to examine extortion-only attacks versus ransomware,” Tills told The Register, noting that notorious RaaS gang LockBit had issued guidelines for affiliates that included not using file encryption against organizations in such industries as healthcare. Scrambling documents in hospitals can prevent people getting treated and hold up procedures and medications. Just in general, for instance, exfiltration is not as destructive or disruptive as ransomware, and doesn’t require restoration from backups, but can be rather damaging if the data leaks.
“The fact that LockBit has mandated extortion-only attacks for particular targets proves that there’s value in parsing the difference between encryption malware and ‘we’re just stealing data and then threatening to sell it.’
“The tactics are different, the psychology is different, and the disruption to companies is different because if they’re encrypting your systems, it’s a whole different mentality on the response side versus if they’re threatening to sell your sensitive data.”
Cybersecurity outfit Digital Shadows already makes this distinction in its quarterly ransomware reports, by excluding the numbers from extortion-only groups, one of its intelligence analysts Ivan Righi told The Register.
“Ransomware groups can cause disruptions in victims’ networks, which can result in significant damages or financial losses,” he said, noting the particular risk to organizations in critical sectors, as seen in the Colonial Pipeline attack last year. “Extortion groups also pose a large threat, but these attacks are not likely to cause disruptions.”
“Knowing the differences can help defenders better prepare and respond to risks posed by these threat actors,” Righi said.
The psychological side of the threats
There also are the different psychological pressures on organizations, Tills said. With ransomware, the fear is loss of data and the impact on operations. With extortion, there also is the threat of customers, partners, analysts, and the media learning about the attack when the data is dumped online. The extortionists can also contact and pressure victims’ customers and partners into urging the victims to play ball and pay the hush money. That causes extra pain.
“They say, ‘If we reach out to their customers from this data we have, we know their customers are going to call customer support,'” she said. “It’s now not just an IT issue. It is a customer support issue and then it’s going to be investor relations, it’s going to be public relations.”
Also, while security teams will take steps to protect against ransomware and extortion, remediation is different, Timothy Morris, chief security advisor at Tanium, told The Register.
“With the former, [organizations] plan to restore destroyed data or pay the ransom to get it back,” Morris said.
“For the latter, it’s a PR nightmare. You can’t put the toothpaste back in the tube, so there is more risk to calculate. Pay the extortion fee and hope the criminals delete the data … pay the extortion fee and the data is leaked anyway, plus the reputational damage and legal liability that ensues from either.”
Adding nuance to the conversation can be important for security teams as they plan their defense.
They can say “‘here’s what we do for ransomware and hear are the outcomes [and] here’s what we should expect’ and then, ‘Here’s extortion-only. Here’s the threat, here’s the risk, here are the outcomes for our behaviors,'” Tills said. “All of that helps you break it down and develop plans that are much less all over.”
You can thank Maze
The double-extortion ransomware trend started in 2020 with the Maze crew, the first to not only encrypt a victim’s data but also to steal it and threaten to publicly release it if the ransom wasn’t paid.
“Maze’s influence on the current state of ransomware should not be understated,” Rapid7 researchers wrote in a report in July. “Maze … popularized another revenue stream for these bad actors, leaning on the victims themselves for more money.”
It also gave cybercriminals another way to apply pressure to organizations that may have used of data backups and other tools. If you were organized enough to be able to restore the scrambled data yourself, the threat of it being leaked will pressure you into paying up anyway. The shift to extortion-only attacks is a natural evolution.
In a report this year, Tenable staff wrote that “double-extortion is the linchpin for ransomware’s current success.” That led to ransomware groups adding other extortion tactics and “some have called these tactics ‘triple extortion’ or ‘quadruple extortion,’ though whatever you choose to call it, these tactics remain part of the same extortion tree.”
An easier path
Extortion is an easier path for crooks, Morris said. The leak of the Conti information this year showed how organized and complex these ransomware groups can be. Extortion doesn’t require such complicated operations and the attackers don’t have to deal with other groups.
“Ransomware complicates things for the threat actors,” he said. “They must deal with the logistics of keys, plus issues where encryption or decryption doesn’t work, creating technical support headaches and bad reputations … The administration of the keys for ransomware can involve other affiliates within the criminal gangs. Not dealing with those affiliates has its advantages.”
That said, Morris isn’t convinced that extortion-only needs its own category.
“Ransomware, extortion (to prevent leaked company data), and extortion (prevent leaked individual data) are all forms of extortion in my opinion,” he said. “The trends of lower ransom payouts and increase extortion amounts is worth tracking.”
Whether extortion-only groups get their own category, the trend toward extortion among threat groups will continue, Tenable’s Tills said.
“We will see more groups specializing,” she said.
“I don’t think it’ll ever become universal. There will always be those jack-of-all-trade groups that just jump in and pull whatever they want. But over the last six months, we’ve seen more groups filtering themselves into pure extortion because it’s easier, it’s quicker, it can be a higher volume. They don’t have to work with affiliates. They can work directly with initial access brokers. They can do it all themselves.
“There’s not as much infrastructure and bureaucracy as you had with the ransomware groups, so I do think we’ll continue to see that [grow]. But there will always be groups that kind of float around in that middle, making things weird.” ®