More and more ransomware is just data theft, not encryption • The Register

Comment These days it is hard to find a ransomware group that doesn’t also steal data and promise not to sell it if a ransom is paid. Increasingly, these criminals go the route of pure extortion and don’t even bother to encrypt your files at all.

As we mentioned earlier, by abandoning cryptography and simply exfiltrating information, crooks don’t have to bother writing complex malware backed by a backend infrastructure, storing and selling decryption keys, and all the other fiddly steps that come with classic ransomware. Data theft and extortion are cleaner and easier.

The Lapsus$ crew emerged earlier this year as a pure extortion gang and attacked the Brazilian government before targeting such high-profile companies as Nvidia, Okta and Samsung. Karakurt is another new extortion-only crew that has demanded payments of up to $13 million and may be involved with the Conti ransomware-as-a-service (RaaS) gang.

A separate category

It’s worth distinguishing between classic ransomware infections and data theft by extortionists, says Claire Tills, senior research engineer at Tenable.

By treating ransomware and data theft separately, rather than lumping everything together, people will have a better idea of what types of attacks are currently the most prevalent, how they happen and how to stop them, and what IT priorities should be for defense, data recovery and so on.

“It makes sense to have a separate category to examine pure extortion attacks versus ransomware,” Tills told The Register, noting that the notorious RaaS gang LockBit had issued guidelines for affiliates that included not using file encryption against organizations in industries like healthcare. Encrypting documents in hospitals can prevent people from being treated and delay procedures and medications. Exfiltration, by contrast, is generally not as destructive or disruptive as ransomware and does not require restoring from backups, but it can be quite harmful if the data is leaked.

“The fact that LockBit mandated pure blackmail attacks for specific targets proves that it makes sense to analyze the difference between encryption malware and ‘we just steal data and then threaten to sell it’.

“The tactics are different, the psychology is different and the disruptions for companies are different because when they encrypt your systems it’s a very different mentality on the response side than when they threaten to sell your sensitive data.”

Cybersecurity firm Digital Shadows already makes this distinction in its quarterly ransomware reports by excluding figures from pure-play extortion groups, Ivan Righi, one of its intelligence analysts, told The Register.

“Ransomware groups can cause disruptions in victims’ networks, which can result in significant damage or financial loss,” he said, noting the particular risk to organizations in critical sectors, as was seen in last year’s attack on Colonial Pipeline. “Extortion groups also pose a major threat, but these attacks are unlikely to cause disruption.”

“Knowing the differences can help defenders better prepare for and respond to risks posed by these threat actors,” Righi said.

The psychological side of the threats

Then there are the different psychological burdens on organizations, Tills said. With ransomware, there is the fear of data loss and the impact on operations. Extortion also carries the risk that customers, partners, analysts and the media will learn of the attack if the data is posted online. The extortionists can also contact the victim’s customers and partners directly and pressure them to play along and pay. This causes additional pain.

“They say, ‘If we can reach their customers using this data, we know their customers are going to call customer service,’” she said. “It’s not just an IT issue now. It’s a customer support issue and then it’s going to be investor relations, it’s going to be public relations.”

While security teams take steps to protect against both ransomware and extortion, remediation is different, Timothy Morris, chief security advisor at Tanium, told The Register.

“With the former [organizations] plan to recover corrupted data or pay the ransom to get it back,” Morris said.

“For the latter, it’s a PR nightmare. You can’t put the toothpaste back in the tube, so expect more risk. Pay the blackmail fee and hope the criminals delete the data… Pay the blackmail fee and the data is leaked anyway, plus the reputational damage and legal liability that ensue.”

Adding nuance to the conversation can be important for security teams as they plan their defenses.

“You can say, ‘Here’s what we’re doing for ransomware, and here’s what the results are [and] here’s what we should expect,’ and then: ‘Here’s pure extortion. Here is the threat, here is the risk, here are the results of our behavior,’” Tills said. “All of that helps you break it down and come up with plans that are a lot less complete.”

You can thank Maze

The double extortion trend started in 2020 with the Maze crew, who were the first to not only encrypt a victim’s data but also steal it, threatening to release it publicly if the ransom was not paid.

“The impact of Maze on the current state of ransomware should not be underestimated,” Rapid7 researchers wrote in a July report. “Maze … popularized another source of income for these bad actors, leaning on the victims themselves for more money.”

It also gave cybercriminals another way to put pressure on organizations that might otherwise have relied on backups and other recovery tools. If you were organized enough to recover the encrypted data yourself, the threat of it being leaked would push you to pay anyway. The shift to pure extortion attacks is a natural progression.

In a report earlier this year, Tenable researchers wrote that “double extortion is at the heart of ransomware’s current success.” This led ransomware groups to add other extortion tactics, and “some have dubbed these tactics ‘triple extortion’ or ‘quadruple extortion’, though whatever you call them, these tactics remain part of the same extortion tree.”

An easier way

Extortion is an easier route for crooks, Morris said. The Conti leaks earlier this year showed just how organized and complex these ransomware groups can be. Extortion does not require such complicated operations, and the attackers do not have to deal with other groups.

“Ransomware complicates things for threat actors,” he said. “They have to deal with the logistics of keys, as well as issues where encryption or decryption doesn’t work, leading to tech support headaches and a bad reputation… Managing the keys for ransomware can involve other partners within the criminal gangs. Not dealing with these affiliates has its perks.”

However, Morris isn’t convinced that pure extortion needs its own category.

“Ransomware, blackmail (to prevent company data from leaking) and extortion (to prevent individual data from leaking) are all forms of extortion in my opinion,” he said. “The trends towards lower ransom payments and higher extortion amounts are worth monitoring.”

Regardless of whether pure-play extortion groups get their own category, the trend toward extortion among threat groups will continue, Tenable’s Tills said.

“We’re going to see more groups specializing,” she said.

“I don’t think it will ever become universal. There’s always going to be those jack-of-all-trades groups that just jump in and pull what they want. But in the last six months we’ve seen more groups shift to extortion because it’s easier, it’s faster, it can be higher volume, they don’t have to work with affiliates, they can work directly with initial access brokers, they can do it all themselves.

“There’s not as much infrastructure and bureaucracy as there is with the ransomware groups, so I think we’ll continue to see that [grow]. But there will always be groups floating around in that middle and making things weird.” ®

Rick Schindler
