Ransomware operators don’t just target systems and data; they also target people in their ever-increasing efforts to get the victim to pay, says Peter Mackenzie, manager of Sophos’ Rapid Response team.
Ransomware has been around for decades and continues to thrive, largely because ransomware operators are quick to evolve and adapt as the cybersecurity landscape advances.
For instance, as organizations have become better at backing up their data and restoring encrypted files from those backups, attackers have begun to supplement the traditional demand of a ransom in return for decryption keys with additional extortion measures designed to ramp up the pressure to pay.
Some of the tactics attackers use to coerce victims into paying are ruthless and could potentially be more damaging to an organization than a period of downtime. Attackers deliberately try to undermine their target’s relationships, trust and reputation. Sometimes the approach they take is very public; at other times, it’s more direct and personal.
To help organizations improve their ransomware defenses, Sophos Rapid Response has compiled the top 10 pressure tactics that adversaries used in 2021:
A long list of ransomware groups now use, have, or host a public “leak” website for exfiltrated data. The approach is now so common that any victim of a sophisticated intrusion needs to assume that a ransomware attack also means they’ve experienced a data breach.
Attackers are publishing stolen data on leak sites for competitors, customers, partners, the media, and others to see. These websites often have social media bots that automatically publicize new posts, so there is little chance of keeping an attack secret. Sometimes, the attackers put the data up for auction on the dark web or among cybercriminal networks.
However, the biggest worry for victims could be the type of data that attackers steal. While this may include product blueprints or secret sauce recipes, attackers generally dig out corporate and personal bank details, invoices, payroll information, disciplinary cases, passports, drivers’ licenses, social security numbers, and more belonging to employees and customers.
This tactic involves emailing or messaging people or organizations whose contact details the attackers found in stolen files, and telling them to demand that the target pays the ransom in order to protect their privacy. REvil, Conti, Maze, SunCrypt, and other ransomware families have used this intimidation tactic, which can be extremely distressing for recipients.
Conti and RagnarLocker have recently started threatening victims with messages saying the victim should not contact law enforcement or share details of ransom negotiations. This could be to prevent victims from getting third-party support that might help them to avoid paying the ransom. It also suggests that ransomware brands are becoming more concerned about drawing attention to their activities, particularly from law enforcement.
Another recent and unusual tactic ransomware operators are using is trying to recruit insiders to enable a ransomware attack in return for a share of the takings. In one widely reported example, the operators behind LockBit 2.0 included a recruitment ad for insiders to help them breach and encrypt the network of “any company” in return for a substantial payout.
After breaching the network, many ransomware attackers create a new domain admin account and then reset the passwords for the other admin accounts. This means that the IT administrators can’t log in to the network to fix the system. Instead, they must set up a new domain before they can even begin trying to restore from backups.
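The pattern above (a brand-new account promoted to Domain Admins that immediately resets the other admins’ passwords) is detectable from standard Windows Security events. The following is an added example, not Sophos code; it correlates constructed sample events using the real event IDs 4720 (account created), 4728 (member added to a global group) and 4724 (password reset of another account). The account names, timestamps and one-hour window are assumptions.

```python
"""Flag a newly created account that is added to Domain Admins and then
resets several other accounts' passwords within a short window.
Event IDs: 4720 = account created, 4728 = added to global group,
4724 = password reset attempted on another account."""
from datetime import datetime, timedelta

# Constructed sample events (not real logs):
# (timestamp, event_id, subject_account, target_account, group_or_None)
SAMPLE_EVENTS = [
    ("2021-06-01T02:10:05", 4720, "svc-backup", "helpdesk2", None),
    ("2021-06-01T02:10:40", 4728, "svc-backup", "helpdesk2", "Domain Admins"),
    ("2021-06-01T02:12:01", 4724, "helpdesk2", "admin.alice", None),
    ("2021-06-01T02:12:09", 4724, "helpdesk2", "admin.bob", None),
    ("2021-06-01T02:12:15", 4724, "helpdesk2", "admin.carol", None),
    ("2021-06-01T09:30:00", 4724, "admin.alice", "jsmith", None),  # benign
]


def find_admin_takeover(events, window=timedelta(hours=1), min_resets=2):
    """Return alerts as (new_admin, creator, sorted reset targets)."""
    created = {}   # account -> (creation time, creator)
    promoted = {}  # account -> time added to Domain Admins
    resets = {}    # subject -> list of (time, target account)
    for ts, eid, subject, target, group in sorted(events, key=lambda e: e[0]):
        t = datetime.fromisoformat(ts)
        if eid == 4720:
            created[target] = (t, subject)
        elif eid == 4728 and group == "Domain Admins":
            promoted[target] = t
        elif eid == 4724:
            resets.setdefault(subject, []).append((t, target))

    alerts = []
    for acct, t_promoted in promoted.items():
        if acct not in created:
            continue  # promotion of a pre-existing account: separate rule
        t_created, creator = created[acct]
        if t_promoted - t_created > window:
            continue
        targets = sorted(tgt for t, tgt in resets.get(acct, [])
                         if t_created <= t <= t_created + window)
        if len(targets) >= min_resets:
            alerts.append((acct, creator, targets))
    return alerts


if __name__ == "__main__":
    for new_admin, creator, targets in find_admin_takeover(SAMPLE_EVENTS):
        print(f"ALERT: {creator} created {new_admin}, promoted it to Domain "
              f"Admins, then it reset {len(targets)} accounts: {targets}")
```

In production the same logic runs over events pulled from the domain controllers’ Security logs; the benign helpdesk reset at 09:30 is not flagged because admin.alice was not a newly created account.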
In one incident investigated by Sophos Rapid Response and involving Lorenz ransomware, the attackers targeted employees with phishing emails to trick them into installing an application that provided the attackers with full access to the employees’ email, even after they reset their passwords. The attackers then used the compromised email accounts to email the IT, legal, and cyber insurance teams working with the targeted organization to threaten further attacks if they didn’t pay.
During their reconnaissance of a victim’s network, most ransomware operators will look for any backups connected to the network or the internet and delete them so that the victim cannot rely on them to restore encrypted files. This can include uninstalling backup software and resetting virtual snapshots. In one example seen by Sophos Rapid Response, involving DarkSide ransomware, the attackers deleted the victim’s local backups and then used a compromised admin account to contact the vendor hosting the victim’s off-site cloud backups, asking them to delete the off-site backups. The vendor complied because the request came from an authorized account. Luckily, the vendor was able to restore the backups once they had been informed of the breach.
Some attackers also print their ransom notes on every printer they can reach in the victim’s network. A flood of printed threats is not just a nuisance in terms of paper supply, but unsettling for people in the office. Ransomware operators including Egregor and LockBit have applied this tactic.
Avaddon, DarkSide, RagnarLocker, and SunCrypt have used distributed denial of service (DDoS) attacks when ransom negotiations have stalled, to force targets back to the table. Adversaries also use DDoS attacks as distractions to tie up IT security resources while the main ransomware attack activity is taking place elsewhere on the network, or as standalone extortion attacks.
The fact that ransomware operators no longer confine their attacks to encrypting files, which targets can often restore from backups, shows how important it is for defenders to take a defense-in-depth approach to security. This approach should combine advanced security controls with employee education and awareness.
The following steps may help organizations deal with threatening attacker behaviors: