Extortion Tactics: When Ransomware Gangs Get Personal
Ransomware gangs have escalated their extortion tactics, targeting not only businesses but also their clients and partners, leading to devastating financial, reputational, and operational harm.
This year, ransomware attacks have evolved significantly, showcasing some of the most advanced and aggressive extortion tactics ever seen. These tactics go beyond the traditional approach of data encryption. Ransomware gangs are now employing intricate, multi-layered strategies to maximize their profits, underscoring the growing complexity of these threats.
Ransomware continues to be a dominant cybersecurity threat in 2024, impacting organizations of all sizes and sectors, both public and private, across the globe. The frequency of these incidents increased dramatically in 2023, nearly doubling compared to 2022.
This surge led to unprecedented costs of $1.1 billion, crossing the $1 billion threshold for the first time. Moreover, the average ransom payment rose substantially in 2023, to over $1.5 million from nearly $800,000 in 2022. This underscores the soaring financial impact of these cyber threats.
Ransomware gangs have been intensifying their tactics to exert maximum leverage over their victims. A prime example is the Clop ransomware group, notorious for its double extortion strategy. This strategy involves not just encrypting the victim’s data, but also exfiltrating sensitive information.
The group also demands two separate ransoms: one for the decryption key and another to prevent the public disclosure of the stolen data. This approach can pressure even organizations with robust backup systems into paying the ransom to avert potential reputational damage and regulatory fines.
Meanwhile, ransomware gangs like BlackCat and Lazarus have taken extortion to a new level by incorporating Distributed Denial-of-Service (DDoS) attacks into their methods. This triple extortion strategy involves threatening or launching DDoS attacks to disrupt the victim’s operations, adding an extra layer of urgency to their ransom demands. Such attacks can severely impair an organization’s online presence, leading to substantial operational disruptions and financial losses.
Taking it a step further, groups like the DarkSide ransomware gang use a quadruple extortion tactic. In addition to encrypting data, exfiltrating sensitive information, threatening to release the stolen data, and launching DDoS attacks, these gangs contact the victim’s customers and stakeholders directly to further intensify the pressure.
The ALPHV ransomware gang has creatively adapted the quadruple extortion tactic by filing a complaint with the U.S. Securities and Exchange Commission (SEC), alleging that digital lending provider MeridianLink failed to disclose a data breach for which the gang claimed responsibility.
As victim organizations become less willing to pay ransoms, ransomware gangs are resorting to increasingly personal extortion tactics. A notable example is the Volcano Demon gang, a relatively new entrant in the ransomware scene. This gang is known for making direct, threatening phone calls to their victims, often from “No Caller ID” numbers. The aim is to intimidate victims into paying the ransom swiftly. This personal touch adds a layer of psychological pressure, making it harder for victims to dismiss the demands.
The Akira ransomware group, on the other hand, has been seen sending personalized emails and messages to key personnel and executives within the targeted organization. These messages typically contain details about the stolen data and threats of its release if the ransom isn’t paid. By targeting high-level executives, the gang amplifies the urgency and stakes of the ransom demand, leveraging the fear of reputational damage and regulatory repercussions.
In a further escalation of tactics, some ransomware gangs, such as those behind the REvil ransomware, contact third parties like customers, business partners, or even the media. They inform these parties about the breach and the potential release of sensitive data, urging them to pressure the victim organization into paying the ransom. This approach not only intensifies the pressure on the victim but also sows fear and uncertainty among its stakeholders, potentially leading to further reputational damage.
Lastly, certain ransomware groups have started to recruit disgruntled employees or insiders to aid their attacks. These insiders can provide access to critical systems or sensitive information, making the attacks more effective. Insider threats can bypass many traditional security measures, thereby making it easier for ransomware gangs to infiltrate and compromise an organization’s network.
As the threat of ransomware continues to escalate, it’s crucial to implement robust protective measures to safeguard against becoming a victim. Essential controls include the use of Multi-Factor Authentication (MFA) for all user accounts, particularly those with administrative privileges. Regular system updates and patches, along with the adoption of a Zero Trust model, are also key to minimizing the risk of unauthorized access and lateral movement within the network.
In addition to these preventive measures, it’s vital to regularly back up critical data and store these backups in isolated environments. Regular training sessions can educate employees about phishing attacks and social engineering tactics, reinforcing the importance of good cybersecurity hygiene and reducing the likelihood of falling prey to initial access tactics. Deploying advanced threat detection tools that leverage machine learning and behavioral analysis can identify and respond to suspicious activities in real-time, potentially preventing an attack from fully executing.
Lastly, having a well-defined and regularly updated incident response plan is crucial. This plan should outline roles, communication strategies, and recovery procedures to ensure a swift and coordinated response in the event of an attack. These comprehensive measures are integral to maintaining robust cybersecurity and protecting against the ever-evolving threat of ransomware.
Ransomware gangs are persistently honing their tactics to increase pressure on victims and enhance their profitability. Organizations can significantly mitigate the risk of falling prey to ransomware extortion by keeping abreast of these evolving strategies and enforcing stringent cybersecurity measures.