
The Rise of Ransomware 2.0: New Methods of Extorting Victims

September 28, 2021


Until recently, ransomware attacks followed a simple pattern: infection, encryption, ransom payment. In recent years, access to such malware has become very easy, as offering it as a service has become more common, marketed on dedicated forums on both the dark web and the wider internet. This model is called “ransomware-as-a-service,” or RaaS for short, and it has encouraged new methods of extorting victims.

Cybercriminals Shift Focus 

Since 2019, there has been an increase in the use of exfiltrated data to extort victims, and the targets have shifted from individual users to corporations with considerable revenues, thus maximizing the criminals’ profits. Four types of extortion have been identified so far:

Simple extortion. This is the classic method by which such attacks began, with the victim’s data being encrypted and criminals offering to return control in exchange for a fee (paid in cryptocurrency).

Double extortion. This is an “improved” version of the first method, the difference being that criminals threaten to publish the victim’s data in order to convince the victim to pay ransom. This method is specific to large companies, which stand to lose a lot in terms of reputation, as well as financially on the stock markets through such negative publicity.

Triple extortion. This method combines the first two and adds DDoS attacks that overload the affected network, making it impossible for the victim to carry out any operation.

Quadruple extortion. Like the previous one, this method combines the elements of the others and adds a further element of coercion: the attackers threaten to notify all of the affected company’s customers and partners of the cyberattack and to publish their data should the victim refuse to pay the ransom. This creates pressure from customers on the company’s management, which factors into the decision to pay the ransom.

An analysis of these methods reveals new trends in how ransomware is used, such as attackers focusing on victims in the private sector. Data exfiltration is much more difficult in this case, but the effort yields considerably more revenue than the ransom paid by an individual.

Ragnar Locker and Egregor are two well-known ransomware families practicing this new method of extortion. Ragnar Locker was first discovered in 2019, but it didn’t become well-known until the first half of 2020, when it was seen attacking large organizations. Its attacks are highly targeted, with each sample specifically tailored to the intended victim, and those who refuse to pay have their confidential data published in the “Wall of Shame” section of the group’s leak site.

“What we’re seeing right now is the rise of ransomware 2.0. By that I mean, attacks are becoming highly targeted and the focus isn’t just on encryption; instead, the extortion process is based around publishing confidential data online. Doing so puts not just companies’ reputations at risk, but also opens them up to lawsuits if the published data violates regulations like HIPAA or GDPR. There’s more at stake than just financial losses,” comments Dmitry Bestuzhev, head of the Latin American Global Research and Analysis Team (GReAT).

Malicious Attacks Accounted for 80% of Cyber Damage in Europe Last Year

Malicious cyber events accounted for 80% of cyber claims in Europe last year, up from 70% in 2019, according to a study published by insurance broker Marsh in collaboration with Microsoft.

Ransomware attacks accounted for 32% of damages in 2020 – twice the combined rate of incidents recorded between 2016 and 2020 (14%). Overall, cyber damage increased by 8% in 2020 across Europe.

The Changing Face of Cyber Claims 2021 report looks at cyber claims handled by Marsh in Europe from 2016 to 2020. With the increasing frequency and severity of cyber attacks, the claim rate increased from 36.6% in Q4 2020 (based on Marsh’s client base) to 39% in Q1 2021.

While the four most affected sectors—financial institutions, manufacturing, communications-media-technology, and services—remain unchanged compared to the 2019 surveys, Marsh reported that damage notifications in all four sectors increased significantly in 2020, with three sectors seeing triple-digit increases: manufacturing (104%); communications-media-technology (153%); services (200%).

According to the report, as the pandemic gripped Europe in March and April of 2020, cybercriminals monetized human anxiety to create a wave of Covid-19-themed attacks. The attacks combined targeted tactics and malicious systems with people’s need for information and curiosity.

Malicious attacks and ransomware events are becoming increasingly dangerous and destructive as cybercriminals exploit organizations’ poor defenses and human weaknesses. It is not a question of “if” an organization will be affected by a cyber incident; it is only a question of “when” it will happen.