Threat actors have escalated the single extortion ransomware attack model to double and even triple extortion.
With the commodification of cybercrime, adversaries have significantly increased the sophistication levels of their operations, and therefore also the potential devastating impacts of a ransomware attack.
Flare Director of Marketing Eric Clay and CTO & Co-Founder Mathieu Lavoie discussed the latest trends in ransomware attacks including: double/triple extortion, different types of ransomware, methods for stealing sensitive data, and more.
Check out our full webinar recording, Triple Extortion Ransomware & Dark Web File Dumps, and/or keep reading for the highlights.
Commodification of Ransomware Groups
Ransomware groups are becoming more like companies, such as with:
- mission-oriented approaches
- recruitment practices to seek new hires
The Karakurt group, after operating privately for a year, has recently published a recruitment post to attract new members. They pride themselves on their mission to hold companies accountable for existing vulnerabilities in their cybersecurity and for the negligence of their IT staff. These groups can be driven by both financial and political motives, often influenced by the shifting landscape of geopolitics.
In general, there are two distinct types of specialization within such groups. Similar to a company with various departments, a group can have internal specialization. For instance, within a ransomware group, some members might excel in negotiating the ransom, while others primarily focus on developing malware. Another form of specialization involves individual groups having their own areas of expertise, akin to specialized agencies within a larger company. One group might concentrate on distributing ransomware, collaborating with another group that specializes in extortion.
This organized and specialized collaboration among groups can lead to more intricate and scalable operations compared to individual threat actors.
Changes in Ransomware Groups
Ransomware groups are constantly changing their tactics, techniques, and procedures (TTPs) to optimize their strategy. One alarming trend that we’ve seen recently is ransomware groups resorting to double and triple extortion tactics. In addition (or sometimes in lieu of) encrypting files, many groups now threaten to disclose sensitive files on the dark web, threaten to expose individual employee information, or use DDoS attacks as another incentive to pay.
Recently we have seen some more sophisticated groups move away from encryption and towards simple data exfiltration and ransom. This creates an additional opportunity for threat actors to monetize ransomware since, even if the ransom isn’t paid, actors are able to sell access to the data.
Encryption still creates chaos and loss for companies. It is an effective method of creating pressure and causing operational impact that can lead to financial loss. Therefore, encryption is likely here to stay for many groups, and we will likely continue to see groups finding additional ways to gain leverage and force companies to pay.
Concrete Recommendations to Protect Against Ransomware
There can be context-specific recommendations, but the following are general guidelines that all organizations can follow to protect themselves against ransomware:
- Detection: Ensure that users have MFA, and utilize endpoint detection & response (EDR) to detect any type of attack internally and externally.
- Third party monitoring: Conduct an assessment before beginning a new relationship with a business, and also continuously monitor the third party’s security posturing.
- Ransomware group monitoring: Keeping an eye on ransomware groups and any file listings that seem relevant can be useful to find out earlier about any risks instead of waiting to be notified by the third party. For example, we’ve seen a success story of a company that had been monitoring ransomware groups and knew three weeks in advance that one of their third party partners had been compromised by ransomware before they received a legal disclosure notice from said partner. This can provide more time for affected organizations to review the data they were sending to the breached third party and start addressing the data leak.
- Monitor the dark web: Ensure that you monitor dark web markets and forums for stolen credentials and other relevant threats that could lead to a breach.
How Flare Can Help
Flare monitors the clear & dark web and illicit Telegram channels for high-risk external threats.
Flare can detect any suspicious mentions about organizations to give as much time as possible to prepare for data breaches.
Curious about how Flare can help your organization stay ahead of ransomware attacks? Request a demo to learn more.