Within just a few years, the threat of ransomware has risen to the top of board risk agendas, with the financial, as well as reputational, fallout of ransomware attacks being published across media outlets for the world to see. The growth of ransomware as a cybercriminal tactic was symptomatic of the professionalisation of the cybercrime ecosystem, with specialist actors and markets springing up to cater to every stage of the attack chain.
This includes some key evolutionary steps in ransomware activity such as Ransomware-as-a-Service, which broadened the threat of ransomware from ‘specialist actors’’ to any entity with money and motivation to pay for a ransomware kit from established eCrime groups.
As cybercrime has evolved, it was inevitable that adversaries would professionalise further, finding new and more efficient ways to extort victims. The shift to data extortion/weaponisation showed that cybercriminals are moving beyond ransomware.
Traditionally, ransomware attacks have relied on encrypting data and demanding payment for decryption. Now, adversaries are finding data extortion more lucrative, because it no longer requires complex encryption techniques. Instead, they threaten to publicly disclose the information, playing on companies’ fears of reputational damage to demand payment.
Threat actors understand that the potential reputational, legal and regulatory consequences of data breaches can be far more costly for victims than the ransom itself. So much so that CrowdStrike Counter Adversary Operations observed a 20% increase in the number of adversaries conducting data theft and extortion campaigns without deploying ransomware.
At the same time, threat actors are getting better at gaining access to company data by posing as legitimate users via credential theft. The ‘CrowdStrike 2023 Threat Hunting Report’ found that 62% of interactive intrusions in 2022 involved the abuse of valid accounts, with a significant 160% increase in attempts to gather secret keys and other credentials via cloud instance metadata APIs.
By making it easier to gain access to victims’ data, while making it simpler to make a profit, the barriers to entry for cybercriminal activity will be lowered. This is particularly concerning in an era where the consequence of a data breach has reached an all-time high for companies. No wonder then that cybercriminal activity continues to grow globally.
Adversaries exploit Western data laws to turn up heat on companies
This weaponisation of data is further complicated by stricter cybersecurity requirements imposed by Western governments. In response to escalating cyberthreats, companies are now facing more substantial fines, potential compensation liabilities and mandatory reporting of data breaches.
Cybercriminals have cunningly capitalised on this situation, leveraging privacy policies like the General Data Protection Regulation (GDPR) or local privacy laws as a basis for their extortion demands. By citing the legal and compliance impact of data breaches, adversaries create a complex and daunting situation for companies, wedging them between a rock and their respective government — while demanding businesses quietly pay up to make the threat go away.
Conventionally, the calculus of ransomware was predicated on how much downtime an adversary can inflict on a victim — the rationale being that it was cheaper for the victim to pay out than pay to rebuild systems impacted by the attack. This new wave of data extortion flips that paradigm to be more about risk exposure. For example, if an adversary were to steal thousands of personally identifiable customer records from a company, that company would face a storm of litigation as well as a customer backlash — and adversaries are acutely aware of this.
As data extortion tactics evolve, companies find themselves grappling with moral, ethical and financial dilemmas. Government advice not to pay ransoms clashes with mandatory data breach reporting requirements, leaving organisations torn between safeguarding their data and complying with the law. Regardless of their decision, the fallout from a data breach is often inevitable, causing immense damage to a company’s reputation and leading to significant financial losses.
Focus on collaboration and driving up costs for the adversary
It’s difficult for companies to take control of a data extortion situation when they are having to balance the competing needs of shareholders, customers, employees and regulators. If a business doesn’t pay, adversaries will release data—and if they do pay, they’ll still need to disclose the breach. Instead, businesses should focus their efforts on proactive cybersecurity to reduce the likelihood they’ll be in that situation. This requires layers of security and open collaboration.
The aim of a layered approach should be to raise the cost to the adversary by making them work harder, to the point your business is no longer a profitable target due to the amount of hoops they need to jump through. And while the threat of data extortion will never go away, businesses can proactively work to reduce the size of the target on their back; therefore, minimising the risk of data extortion.
In parallel, a collaborative effort between governments, cybersecurity firms and private organisations is vital to create a unified front against cybercrime. Encouraging information sharing and cooperation will enhance the collective ability to detect and respond to emerging threats effectively.
The joint Five Eyes takedown and disclosure of the famed Russian Snake malware is a standing example of when collaboration and information sharing can work to protect businesses. The disclosure of the Russian FSB’s tradecraft is the type of intelligence businesses need to be across so that they can identify patterns quickly to counteract data exfiltration operations.
Ensuring your business is operationalising this threat intelligence, while simultaneously making it costlier for cybercriminals to breach your network, is key to staying ahead of data extortion attempts.