Recent ransomware attacks signal a new age of extortion

Extortion is no longer a predictable affair: it’s become a strategic chain of demands, with a rise of double extortion, triple extortion, even quadruple extortion forecasting a new, darker era of ransomware attacks.

We sat down with Perry Tsao, VP of Cyber Claims at Elpha Secure, to get his take on how the ransomware examples we’re seeing today point to what may be coming for businesses tomorrow. From the latest ransomware attack methods to the impact of ransomware insurance and incident response, Perry shares some hard facts and keen predictions for cyber extortion in 2022 and beyond to help business owners and insurance brokers prepare.  

Q: Why is ransomware the big talking point in cyber right now?

A: Ransomware news makes headlines every day, so it’s difficult to ignore the risk. And it’s not just industry giants with a bullseye on their brand — smaller businesses are discovering they appeal to cyber criminals, too. The threat seems to be spreading in all directions.

What attackers need to do is compel their victims to cooperate, and that’s relatively easy to do. It comes down to the “FUD” principle – fear, uncertainty, and doubt, which are the fundamental emotions that drive a user to bow to a hacker’s demands. This very human element is what makes ransomware so profitable, and it helps explain why ransomware risk is so robust and widespread. In fact, ransomware attacks have been increasing in frequency and severity, and victims are facing tough choices.

As ransomware escalates, we’re seeing attacks lead to full-scale cybersecurity incident response, which can be stressful, complex, and expensive.

Q: Have criminals changed their tactics to gain more from their attacks?

A: Yes, we’re seeing new types of ransomware and a twist in strategy when it comes to cyber extortion. In the early days, the target was compromised, the data encrypted, and a ransom payment was demanded to restore access to the files.

Then in 2017, groups of threat actors began “big game hunting”, where they’d select and study specific targets based on certain criteria. They would then use more and more sophisticated methods to install ransomware on the victim’s systems. Most big game hunters stake out an IT system for months before installing the malware — it’s a long game that rests on research and patience.

Today, ransomware has evolved into a layered attack, where the criminals carefully plot several moves ahead to corner their victim. It seems the advantage has shifted to the offender, and it’s leading to major privacy concerns and third-party litigation.

Q: Right, that leads to the concept of "double extortion" — what’s this all about?

A: Double extortion was born out of big game hunting in 2019, and it’s par for the course these days. This tactic involves both encrypting and exfiltrating the data, then threatening to release it unless additional payment is made. In this case, a data backup won’t necessarily save you from paying the ransom — in fact, that backup could do very little for you if the data that was stolen could mortally damage your business once released to the public.

But it doesn’t stop there. Triple extortion occurs when the data is encrypted, stolen, and a Denial-of-Service (DoS) attack is launched to disrupt your business and get you to the negotiating table. Or in some cases, the attacker can threaten customers and use other key stakeholders as leverage to force a ransom payment.

Here’s another tier: even after you pay the ransom, a different group of cybercriminals could contact you claiming that they obtained the data from the original thieves, and then threaten to release it unless you pay them a ransom.

More often than not, cyber attacks are indiscriminate, and ransomware can follow the path of least resistance. So you’re not safe just because you’re small.

Q: How are these layers of extortion changing the game for business owners and their clients?

A: For one, more people are more vulnerable to exploitation than before. Consider this: a university is attacked and their data is encrypted. The institution isn’t willing to pay the ransom, so the attacker contacts students directly and threatens to release their personal information. The students are not in any position to deny or agree to the terms that were directed at the institution, yet they could suffer the fallout (and then the university would be facing some major damage control).

As ransomware escalates, we’re seeing attacks lead to full-scale cybersecurity incident response, which can be stressful, complex, and expensive. That’s one major reason to take ransomware seriously, no matter what kind of business you run.

Q: So, what would you say to a business owner who thinks their company is too small or irrelevant to be a target?

A: More often than not, cyber attacks are indiscriminate, and ransomware can follow the path of least resistance. So you’re not safe just because you’re small. And if you’re unlucky enough to be hit with ransomware, you might be surprised at how quickly things unravel.

When small business owners think of themselves as small fish, it doesn’t do them much good. In fact, the threat actors rely on this mentality — that’s precisely what makes you an easy target.

In my experience, once an insured client gets a few steps into the post-incident investigation, they often realize they have some crucial data after all — like customer information that potentially leaves you with reporting obligations.

By waving off the attack as nothing serious early on, you could end up with significant reputational damage if you eventually have to backtrack on that claim. The bottom line is that you won’t know just how severe an event it is until later down the line.

Q:  Where do you think the ransomware problem is headed?

A: A wider attack surface leads to more attacks, which will overwhelm manual efforts: security teams tasked with prioritizing and managing alerts are bound to have trouble keeping up, and that will result in some false positives and missed alerts. So, automation will be key in the months and years to come.

We could also begin to see criminals use data manipulation (as opposed to data encryption and data theft) as a ransomware tactic. This is when the criminals access the system, then inform the victim that some of their data has been distorted, which means it can’t be trusted. The final step would be to demand a ransom in order to reveal what information has been manipulated.  

In terms of momentum, heightened scrutiny may not reduce the frequency of attacks, and while new targets and methods will certainly begin to emerge, the evolution of ransomware will likely depend on the ebb and flow of international politics. The latest ransomware attack out of Belarus featuring a hacktivist assault on the Belarusian railway system is a prime example of this political development.

It’s crucial to plan for the worst case scenario. If your business was attacked with ransomware, would you know how to respond in order to limit or avoid damage?

Ransomware is not going to go away; as long as the “dark” economy is thriving, people are making a good living off cybercrime, and that will inevitably feed the machine. The fact is, cryptocurrency has changed the game, because while it brings certain benefits and opportunities, there’s a strong correlation between crypto and ransomware.

Q: Will businesses be able to overcome this growing threat?

A: It may be a frightening landscape, but that doesn’t mean we can’t manage the risk. We need to continue to make it less valuable for criminals to forge an attack. You can think about it like dealing with a schoolyard bully: if you appear to be strong and difficult to push around, it’s probably not worth picking a fight, so there’s less chance the bully will target you.

When small business owners think of themselves as small fish, it doesn’t do them much good. In fact, the threat actors rely on this mentality — that’s precisely what makes you an easy target. And if you haven’t put any cybersecurity measures in place, a ransomware attack can be an existential threat to your business. So, auditing your systems, addressing clear vulnerabilities, and adding cyber protection (think data backups and multi-factor authentication) is a good place to begin.  

Q: But is device protection enough to ward off a ransomware attack?  

A: Well, it would be foolish to assume so, just based on the prevalence of ransomware and the bad actors that make this their livelihood. It’s crucial to plan for the worst case scenario. If your business was attacked with ransomware, would you know how to respond in order to limit or avoid damage?

A cyber incident response plan is what you need, but it must be tested to be reliable. Run through it (over and over) with your team to make sure it works in the heat of the moment. A tabletop exercise is a good way to test how key stakeholders perform under pressure. While you’re at it, verify the viability of your data backups and practice the backup restoration process to ensure your operation would be able to continue after an attack.

In the end, these practice runs have a huge influence on how quickly and smoothly you can overcome a cyber incident – and whether or not you’ll be forced to pay up. They’re also important elements to activate various ransomware coverages under your cyber insurance policy and, if you did opt to pay the ransom, protect your business from potential government retribution under the recent OFAC guidelines.

Keep up with cyber trends  

Looking for more insights on cyber insurance, cyber risk, and cybersecurity technology? You'll want to follow the Elpha Secure blog for fresh perspectives and detailed content created with help from our very own industry experts.