The tactics and techniques used by ransomware gangs to pressure their victims into paying a ransom are moving beyond simply threatening to publish data online or sell it to others, new insight from Sophos’s Rapid Response team has revealed.
Sophos’s researchers want to highlight the shift in ransomware pressure techniques from solely encrypting data to other pain points. Peter Mackenzie, director of incident response at Sophos, said it was becoming more common for ransomware gangs to supplement their demands with additional extortion measures because many organisations have got much better at backing up and protecting their data.
“The Sophos Rapid Response team has seen cases where attackers email or phone a victim’s employees, calling them by their name and sharing personal details they’ve stolen – such as any disciplinary actions or passport information – with the aim of scaring them into demanding their employer pays the ransom,” said Mackenzie.
“This kind of behaviour shows how ransomware has shifted from a purely technical attack, targeting systems and data, into one that also targets people.”
Stealing and leaking data remains the most frequent tactic by some margin – indeed, it is safest to assume that if you have suffered a ransomware attack, you are also about to suffer a major data breach. However, there are some signs that ransomware gangs are now specifically exfiltrating the data that holds the potential to do the most damage. A recent Sophos investigation into a Conti attack on a transport logistics firm found that the stolen data included details of active road traffic accident investigations, including driver names and even fatalities.
The second most common tactic currently in use is to email and call employees of the victim organisation and threaten to reveal their personal information – a technique favoured by Conti, Maze, REvil and SunCrypt.
Linked to this, the third most popular tactic involves contacting people or organisations whose details are held by the victim to frighten them into exhorting the victim to pay to protect their information – both Cl0p and REvil have taken up this approach with enthusiasm.
The fourth most common tactic observed by Sophos is to silence victims by warning them not to contact the authorities and, increasingly, the media. Mackenzie said this was likely intended to prevent victims from seeking help that might let them get round paying the ransom, but also reflected the fact that, in recent months, many gangs have become more concerned about their image.
Earlier in October, frustrated by the leak of its negotiations with victim JVCKenwood, the Conti gang said it would in future cut off negotiations with victims if screenshots of their negotiations reached the media, or researchers via the likes of VirusTotal, and would leak their data anyway.
A more recent technique that is rapidly gaining popularity is to recruit insiders at the target organisation to enable ransomware attacks on others in exchange for a cut of the profits. In one case examined by Sophos, the LockBit 2.0 crew actually posted an advertisement along with their ransom demand, seeking people to help them breach the victim’s third-party suppliers and partners.
Some of the other common pressure tactics now employed could be considered punitive measures designed to increase the likelihood of ransom payouts by causing additional frustration. These include resetting domain admin passwords to stop legitimate IT staff logging in to fix the problem, deleting any connected backups they find, launching distributed denial of service (DDoS) attacks on the target’s websites, and even tying up all the office printers by continually printing copies of the ransom note.
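The punitive measures listed above each leave a footprint in Windows logs. As an added example (not Sophos’s code), the Python below flags three of them in a constructed stream of parsed event records: admin password resets (Security event 4724), shadow-copy deletion via process creation (event 4688) and a burst of ransom-note print jobs (PrintService event 307). The record field names, the group-membership enrichment on the 4724 record and the threshold are assumptions of the example.

```python
"""Added example: flag ransomware pressure tactics in parsed Windows events.
Not Sophos code; field names and enrichment are assumptions."""
from collections import Counter

# Constructed sample events standing in for parsed Security / PrintService
# log entries. Event IDs 4724, 4688 and 307 are real Windows IDs; the
# "groups" field assumes the target account has been enriched with its
# AD group membership by the log pipeline.
SAMPLE_EVENTS = [
    {"id": 4724, "subject": "svc-backup", "target": "da-admin",
     "groups": ["Domain Admins"]},
    {"id": 4724, "subject": "helpdesk1", "target": "jsmith",
     "groups": ["Domain Users"]},
    {"id": 4688, "subject": "da-admin",
     "cmd": "vssadmin.exe delete shadows /all /quiet"},
    {"id": 4688, "subject": "da-admin", "cmd": "notepad.exe RANSOM_NOTE.txt"},
] + [{"id": 307, "subject": "da-admin", "doc": "README.txt",
      "printer": f"PRN{i % 3}"} for i in range(40)]

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins"}
BACKUP_WIPE_MARKERS = ("vssadmin", "delete shadows")
PRINT_BURST_THRESHOLD = 25  # same document printed by one account


def detect_pressure_tactics(events):
    """Return a list of (tactic, detail) findings in event order,
    with print-flood findings appended after the per-event checks."""
    findings = []
    print_jobs = Counter()
    for e in events:
        if e["id"] == 4724 and PRIVILEGED_GROUPS & set(e.get("groups", [])):
            # Password reset against a privileged account: locks out IT staff
            findings.append(("admin_password_reset",
                             f"{e['subject']} reset {e['target']}"))
        elif e["id"] == 4688 and all(
                m in e.get("cmd", "").lower() for m in BACKUP_WIPE_MARKERS):
            # Shadow copies being wiped before or during encryption
            findings.append(("backup_deletion", e["cmd"]))
        elif e["id"] == 307:
            # Count identical documents per account to spot note flooding
            print_jobs[(e["subject"], e["doc"])] += 1
    for (subject, doc), n in print_jobs.items():
        if n >= PRINT_BURST_THRESHOLD:
            findings.append(("print_flood",
                             f"{subject} printed {doc} {n} times"))
    return findings


if __name__ == "__main__":
    for tactic, detail in detect_pressure_tactics(SAMPLE_EVENTS):
        print(f"{tactic}: {detail}")
```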
“The fact that ransomware operators no longer confine their attacks to encrypting files that targets can often restore from backups shows how important it is for defenders to take a defence-in-depth approach to security,” said Mackenzie. “This approach should combine advanced security with employee education and awareness.”