New Levels, New Devils: The Multifaceted Extortion Tactics Keeping Ransomware Alive

Having evolved from a basic premise of locking down a victim’s data with encryption, then demanding a ransom for its release, research now suggests that ransomware will cost around $265 billion (USD) annually by 2031, with a new attack (on a consumer or business) every two seconds.

Against such a pervasive threat, businesses have sought to better prepare themselves against attacks. They have developed an array of tools: better backup management, incident recovery procedures, business continuity and recovery plans have all made the encryption of victims’ data less profitable.

In addition, security researchers together with national bodies such as the Cybersecurity and Infrastructure Security Agency (CISA) have made substantial progress in identifying the weaknesses in the methods used by attackers, in order to develop decryption solutions. No More Ransomware, promoted by Europol, the Dutch police, and other stakeholders lists approximately one hundred such tools.

In response to these developments, attacker groups are reconsidering their strategy. Rather than risk detection by encrypting as much data as possible, they now prefer to quickly extract as much information as possible and then threaten to divulge it. Ransomware has become extortion.

Re-energising the threat of publication

The potential public disclosure of sensitive information is the core of leveraging fear to pressure victims into paying a ransom. The reputational damage and financial repercussions of a data breach can be devastating.

Ransomware gangs have recognised the potential for damage to a brand or group’s reputation simply by being mentioned on the ransomware operators’ sites. A study found that the stock market value of the companies named in a data leak falls by an average of 3.5% within the first 100 days following the incident and struggles to recover thereafter. On average, the companies surveyed can lose 8.6% over one year.

This threat of loss based on association, now quantified and in the hands of cybercriminals has become an effective tool.

Operational disruption and revenue loss

Modern businesses rely heavily on digital systems for daily operations. A ransomware attack can grind operations to a halt, disrupting critical functions like sales, customer service, and production.

This disruption translates to lost revenue, employee downtime, and potential customer dissatisfaction. The longer the disruption lasts, the greater the financial impact becomes. Attackers exploit this vulnerability, pressuring victims to pay the ransom quickly to minimize their losses. And they do this most effectively by recognising key operational data.

This then evolves as a ransomware attack on one company can ripple through its entire supply chain. Suppliers and distributors may be unable to access essential data or fulfil orders, leading to delays and disruptions across the chain.

Knowledgeable attackers now target a single company as a gateway to extort multiple entities within the supply chain, maximizing their leverage and potential payout.

Brand damage at the regulatory level

Brazen ransomware groups have already realised the value in making direct contact with

end-users or companies that are the customers of their targets as it enables the operators to increase pressure.

However, one new avenue of this direct attack on brand reputation is for the gangs to connect with the authorities. In November 2023, the ALPHV/BlackCat ransomware gang filed a complaint with the United States Securities and Exchange Commission (SEC) regarding their victim, MeridianLink.

In mid-2023, the SEC adopted new requirements for notifying data leaks effective from September 2023. One of these rules requires notification within four business days of any data leak from the moment it is confirmed. Not only did ALPHV/BlackCat take control of the trajectory of the extortion, but they also even circulated the complaint form among specialist forums as part of a promotional campaign.

Targeting the most vulnerable

Ransomware gangs are not above using sophisticated, customized extortion strategies on the most vulnerable sectors. Healthcare has long been a key target – there is a step change in urgency when critical medical procedures may be delayed if ransom is not paid.

Just a few months after the international Cronos Operation, the Lockbit group claimed a new victim in the healthcare sector. The Simone-Veil hospital in Cannes suffered a data compromise, adding to the extensive list of attacks conducted in recent months by other ransomware players against the university hospitals of Rennes, Brest and Lille.

Once the data had been extracted from the hospital on April 17, 2024, an announcement concerning their compromise was made on Lockbit’s showcase site on April 29, 2024. According to the cybercriminals’ terms, the hospital had until midnight on May 1, 2024, to pay the ransom.

The lesson here is that attackers exploit the vulnerabilities and pain points specific to each industry, making their extortion tactics more potent. And they do so with no consideration for the victims.

Ransomware attacks are now more than just data encryption schemes. They are sophisticated operations that exploit a range of vulnerabilities to extract maximum leverage from victims. By understanding the multifaceted nature of ransomware extortion, businesses and individuals can develop a more robust defence against this growing threat.

About the Author

Jacques de la Riviere is the Founder and CEO of Gatewatcher, a cybersecurity provider based in France. Jacques has held positions throughout OpenCyber, Adneom and BK Consulting. He is also currently vice-president of Hexatrust – a cluster of 100 European software cybersecurity leaders and cloud providers.