Most Ransom Groups Now Using Extortion, Delinea Survey Finds – Source: securityboulevard.com

The ransomware landscape continues to evolve, with attackers now more likely to exfiltrate data and threaten victims with selling or leaking the sensitive information on the dark web rather than encrypting the data in the target’s system.

The shift, which has been underway for a few years, allows threat groups to evade detection for a longer periods of time – unlike data encryption, exfiltration and extortion don’t shut down a target’s operations and trigger an immediate response – and gives them multiple ways to collect money, either via the victim paying the ransom or other cybercriminals buying the data.

It also allows hackers to put more pressure on victims by threatening to publicly release sensitive data on their data leak sites.

In this year’s annual State of Ransomware study released today, privileged access management (PAM) vendor Delinea found that 64% of the U.S.-based IT and security decision-makers surveyed said the motivation behind ransomware attacks has shifted from the straight money grab that comes with typical data encryption to data extortion. That is up from 46% of respondents in last year’s survey.

Conversely, 34% said ransomware was still about getting as much money as quickly as possible, while 69% had the same view last year.

A More Stealthy Strategy

“In the past year, ransomware adopted a more insidious approach, with greater emphasis on data exfiltration and increased stealth,” the report’s authors wrote. “Cybercriminals are strategically extracting sensitive data without necessarily delivering the destructive encryption payloads that we have seen in the past. This stealth enhances attackers’ ability to operate without raising alarms and without disrupting the victim’s business operations. Ransomware victims must pay to prevent the exposure of confidential information.”

Delinea President Rick Hanson in a statement called the shift in tactics a “critical sea change,” adding that “even as organizations are investing more in safety nets like cyber insurance which often have ransomware payouts included in coverage policies, cybercriminals are finding that using stealth tactics to stay under the radar and access sensitive, valuable information to sell is the better investment of their effort.”

Ransomware groups for the past several years have been using extortion, at times in concert with decrypting a victim’s data in double-extortion schemes.

The authors wrote in the report about several ransomware attacks involving data exfiltration by such variants as Maze and DopplePaymer, and noted the expansive attacks by the Cl0p group, which exploited a vulnerability in Progress Software’s MOVEit file transfer software to target – by the latest estimates – 2,741 organizations and affecting more than 94.2 million people, according to cybersecurity firm Emsisoft.

“Looking ahead to 2024 and beyond, we’ll be keeping an eye on AI-enabled data exfiltration strategies that help ransomware gangs operate in real time and at scale,” they wrote.

Vector Shifts from Email to Cloud, Apps

Ransomware groups also are modifying their tactics, more heavily targeting cloud environments and compromised applications as preferred attack vectors, surpassing email. About 44% of survey respondents said they were more worried about the cloud and 39% pointed to applications, both increases over last year.

Meanwhile, email dropped from 52% last year to 37% this year, illustrating the “multi-faceted nature of the ransomware threat,” the report said.

“As organizations become more reliant on the cloud for everything from software development to delivery of core services, it’s no surprise that they are more concerned with cloud security,” the authors wrote. “Exponential growth in applications for every business function, plus the reliance on APIs to pull those applications together, underscores the need for organizations to scrutinize and fortify their software ecosystems.”

Overall, 53% of those surveyed said their companies had been targeted by ransomware in 2023, more than twice the 25% who said the same in 2022, a return to the year-over-year increases that were seen before 2022 that has been echoed by other studies, they wrote.

Midsize companies were particularly vulnerable to ransomware attacks, with 65% being hit, compared with small businesses with fewer employees (10%) and enterprises of more than 500 (22%).

Victims are Paying the Ransom

At the same time, more victims – 76% – were willing to pay ransoms, compared with 68% in 2022. One reason for the jump may be the rising in cyber insurance, which offers coverage for ransom payments and related costs, according to Delinea.

The United States and other countries for years have talked about banning ransomware victims from paying ransoms in hopes of starving the financially driven threat groups, but it’s been a tricky proposition. In a blog post last month for the nonprofit Center for Cybersecurity Policy and Law, Ari Schwartz, managing director of cybersecurity services for the Venable law firm, noted that the average ransom payment in 2023 reached $1.5 million, up from $812,00 the year before.

At the same, Schwartz noted that ransom payments are down to almost 40%, a different scenario than Delinea found. He said that it’s unlikely for that number to drop until the government begins banning payments and outlined ways of getting there, from forcing companies to report payments to fining them or criminally charging them.

“Organizations attacked by a ransomware gang face a stark choice of whether to pay or not,” he wrote. “For years there have been discussions on how to stop the payments, but these have been too extreme.”

On a positive note, 91% of respondents in Delinea’s survey said their companies are allocating money in the budget to protect against ransomware, up from 68% in 2022, while 76% said their leaders and board members were concerned or very concerned about the threat.