Ransomware

Who needs ransomware, when simple data extortion pays

Ransomware is down, perhaps because there’s an easier tactic: plain ol’ data extortion.

Francis Scialabba


Ransomware incidents appear to be down, but don’t start singing “We are the champions” quite yet. Cybercriminals just might be switching to a tactic that’s a bit easier and doesn’t involve all that complicated encrypting, decrypting, and negotiating.

Attackers are seemingly moving to abandon ransomware altogether, according to a new report from the cybersecurity software company CrowdStrike. In 2022, CrowdStrike Intelligence observed a 20% increase in data theft and extortion campaigns that didn’t involve the multi-step encryption attack.

“Ransomware is complex. You have to manage cryptography, and file unlockers, and lockers, and negotiations. If you just steal the data and threaten to dispose of it, it’s a lot less work,” said Adam Meyers, senior VP of intelligence at the cybersecurity software company CrowdStrike.

Not itsy, nor bitsy. In February, cybersecurity services firm Mandiant reported a 15% reduction in ransomware-intrusion responses from 2021 to 2022. IT services firm AAG noted that ransomware attacks dropped 23% in 2022 compared to the previous year.

CrowdStrike saw a decline as well, citing a dip in cryptocurrency values and a breakup of major ransomware gangs, like the FBI’s halting of the Hive.

Plenty of 2022 attacks, however, involved data demands, with no ransomware in sight.

In early 2022, a group known as SLIPPY SPIDER targeted tech companies, including Microsoft, Nvidia, and Samsung, in a data-theft and extortion spree. The adversaries used their public Telegram channels to leak data like victim source code, employee credentials, and personally identifiable data.

In a data-extortion (and ransomware-less) attack, the stakes effectively shift from system downtime to the regulatory impact of sensitive-data loss, said Meyers. Exposed hospital data potentially could violate HIPAA requirements. Compromised customer data could lead to a class-action lawsuit.


And with no ransomware, negotiations can move quickly.

“With a data-extortion, when they steal your sensitive data, and you say, ‘Well, I’m not authorized,’ or, ‘I don't know what Bitcoin is,’ they say, ‘Okay, well, we’re gonna release 10 gigs of your customer data or your most sensitive files to the internet. Let’s see if you figure it out,’” Meyers told IT Brew.

In March 2022, the Lapsus$ gang released 37GB of what it claimed was source code stolen from Microsoft's Azure DevOps server.

PAM! Meyers explained that companies may want to enforce principles of least privilege and get a better understanding of who is authenticating and how.

In addition to data-protection practices like encryption and network segmentation, tools like privileged access management (PAM) monitor the avenues of data traversal and help to protect against extortion–what IBM noted in its new threat report as the “most common attack impact on organization.”

In its 2023 threat-intelligence index, IBM noted that ransomware’s share of incidents declined from 21% in 2021 to 17% in 2022.

“Water is always going to find the lowest point in the floor. Attackers are always going to find the easiest path to a payment, and they will adapt to the environment or to recognize which elements of pressure result in the more likelihood to pay,” said John Dwyer, head of research at IBM Security’s X-Force.—BH
