Top 10 Ways Ransomware Operators Ramp Up the Pressure to Pay
Ransomware operators don't just target systems and data, they target people in their ever-increasing efforts to get the victim to pay, says Peter Mackenzie, Manager of Sophos’ Rapid Response team.
Ransomware has been around for decades and continues to thrive, largely because ransomware operators are quick to evolve and adapt as the cybersecurity landscape advances.
For instance, as organisations have become better at backing up their data and being able to restore encrypted files from backups, attackers have begun to supplement their approach of demanding a ransom in return for decryption keys, with additional extortion measures designed to ramp up the pressure to pay.
Some of the tactics attackers use to coerce victims into paying are ruthless and could potentially be more damaging to an organisation than a period of downtime. Attackers deliberately try to undermine their target’s relationships, trust and reputation. Sometimes the approach they take is very public; at other times it’s more direct and personal.
To help organisations improve their ransomware defenses, Sophos Rapid Response has compiled the top 10 pressure tactics that adversaries used in 2021:
- Stealing data and threatening to publish or auction it online
The list of ransomware groups that now use, have, or host a public “leak” website for exfiltrated data is long. The approach is now so common that any victims of a sophisticated intrusion need to assume that an attack with ransomware means they’ve also experienced a data breach.
Attackers are publishing stolen data on leak sites for competitors, customers, partners, the media, and others to see. These websites often have social media bots that automatically publicize new posts, so there is little chance of keeping an attack secret. Sometimes, the attackers put the data up for auction on the dark web or among cybercriminal networks.
However, the biggest worry for victims could be the type of data that attackers steal. While this may include product blueprints or secret sauce recipes, attackers generally dig out information such as corporate and personal bank details, invoices, payroll information, details of disciplinary cases, passports, drivers’ licenses, social security numbers, and more, belonging to employees and customers.
- Emailing and calling employees, including senior executives, threatening to reveal their personal information
REvil, Conti, Maze, SunCrypt, and other ransomware families have used this intimidation tactic, which can be extremely distressing for recipients.
- Notifying or threatening to notify business partners, customers, the media, and more of the data breach
This tactic involves emailing or messaging people or organisations whose contact details the attackers found in stolen files and telling them to demand that their target pays the ransom to protect their privacy.
- Silencing victims
Conti and RagnarLocker have recently started threatening victims with messages saying the victim should not contact law enforcement or share details of ransom negotiations. This could be to prevent victims from getting third-party support that might help them to avoid paying the ransom. It also suggests that ransomware brands are becoming more concerned about drawing attention to their activities, particularly from law enforcement.
Another recent and unusual tactic ransomware operators are using is trying to recruit insiders to enable a ransomware attack in return for a share of the takings. In one, widely reported example, the operators behind LockBit 2.0 included a recruitment ad for insiders to help them breach and encrypt the network of “any company” in return for a substantial payout.
- Resetting passwords
After breaching the network, many ransomware attackers create a new domain admin account and then reset the passwords for the other admin accounts. This means that the IT administrators can’t log in to the network to fix the system. Instead, they must set up a new domain before they can even begin trying to restore from backups.
- Phishing attacks targeting victim email accounts
In one incident investigated by Sophos Rapid Response and involving Lorenz ransomware, the attackers targeted employees with phishing emails to trick them into installing an application that provided the attackers with full access to the employees’ email, even after they reset their passwords. The attackers then used the compromised email accounts to email the IT, legal, and cyber insurance teams working with the targeted organisation to threaten further attacks if they didn’t pay.
- Deleting online backups and shadow volume copies
During their reconnaissance of a victim’s network, most ransomware operators will look for any backups connected to the network or the internet and delete them so that the victim cannot rely on them to restore encrypted files. This can include uninstalling backup software and resetting virtual snapshots. In one example seen by Sophos Rapid Response, involving DarkSide ransomware, the attackers deleted the victim’s local backups and then used a compromised admin account to contact the vendor hosting the victim’s off-site cloud backups, asking them to delete the off-site backups. The vendor complied because the request came from an authorised account. Luckily, the vendor was able to restore the backups once they had been informed of the breach.
- Printing physical copies of the ransom note on all connected devices, including point of sale terminals
A flood of printed threats is not just a nuisance in terms of paper supply, but unsettling for people in the office. Ransomware operators including Egregor and LockBit have applied this tactic.
- Launching distributed denial-of-service attacks against the target’s website
Avaddon, DarkSide, RagnarLocker, and SunCrypt have used distributed denial of service (DDoS) attacks when ransom negotiations have stalled, to force targets back to the table. Adversaries also use DDoS attacks as distractions to tie up IT security resources while the main ransomware attack activity is taking place elsewhere on the network, or as standalone extortion attacks.
What defenders can do
The fact that ransomware operators no longer confine their attacks to encrypting files that targets can often restore from backups, shows how important it is for defenders to take a defense-in-depth approach to security. This approach should combine advanced security with employee education and awareness.
The following steps may help organisations deal with threatening attacker behaviors:
- Implement an employee awareness program that includes examples of the kind of emails and calls attackers use and the demands they might make
- Establish a 24/7 contact point for employees, so they can report any approaches claiming to be from attackers and receive any support they need
- Introduce measures to identify potential malicious insider activity, such as employees trying to access unauthorised accounts or content