Threat actors are increasingly employing cyber extortion techniques to gain leverage over targeted organizations and accomplish their goals. While much attention has been paid to ransomware in recent years, modern threat actors increasingly use additional extortion techniques to coerce targets into paying—or dispense with ransomware altogether and practice extortion on its own, according to a new report from cybersecurity company Palo Alto Networks.
While in many cases the motivation is financial, Unit 42 also sees indications that cyber extortion can happen in service of a group’s larger goals—sometimes simply to fund other activities, but other times to distract from them.
Organizations, in turn, need to evolve defenses to address the various methods threat actors use to apply pressure. Incident response plans today need to involve not only technical considerations but also safeguards for an organization’s reputation and considerations for how to protect employees or customers who may become targets for some of the extortionists’ more aggressive tactics.
In its review of incident response cases, as well as its threat intelligence analysts’ assessment of the larger threat landscape, Palo Alto Networks noted some key points:
Top extortion trends
- In Unit 42 ransomware cases, as of late 2022, threat actors engaged in data theft in about 70% of cases on average. Comparing this to mid-2021, Palo Alto saw data theft in only about 40% of cases on average. Threat actors often threaten to leak stolen data on dark web leak sites, which are increasingly a key component of their efforts to extort organizations.
- Harassment is another extortion tactic Palo Alto observed being used in more ransomware cases. Ransomware threat actor groups will target specific individuals in the organization, often in the C-suite, with threats and unwanted communications. By late 2022, harassment was a factor in about 20% of ransomware cases. Compare this to mid-2021, when harassment was a factor in less than 1% of Unit 42 ransomware cases.
- Extortion gangs are opportunistic, but there are some patterns in the organizations they attack. Based on Unit 42’s analysis of dark web leak sites, manufacturing was one of the most targeted industries in 2022, with 447 compromised organizations publicly exposed on leak sites. Unit 42 believes this is due to the prevalence of systems used by this industry running on out-of-date software that isn’t regularly or easily updated or patched—not to mention the industry’s low tolerance for downtime. Organizations based in the United States were most severely affected, according to leak site data, accounting for 42% of the observed leaks in 2022.
- Large, multinational organizations can be lucrative targets for threat actors. Attacks on the world’s largest organizations represent a small but notable percentage of public extortion incidents. In 2022, 30 organizations on the Forbes Global 2000 list were publicly impacted by extortion attempts. Since 2019, at least 96 of these organizations have had confidential files publicly exposed to some degree as part of attempted extortion.
- Advanced threat groups may use extortion and ransomware to fund other activities — or hide them. Threat groups from countries under economic embargoes or sanctions have been observed using ransomware and extortion to fund their operations. Other threat groups, including some from Iran or China, seem to have different objectives when using ransomware. Threat actors can gain more than money from deploying ransomware—it also has the potential for both destruction and espionage.
Unit 42 experts have put together predictions for what Palo Alto Networks expects to see from extortion groups in the coming year. Their predictions include:
1- 2023 will be the year to witness a large cloud ransomware compromise.
2- A rise in extortion related to insider threats.
3- A rise in politically motivated extortion attempts.
4- The use of ransomware and extortion to distract from attacks aimed to infect the supply chain or source code.