The Sophos Rapid Response Team shows how ransomware criminals have honed their techniques. The trend has long been moving away from the pure encryption of data towards other blackmail methods such as direct pressure on individual employees in order to persuade the victims to pay.
“As companies become better able to secure their data and restore encrypted files from backups, attackers are supplementing their ransom demands with additional extortion measures that increase the pressure to pay,” explains Peter Mackenzie, Director, Incident Response at Sophos. “For example, the Sophos Rapid Response team has observed cases where attackers call a victim’s staff via email or phone, address them by name, and provide them with personal information that they have stolen – such as disciplinary action or passport information – with the aim of intimidating them into demanding that their employer pay the ransom. This type of behavior shows how ransomware has evolved from a purely technical attack targeting systems and data to an attack targeting people as well.”
Some of the tactics attackers use to force victims to pay are reckless and can potentially do more harm to a business than downtime. The attackers intentionally try to undermine the relationships, trust, and reputation of their target. Sometimes they are very public, in other cases they are more direct and personal.
For example, the Sophos Rapid Response team has observed cases where attackers call a victim’s staff via email or phone, address them by name, and share personal information that the attacker has stolen, such as details of disciplinary measures or financial or passport details to scare them and get their employer to pay the ransom.
This type of behavior shows how ransomware has evolved from a purely technical attack that targets systems and data to one that also targets people.
To help companies improve their ransomware defenses, Sophos Rapid Response has compiled the top ten blackmail tactics attackers used in 2021:
1. Steal data and threaten to publish it online or auction it off
The list of ransomware groups that now use, own or host a public “leak” website for stolen data is long. This practice has become so common that any victim of an intrusion has to assume that a ransomware attack also means data theft.
The attackers publish the stolen data on leak sites so that competitors, customers, partners, the media and others can find out about it. These websites often have social media bots that automatically publish new posts so there’s little chance of keeping an attack a secret. Sometimes the attackers offer the data for auction on the dark web or in cybercriminal networks.
However, the main concern for victims may be the type of data the attackers steal. It is not just trade secrets and intellectual property: the attackers typically also dig up information such as corporate and individual banking details, bills, pay slips, disciplinary details, passports, driver’s licenses, social security numbers, and more.
For example, in a ransomware attack on a transport logistics provider, the attackers captured details of ongoing accident investigations, including the names of the drivers involved, deaths and other related information. The fact that this information would become public only added to an already difficult situation. The attackers were the Conti group.
The loss or disclosure of personal data also exposes victims to the risk of violating data protection laws such as the European General Data Protection Regulation (GDPR).
2. Emails and calls to employees, including officers, threatening to reveal their personal information
REvil, Conti, Maze, SunCrypt, and other ransomware groups have used this intimidation tactic, which can be extremely worrying for recipients.
The people behind the REvil ransomware are said to have called media and business partners of the victims to inform them of the attack and to ask them to persuade the victims to pay. They are also said to have set up a free service that provides encrypted VoIP calls for their partners and customers.
3. Notifying or threatening to notify business partners, customers, the media and others about the data breach
In this tactic, people or organizations whose contact details the attackers found in the stolen files are notified by email or post and asked to pay a ransom in order to protect their data. REvil, Clop, and other ransomware groups use this approach.
4. Silence victims
Conti and RagnarLocker recently threatened their victims with messages asking them not to contact law enforcement or share details of the ransom negotiations. This is intended to prevent victims from receiving assistance from third parties who could help them avoid paying the ransom. It also suggests that ransomware operators are increasingly careful to keep law enforcement agencies’ attention away from their activities.
5. Recruiting insiders at the victim’s company
Another new and unusual tactic used by ransomware operators is to recruit employees of the affected companies to enable a ransomware attack in exchange for a share of the profits. The people behind LockBit 2.0 put up an ad to recruit insiders who would help them break into systems and encrypt them in return for a large sum of money. The notice that appears on the victim’s computers after encryption suggests that the attackers are trying to recruit insiders at the victims’ companies to help them break into the networks of third-party vendors or suppliers – an additional cause for concern for the victim and its partners.
6. Resetting passwords
After breaking into the network, many ransomware attackers create a new domain administrator account and then reset the passwords for the other administrator accounts. This means that IT administrators cannot log into the network to repair the system and have to set up a new domain before they can even attempt to restore the system from the backups.
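The account-takeover pattern described above (a freshly created account that is elevated to Domain Admins and then resets the other admins’ passwords) can be caught by a simple correlation rule. The following is an added example, not code from Sophos: it runs a SIEM-style correlation over constructed Windows Security events using event IDs 4720 (user account created), 4728 (member added to a global group) and 4724 (password reset attempt); the account and user names are invented.

```python
"""Correlate 'new account -> privileged group -> mass admin password reset'.

Added example (not from the Sophos article). Events are constructed tuples
modelled on Windows Security log fields: (timestamp, event_id, subject
account, target account, group name or None).
"""
from datetime import datetime, timedelta

# Constructed sample events: an attacker-created account "itadmin2" is
# elevated and then resets three other admin accounts within two minutes.
# The last line is a routine reset by a legitimate admin and must not alert.
SAMPLE_EVENTS = [
    ("2021-09-01T02:11:05", 4720, "svc-backup", "itadmin2", None),
    ("2021-09-01T02:11:40", 4728, "svc-backup", "itadmin2", "Domain Admins"),
    ("2021-09-01T02:13:02", 4724, "itadmin2", "jsmith-da", None),
    ("2021-09-01T02:13:10", 4724, "itadmin2", "mjones-da", None),
    ("2021-09-01T02:13:20", 4724, "itadmin2", "helpdesk-da", None),
    ("2021-09-01T09:30:00", 4724, "jsmith-da", "intern01", None),
]

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}


def detect_admin_takeover(events, window=timedelta(minutes=30), min_resets=2):
    """Return one alert per account that was created, added to a privileged
    group, and then used to reset >= min_resets other accounts' passwords,
    all within `window` of its creation."""
    parsed = [(datetime.fromisoformat(ts), eid, subj, tgt, grp)
              for ts, eid, subj, tgt, grp in events]
    created = {tgt: ts for ts, eid, _, tgt, _ in parsed if eid == 4720}
    alerts = []
    for acct, t0 in created.items():
        elevated = any(eid == 4728 and tgt == acct and grp in PRIVILEGED_GROUPS
                       and t0 <= ts <= t0 + window
                       for ts, eid, _, tgt, grp in parsed)
        if not elevated:
            continue
        resets = sorted({tgt for ts, eid, subj, tgt, _ in parsed
                         if eid == 4724 and subj == acct and t0 <= ts <= t0 + window})
        if len(resets) >= min_resets:
            alerts.append({"account": acct, "created_at": t0.isoformat(), "resets": resets})
    return alerts


if __name__ == "__main__":
    for a in detect_admin_takeover(SAMPLE_EVENTS):
        print(f"ALERT: {a['account']} created {a['created_at']}, reset {a['resets']}")
```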
7. Phishing attacks targeting victims’ email accounts
In an incident investigated by Sophos Rapid Response involving the Lorenz ransomware, the attackers used phishing emails to trick employees into installing an application that gave the attackers full access to the employees’ email accounts, even after the employees reset their passwords. The attackers then used the compromised email accounts to send emails to the IT, legal, and cyber insurance teams that work with the affected organization, threatening further attacks if they didn’t pay.
8. Deletion of online backups and shadow volume copies
When exploring a victim’s network, most ransomware operators look for backups that are connected to the network or the internet and delete them so that the victim cannot rely on them to restore encrypted files. This can include uninstalling backup software and resetting virtual snapshots. In one case observed by Sophos Rapid Response involving the DarkSide ransomware, the attackers deleted the victim’s local backups and then used a compromised admin account to contact the vendor hosting the victim’s external cloud backups and ask it to delete those as well. The provider complied because the request came from an authorized account. Fortunately, the provider was able to restore the backups after being notified of the breach.
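Local backup and shadow-copy destruction leaves a trace in process-creation logs (Sysmon Event ID 1 or Security 4688) before encryption starts. The following is an added example, not code from Sophos: a small rule set run over constructed command lines, matching the documented Windows built-ins for deleting shadow copies and the backup catalog; the `msiexec` rule for a backup-agent uninstall uses a placeholder product name that must be replaced with your own agent’s. It does not cover the cloud-provider case above, which needs the provider’s own audit logs.

```python
"""Flag process-creation events that match backup/shadow-copy destruction.

Added example (not from the Sophos article). Command lines are constructed
to look like Sysmon Event ID 1 / Security 4688 CommandLine fields.
"""
import re

# Each rule: (label, regex applied to the lower-cased command line)
RULES = [
    ("shadow_copy_delete", re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b")),
    ("shadow_storage_resize", re.compile(r"\bvssadmin(\.exe)?\b.*\bresize\s+shadowstorage\b")),
    ("wmi_shadow_delete", re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b")),
    ("backup_catalog_delete", re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\s+catalog\b")),
    # Placeholder: replace "exampleagent" with your backup agent's product name.
    ("backup_agent_uninstall", re.compile(r"\bmsiexec(\.exe)?\b.*\s/x\b.*exampleagent")),
]


def classify(command_line):
    """Return the labels of all rules that match one command line."""
    cl = command_line.lower()
    return [label for label, rx in RULES if rx.search(cl)]


def scan(events):
    """events: iterable of (host, user, command_line). Returns one alert per
    event that matches at least one rule; read-only commands do not alert."""
    alerts = []
    for host, user, cmd in events:
        labels = classify(cmd)
        if labels:
            alerts.append({"host": host, "user": user, "rules": labels, "cmd": cmd})
    return alerts


# Constructed sample log lines (hosts, users and the GUID are invented)
SAMPLE_EVENTS = [
    ("FS01", "CORP\\itadmin2", "vssadmin.exe Delete Shadows /All /Quiet"),
    ("FS01", "CORP\\itadmin2", "wbadmin delete catalog -quiet"),
    ("WS07", "CORP\\jsmith", "vssadmin list shadows"),
    ("FS01", "CORP\\itadmin2", "msiexec.exe /x {GUID-PLACEHOLDER} /qn ExampleAgent"),
    ("WS07", "CORP\\jsmith", "notepad.exe report.txt"),
]

if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(f"ALERT {a['host']} {a['user']} {a['rules']}: {a['cmd']}")
```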
9. Print physical copies of the ransom note on all connected devices, including point of sale terminals
A spate of printed threats is not only a drain on the paper supply but also unsettling for office workers. Ransomware operators such as Egregor and LockBit have used this tactic.
10. Carry out distributed denial of service attacks on the target’s website
Avaddon, DarkSide, RagnarLocker and SunCrypt have used Distributed Denial of Service (DDoS) attacks when ransom negotiations stalled, to force the targets back to the negotiating table. The attackers also use DDoS attacks as a distraction to tie up IT security resources while the main activity of the ransomware attack takes place elsewhere in the network, or as stand-alone blackmail attacks.
What defenders can do
The fact that ransomware operators no longer limit their attacks to encrypting files, which the target can often restore from backups, shows how important it is for defenders to take a comprehensive approach to security that combines advanced security technology with employee training and awareness. It is also worth revisiting the following steps to improve IT security against a wide range of cyber threats, including ransomware.
The following steps can help companies deal with threatening attacker behavior:
- Implement an employee awareness program that includes examples of the types of emails and calls attackers are using and the claims they might make.
- Establish a 24/7 contact point for employees so that they can report approaches from attackers and receive any assistance they may need.
- Take measures to identify potentially malicious insider activity, e.g. employees attempting to access unauthorized accounts or content.
- Monitor network security 24/7 and watch for early indicators of an attacker’s presence so that ransomware attacks can be stopped before they start.
- Disable internet-facing Remote Desktop Protocol (RDP) so that cybercriminals cannot use it to access networks. If users need access to RDP, put it behind a – or
- Educate your employees on what to look for in relation to phishing and malicious spam, and put in place robust security policies.
- Make regular backups of your most important and up-to-date data on an external storage medium. The standard recommendation for backups is the 3-2-1 method: 3 copies of the data on 2 different systems, 1 of which is offline, and test that they can be restored.
- Prevent attackers from gaining access to your security software and disabling it: choose a solution with a cloud-hosted management console that has multi-factor authentication enabled and role-based management to restrict access rights.
- Remember that there is no silver bullet for protection and that a layered, in-depth security model is required. You should extend it to all end devices and servers and ensure that they can share security-related data.
- Create an effective incident response plan and update it as necessary.
- Reach out to outside experts to monitor threats or respond to emergencies for additional help if needed.
To find out more, speak to your Sophos representative, visit our website or start a free trial.