Global Trends & Tactics on the Rise in Ransomware and Extortion

A report by Palo Alto Networks identifies the most prominent trends in ransomware and online extortion schemes, based on the security incident response report as well as the assessments of experts and analysts of the broad threat landscape.

Cyber Crimes

While much attention has been paid to ransomware in recent years, modern threat actors increasingly use additional extortion techniques to coerce targets into paying—or dispense with ransomware altogether and practice extortion on its own.

Organizations, in turn, need to evolve their defences to address the various methods threat actors use to apply pressure. Incident response plans today need to involve not only technical considerations but also safeguards for an organization’s reputation and considerations for how to protect employees or customers who may become targets for some of the extortionists’ more aggressive tactics.

Top trends in electronic extortion

Multi-Extortion Tactics Continue to Rise

In Unit 42 ransomware cases, as of late 2022, threat actors engaged in data theft in about 70% of cases on average. In mid-2021, by comparison, researchers saw data theft in only about 40% of cases on average. Threat actors often threaten to leak stolen data on dark web leak sites, which are increasingly a key component of their efforts to extort organizations.

Harassment is another extortion tactic we see being used in more ransomware cases. Ransomware threat actor groups will target specific individuals in the organization, often in the C-suite, with threats and unwanted communications. By late 2022, harassment was a factor in about 20% of ransomware cases. Compare this to mid-2021, when harassment was a factor in less than 1% of Unit 42 ransomware cases.

Extortion Gangs Are Opportunistic–But There Are Some Patterns in the Organizations They Attack

Based on our analysis of dark web leak sites, manufacturing was the most targeted industry in 2022, with 447 compromised organizations publicly exposed on leak sites. Unit 42 believes this is due to the prevalence of systems used by this industry running on out-of-date software that isn’t regularly or easily updated or patched—not to mention the industry’s low tolerance for downtime.

Organizations based in the United States were most severely affected, according to leak site data, accounting for 42% of the observed leaks in 2022.

Large, Multinational Organizations Can Be Lucrative Targets for Threat Actors

Attacks on the world’s largest organizations represent a small but notable percentage of public extortion incidents. In 2022, 30 organizations on the Forbes Global 2000 list were publicly impacted by extortion attempts. Since 2019, at least 96 of these organizations have had confidential files publicly exposed to some degree as part of attempted extortion.

Sophisticated groups may use extortion and ransomware to fund or even conceal other activities

Groups in countries subject to embargoes or economic sanctions use ransomware and extortion to finance their operations. Some groups pursue different goals through their use of ransomware: threat actors can make more money by spreading ransomware while also gaining potential destruction and espionage capabilities.

Predictions for What to Expect From Extortion in the Coming Year

Unit 42 experts have put together predictions for what we expect to see from extortion groups in the coming year, which include:

A large cloud ransomware compromise

A rise in extortion related to insider threats

A rise in politically motivated extortion attempts

The use of ransomware and extortion to distract from attacks aimed at infecting the supply chain or source code

Al Jundi
