The Landscape of Ransomware and Extortion

Director – UNIT 42 Cyber Consulting & Threat Intelligence, Asia Pacific & Japan, Palo Alto Networks

The 2023 Unit 42 Ransomware and Extortion Report is a comprehensive analysis by Palo Alto Networks' Unit 42 threat intelligence analysts. It examines the patterns, motivations, and tactics of ransomware and extortion groups, assesses the impact of their attacks, and offers predictions about how extortion groups will behave in the coming years.

One significant finding is a 35% increase in ransomware and extortion cases in the Asia Pacific region in 2022, with 302 reported incidents across various sectors. Threat actors have also adopted more aggressive strategies to force organizations into paying: in Unit 42™ incident response cases, harassment of victims rose roughly 20-fold compared with the previous year.

CIO World Asia spoke with Vicky Ray, Director – UNIT 42 Cyber Consulting & Threat Intelligence, Asia Pacific & Japan, Palo Alto Networks, about the impact of ransomware and extortion.

The Impact of Ransomware in The Asia-Pacific Region

Based on Unit 42's data and information obtained from dark web leak sites, certain industries in the APAC region have become prime targets: high technology, manufacturing, professional and legal services, and the public sector. Among the ransomware attacks reported, Australia experienced the highest number, with 45 incidents accounting for nearly 15% of all attacks in the region (45 of 302). India follows closely with 36 attacks.

Organizations that rely on outdated software have suffered the most severe consequences. Keeping such systems patched is difficult, leaving known vulnerabilities exposed. Threat actors exploit these weaknesses together with the pressure organizations face to meet operational deadlines, and use that leverage to push victims into paying quickly and in full.

These attacks have led to significant financial losses from operational downtime and the resulting disruption of revenue streams, and it is precisely that pressure that pushes organizations to give in to the attackers' demands.

New Attack/Extortion Tactics Employed By Threat Groups

According to the Unit 42 Ransomware and Extortion Report, threat groups frequently combine data theft with multi-extortion tactics, which have consistently proven effective. Over the past 18 months, Palo Alto Networks observed a 30% increase in the use of these strategies. These groups specifically target regulated data sets or commercially sensitive information in order to maximize their leverage over victims.

Once in possession of the stolen data, they publicly threaten to release it unless their demands are met. In 9% of the ransomware cases examined by Unit 42, harassment was also used as an extortion tactic: threat actors left voicemails for corporate leaders and employees, emailed staff directly, or exposed victims' identities on leak sites or social media. The intent is to create unease within the organization and pressure it into capitulating to the attackers' demands.

Why are Industries Such as Manufacturing and Education Being Targeted

The manufacturing industry is adopting automation and Internet of Things (IoT) solutions at a growing pace, connecting factory equipment to supply chain partners and improving productivity. That same integration, however, creates additional entry points for attackers, leaving these environments open to infiltration. The resulting attacks range from theft of trade secrets and production information to disruption of production lines. Educational institutions face comparable challenges, particularly where legacy hardware and software cannot withstand current threats.

Moreover, allowing students and teachers to use their own devices, including laptops and mobile phones, further expands the attack surface. Limited budgets for robust security controls and the inability to hire qualified staff to maintain and update IT infrastructure exacerbate these concerns. As a result, these institutions remain vulnerable to many types of attack, including the ever-increasing threat of ransomware.

Ramifications of Ransomware Attacks

The consequences of ransomware can be severe: significant financial losses, reputational harm, and data loss, with recovery itself requiring substantial resources. Organizations subject to cyber regulations and data protection laws may also face fines, sanctions, loss of operating licenses, and legal action. The loss of credibility that follows a data breach can have long-term effects on an organization's financial stability and reputation.

The primary motivation of ransomware groups is financial gain and the acquisition of valuable information. Beyond demanding large ransoms, these groups look for data they can sell to third parties: stolen personal data can be sold to criminals for identity theft, and stolen credentials can be traded to others seeking access to the compromised network or to infiltrate the organization's systems further.

The Rise of LockBit 3.0 From The Russia-Ukraine Conflict

Amid events such as the Russia-Ukraine war and economic instability, ransomware groups exploit employees' fear and curiosity to lure victims. One particularly notorious group is LockBit 3.0, also known for its more modular and evasive variant, "LockBit Black". The group has been targeting organizations at an unprecedented rate. In 2022 alone, LockBit posted information about 801 breached organizations on its leak site, the highest victim count Palo Alto Networks observed in the last two years. That is nearly double the 409 victims posted in 2021, a 95% increase.

According to Palo Alto Networks' reports, LockBit 3.0 might target organizations in the APAC region in retaliation for sanctions or other political measures taken against the Russian government. Such actors are no longer driven solely by financial gain, so all organizations must remain vigilant and actively defend against these threats.

Expectations From Extortion Groups in The Coming Years

According to Palo Alto Networks' 2023 Unit 42 Ransomware and Extortion Report, insider threats will increasingly drive extortion attempts.

Attackers will also compromise supply chains and victims' source code, using ransomware as a diversion from the initial supply chain compromise. As organizations become more practiced at handling ransomware incidents, they may start treating them as routine, and threat actors will exploit that complacency by using a ransomware attack to draw attention away from the true objective. Separately, disruption to the operations of established ransomware groups will prompt their members to break away and either join lesser-known groups or form new ones.

As organizations rely more heavily on cloud services, a surge in cloud-focused ransomware attacks can be expected. Too often, organizations overlook fundamental security controls and fail to use the advanced security features offered by major cloud service providers or additional cloud security tooling.

To move beyond conventional social engineering, cybercriminals are actively developing new avenues of initial access, including SEO poisoning (via malvertising), callback phishing, exploitation of vulnerabilities in externally facing assets, and fake software installers or updates.