“Triple Extortion” Pressure Tactics – expansion of the threat actor’s play-book

The behaviour of ransomware groups of late has been indicative of those who seek the limelight. Ransomware gangs, such as REvil and LockBit appear to be more than willing to be interviewed so that they can boast about their powerful extortion threat tactics and their successful affiliate programs.

Threat actor groups are enhancing their approaches to ransomware, to expand upon the ever-familiar “double-extortion” tactics of 2020; data encryption and data exfiltration. However, 2021 is seeing the rise of ransomware groups utilising new sophisticated “triple-extortion” tactics to further pressurise their victims into paying increasing ransom demands, thus securing the profitability and reputational growth of their criminal practices.

What are the “triple-extortion” tactics?

Threat 1: Data encryption

Historically, a ransomware attack involved the encryption of an organisation’s data only. The threat actor would deploy malware across its victim’s IT network, which prevented it from being able to access files and servers due to encryption, thereby crippling the organisation’s business operations. The threat actor then offered the decryption key in exchange for payment of a ransom. If the organisation refused to pay the ransom, and in the absence of viable back-ups, all of its data would have been lost.

Threat 2 : Data exfiltration

In late 2019, threat actors were forced to evolve their tactics as their victims successfully managed to restore and recover their data, either by rebuilding from the ground up, and/or successfully utilising available back-ups. New tactics were required to increase the pressure on their victims and the probability of payoff. Prior to encryption, ransomware groups now often deploy covert tools to exfiltrate the organisation’s data and retain a copy for the purpose of further extortion.

In the event that the victim refuses to pay for the decryption key, the threat actor utilises its back-up plan; threatening to publish the organisation’s exfiltrated data online if the ransom is not paid. The threat to disclose sensitive commercial, financial and personal data, or indeed trade secrets, has proven to be an extremely effective pressure tactic. The company is not only forced to consider the commercial and reputational damage which disclosure might cause, but also the company’s legal and regulatory obligations given the risk that personal data relating to its employees, clients and key stakeholders may be compromised.

Threat 3: DDoS attacks and threatening calls

2021 has seen the emergence of a third extortion tactic being added to the threat actors’ play-book. If the organisation does not respond to the original demand for payment in exchange for a decryption key, or subsequent threat of a data leak, they may then fall victim to a distributed-denial-of-service (“DDoS”) attack where excessive external network traffic is used to render their systems inoperable.

A further tactic gaining traction in 2021, identified by cyber-security researchers, CyberPoint, is that ransomware groups will now place threatening calls to the organisation’s senior management, and also their business clients, key stakeholders and third party providers. Our recent experience has found that threat actors are exerting extra pressure on board members and executive officers through telephone calls or increasing the number of email recipients on ransom demands. We also understand that clients have been targeted where specific data has been located, with additional smaller ransoms being sought from those clients. All of this combined exerts further pressure on victims in what is already a testing situation.

It is paramount that an organisation has control over both internal and external communications to its employees and clients after falling victim to a ransomware attack, in order to mitigate damage and ensure consistency with its messaging. The threat of the ransomware group taking away that control and causing unnecessary panic amongst its staff and clients may be enough to bring its victims back to the negotiation table.

It is clear that ransomware groups will continue to evolve and develop new tactics to compel victims to pay increasingly expensive demands. Control over communications and bringing the right experts to the table early is integral to responding to these new developments effectively.

Read More:“Triple Extortion” Pressure Tactics – expansion of the threat actor’s play-book