A new report from Palo Alto Networks found that ransomware and extortion actors are utilising more aggressive tactics to pressure organisations, with harassment being involved 20 times more often than in 2021, according to Unit 42™ incident response cases. This harassment is typically carried out via phone calls and emails targeting a specific individual, often in the C-suite, or even customers, to pressure them into paying a ransom demand. The 2023 Unit 42 Ransomware and Extortion Report shares insights based on Unit 42’s incident response work on approximately 1,000 cases over the past 18 months.
Ransomware demands continued to be a pain point for organisations this past year, with payments as high as US$7 million in cases that Unit 42 observed. The median demand was US$650,000, while the median payment was US$350,000, indicating that effective negotiation can drive down actual payments. The highest ransom demanded in 2022 was $50 million, or ₹4.1 billion.
“Ransomware and extortion groups are forcing their victims into a pressure cooker, with the ultimate goal of increasing their chances of getting paid. Harassment has been involved in one of every five ransomware cases investigated recently, showing the lengths that these groups are willing to go to coerce a payday. Many are going so far as to leverage customer information that has been stolen to harass them and try to force the organisation’s hand into payment,” said Wendi Whitmore, Senior Vice President and Head of Unit 42, Palo Alto Networks.
Key trends from the report include:
Attackers add pressure with multi-extortion
Ransomware groups have been observed layering extortion techniques for greater impact, with the goal of applying more pressure on organisations to pay the ransom. Some of these tactics include encryption, data theft, distributed denial of service (DDoS) and harassment. Data theft, which is often associated with dark web leak sites, was the most common of the extortion tactics, with 70 per cent of groups using it by late 2022 — a 30 percentage point increase from the year prior.
Leak sites drip with data
Every day, Unit 42 researchers see an average of seven new ransomware victims posted on leak sites — equating to one new victim every four hours. In fact, in 53 per cent of Unit 42’s ransomware incidents involving negotiation, ransomware groups have threatened to leak data stolen from organisations on their leak sites. This activity has been seen from a mix of new and legacy groups, indicating that new actors are entering the landscape to cash in as legacy groups have done. Established groups like BlackCat, LockBit and others contributed to 57 per cent of the leaks, with new groups trailing close behind with 43 per cent.
Ransomware groups attack society’s most vulnerable
There have been many notable attacks in the past year from ransomware groups, with a particular spike in attacks on schools and hospitals, demonstrating how low these actors are willing to stoop in their attacks. This includes the attacks from Vice Society, which was responsible for the data leaks from several major school systems in 2022. The group continues to be active in 2023, with nearly half of the incidents posted to their leak site impacting educational institutions.
The report also shares further insights into the tactics threat actors use with increased frequency, the industries and regions most impacted, and ways organisations can protect themselves better:
- Organisations based in the U.S. were most severely publicly affected, with 42 per cent of the observed leaks in 2022, followed by Germany and the U.K., accounting for nearly 5 per cent each.
- In 2022, 30 organisations on the Forbes Global 2000 list were publicly impacted by extortion attempts. Since 2019, at least 96 of these organisations have had confidential files publicly exposed to some degree as part of attempted extortion.
- Manufacturing was the most targeted industry in 2022, with 447 compromised organisations publicly exposed on leak sites.
- At least 75 per cent of ransomware attacks fielded by Unit 42’s Incident Response team resulted from attack surface exposures.
India highlights:
- 2nd most targeted country in the Asia Pacific & Japan region; up from #3 in 2021
- Maharashtra most-targeted state with 36 per cent of attacks; New Delhi at #2
- Manufacturing, construction, and professional and legal services the most targeted industries
- Most active ransomware groups include LockBit 2.0, BianLian, and Stormous