kirill_makarov - Fotolia
Cyber criminals pivot away from ransomware encryption
Cyber breaches that saw data theft and extortion without an encryption or ransomware component account for more and more incidents, in a possible indication that ransomware gangs are changing up their business models
Cases of straight-up data theft and extortion now appear to be more widespread a threat than ransomware, becoming the single most observed threat in the second calendar quarter of 2023, according to data released this week by researchers working with Cisco Talos.
According to Cisco Talos’s incident response telemetry, incidents of data theft and extortion that did not involve any form of data encryption or deployment of a ransomware grew by 25% from 1 April to the end of June, accounting for 30% of incidents to which the organisation mounted a response. Ransomware was still the second most observed threat, accounting for 17% of engagements.
Many of these extortion incidents will likely have stemmed from various attacks mounted by the Clop cyber crime cartel, which has exploited zero-days in various managed file transfer (MFT) products – most recently Progress Software’s MOVEit Transfer – in 2023 to great effect.
But Clop is not the only group to be pivoting away from encryption and ransomware. The BianLian group also appears to have stopped conducting ransomware operations in favour of exfiltration-based extortion, and other groups including Karakurt and RansomHouse are also following the trend.
“Data theft extortion is not a new phenomenon, but the number of incidents this quarter suggests that financially motivated threat actors are increasingly seeing this as a viable means of receiving a final payout,” wrote report author Nicole Hoffman.
“Carrying out ransomware attacks is likely becoming more challenging due to global law enforcement and industry disruption efforts, as well as the implementation of defences such as increased behavioural detection capabilities and endpoint detection and response (EDR) solutions,” she said.
In the case of Clop’s attacks, Hoffman observed that it was “highly unusual” for a ransomware group to so consistently exploit zero-days given the sheer time, effort and resourcing needed to develop exploits. She suggested this meant that Clop likely has a level of sophistication and funding that is matched only by state-backed advanced persistent threat actors.
Read more about cyber crime trends
- One year after Microsoft started blocking VBA and XL4 macros by default, the cyber criminal ecosystem has all but stopped exploiting macros in their attacks. They’re instead innovating at an unprecedented rate.
- With the passing of the first anniversary of Russia’s invasion of Ukraine, we reflect on the ongoing cyber war, and ask what security leaders can learn from the past 12 months.
- The UK's NCSC has issued advice for those using the technology underpinning AI tools such as ChatGPT, but says some of the security doomsday scenarios being proposed right now are not necessarily realistic.
Given Clop’s incorporation of zero-days in MFT products into its playbook, and its rampant success in doing so – the list of MOVEit victims compiled and maintained by analyst Bert Kondruss of KonBriefing Research exceeds 510 as of 27 July – she said it was likely the gang would continue its targeting of such applications.
In the more traditional world of ransomware, Cisco Talos observed growth of new operations such as 8Base and MoneyMessage, in addition to established and prolific players such as LockBit – the group behind the January 2023 hit on Royal Mail and last year’s attack on Advanced Software that degraded NHS services – and Royal.
8Base, which emerged in March 2022, is a customised version of the Phobos ransomware that also steals data prior to encrypting it on the victim’s systems. Despite being nearly 18 months old, it has only really increased in prominence since June 2023.
In one 8Base attack that Cisco Talos responded to, the cyber criminals exploited the AnyDesk remote desktop app, and installed it in the Performance Logs directory in a possible attempt to avoid detection. In this attack, the threat actor was also seen dumping credentials from the Local Security Authority Subsystem Service memory, before creating new processes with an existing user token, escalating their privileges using the runas command, and then using the Windows command shell to execute malicious PowerShell scripts.
MoneyMessage, meanwhile, was first observed in the wild in March 2023, and continues to operate on the still-successful double extortion (encryption plus data theft) model. Coded in C++, it uses a number of encryption features beloved of ransomware gangs, including the Elliptic Curve Diffle Hellman key exchange and ChaCha stream cipher algorithm.
In one incident to which Cisco Talos responded, the gang’s encryptor was dropped in the victim’s Netlogon directory, which allowed them to deploy their actual locker across multiple hosts. The gang was also able to uninstall various security tools, such as EDR solutions, using PowerShell scripts.