
Multi-extortion tactics and harassment on the rise as ransomware operations continue to evolve

A new ransomware report has shone a light on the evolving nature of the threats faced by companies compromised by such attacks.

David Hollingworth
Wed, 22 Mar 2023

It appears that where ransomware attacks were once relatively simple, one-vector affairs (encrypting important files and then demanding payment, often in cryptocurrency, in return for the key), threat actors are now adding more layers to their attacks.

In fact, some operators are now ditching ransom demands in favour of straight extortion, stealing data and threatening to publish it unless a victim pays up.

“The number one goal for many criminal threat actors is getting paid, and they’ll do whatever they can to improve the chances of that happening,” Unit 42 researchers said in their Ransomware and Extortion report.


“As such, we are seeing threat actors increasingly focus on extortion techniques — often layering them on top of each other.”

The use of multi-layered tactics rose sharply into 2022. In 70 per cent of cases, threat actors also stole the data they encrypted, a sharp rise from 40 per cent in the year before. More strikingly, 20 per cent of ransomware attacks now also include harassment of customers or employees, compared to less than 1 per cent previously.

The harassment is aimed at getting a company’s attention if the negotiation process seems to be flagging.

Distributed denial-of-service (DDoS) attacks have also been seen as a negotiation tactic, but only in 2 per cent of cases — static from 2021.

One of the key takeaways from this is that backups are no longer the ideal solution. Sure, a good backup regime is still essential for data security, but companies are increasingly finding that even if they can restore from backups and ignore ransom requests, threat actors are pivoting to extortion as their own backup plan.

Unit 42 recommends that companies have a playbook prepared for every facet of modern ransomware attacks. It’s also important to make sure that both security and legal teams are part of the process.

“During an active extortion incident, rapid support from your incident response partner and outside legal counsel is critical,” the report said. “From a mitigation perspective, having a comprehensive incident response plan with corresponding crisis communication protocols will greatly reduce uncertainty.”

Despite many law enforcement organisations — such as the FBI — recommending that ransoms should not be paid (as it encourages threat actors and funds further criminal activity), the report also suggests that companies make the decision to pay or not to pay a part of their own response policy.

Harassment awareness training should also be part of a company’s ransomware attack response playbook. Post mortems are also essential so that learnings can be properly recorded and acted upon and any possible backdoors from a successful attack addressed.


David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.
