David is a computer security researcher with over 18 years of experience in malware analysis and antivirus software evaluation. He runs the Privacy-PC.com project which presents expert opinions on contemporary information security matters, including social engineering, penetration testing, threat intelligence, online privacy, and white hat hacking. He has a strong malware troubleshooting background, with the recent focus on ransomware countermeasures.
Cyber-extortion: How ransomware attackers pressure their victims to pay up
Around 2018, the ransomware plague took a sharp turn. Rather than following a “spray-and-pray” approach to infect individuals and businesses indiscriminately, cyber extortionists shifted their focus toward targeted attacks against large enterprise networks.
Because organisations can afford to pay more to get their data back, this milestone in ransomware evolution became a game-changer. Ransom amounts skyrocketed, reaching millions of dollars per breached company in some cases. Unsurprisingly, victims are not willing to part with so much money, especially when there is no guarantee that the attackers will carry through with their promises.
As a result, malicious actors have been coming up with methods to coerce organisations to cooperate when faced with the harsh “to pay or not to pay” dilemma. In this article, we will explore the most common techniques used to pressure victims into coughing up ransoms for their proprietary files.
Posting stolen data on the Internet
When unauthorised encryption is not enough, crooks need extra leverage to take their blackmail to the next level. In late 2019, a ransomware gang called Maze paved the way for an intimidation mechanism like that. The hackers started stealing victims’ files as part of a compromise.
If a company refuses to engage in ransom negotiations, the cybercriminals threaten to leak exfiltrated sensitive data via publicly available resources like hacking forums or special “naming and shaming” sites. This can have serious reputational implications for the victim and give their business rivals an unfair competitive advantage. Therefore, the organisation is more likely to succumb to the original demands.
Double extortion that involves both encryption and data theft is an escalating threat. At this point, about two dozen ransomware groups, including the notorious REvil, LockBit, and Nemty, are using this tactic to pressure victims into doing what they want.
DDoS attacks
Flooding a target organisation’s network with junk traffic to knock it offline (a distributed denial-of-service, or DDoS, attack) is another devious scheme in cybercriminals’ repertoire. The logic is simple: an outage of a corporate website is an impactful, visible quandary that may discourage customers and partners from dealing with the brand, and it adds a second source of pressure on top of the encryption itself.
So far, three ransomware gangs have used this strategy to extract payments more efficiently. These are SunCrypt, RagnarLocker, and recently, a group dubbed Avaddon. With DDoS-for-hire dark web services being offered cheap nowadays, this trend will likely gain more traction in the cybercriminal underground.
Ransom notes printouts
In November 2020, operators of a ransomware strain called Egregor raided the IT network of Cencosud, a major Chilean retailer. To boost their extortion, they remotely ran commands to make POS receipt printers in the victim’s stores throughout the country print ransom demands non-stop. Predictably enough, a trick like that is a sucker punch that attracts unwanted publicity and may force any business to pay up faster to stop the embarrassment.
Facebook ad campaigns
As most victimised businesses try to keep security incidents secret, threat actors may use ads on social media to make those efforts go down the drain. In November 2020, crooks in charge of the Ragnar Locker ransomware launched a dodgy advertising campaign on Facebook to disseminate information about a previously executed assault against a large Italian beverage company called Campari Group. This shady marketing operation was conducted from a hacked account belonging to a DJ from Chicago, who was subsequently billed for the campaign. The foul play had generated more than 7,000 ad views and almost 800 clicks before Facebook identified the fraud.
Calling journalists and victims’ business partners
In early March 2021, the above-mentioned REvil (aka Sodinokibi) ransomware syndicate announced that they would extend their extortion through VoIP calls to news media agencies and companies that do business with the victims. To this end, they are allegedly hiring individuals to make voice-scrambled calls aimed at informing journalists as well as organisations’ partners about the attacks for additional pressure. To top it off, the gang claims to be launching a service that will allow its affiliates to unleash Layer 3 and Layer 7 DDoS incursions against non-paying victims.
Making customers nervous
When looking for more pain points of compromised brands, some cybercriminal groups turn to their customers. Felons behind the Clop ransomware took this route in late March 2021, contacting the clients of companies whose data was leaked in a massive Accellion breach perpetrated in mid-December 2020.
In this incident, crooks exploited zero-day vulnerabilities in Accellion’s File Transfer Appliance (FTA) product to infiltrate the networks of dozens of companies that were using it, including such giants as energy company Shell, jet manufacturer Bombardier, and the Reserve Bank of New Zealand.
In the aftermath of this massive raid, the Clop group has been sending emails to customers of the affected companies. These messages say that the recipients’ financial details and other personally identifiable data have been stolen and will shortly appear on a leak site unless the organisation pays the ransom.
This move is meant to prompt worried customers to reach out to the company and demand that it “protect its customers’ data.” It is hard to say whether this tactic alone suffices to make the breached businesses pay, but it can become a catalyst for making such a decision.
Causing disruptive outages for service providers’ clients
PrismHR, a US-based company that provides solutions for payroll, benefits, and associated services to more than 80,000 organisations, experienced a severe outage on February 28, 2021. This incident caused corporate customers to lose access to their dedicated portals and put some of their important HR management processes on hold.
Although the provider hasn’t disclosed specific details on what kind of an IT predicament it encountered, security analysts argue it was most likely a ransomware attack. This theory rests mostly on the fact that the outage began over a weekend, a period of low staffing when ransomware operators often choose to detonate their payloads, knowing that fewer defenders are watching and response will be slower.
As of early March, PrismHR was busy restoring its systems from unaffected backups and eventually got its staffing services back on track. However, in a situation like this, the dissatisfaction of numerous customers can play into attackers’ hands by pushing victims to cooperate.
The ransomware epidemic appears to be getting worse, with new extortion techniques incessantly stepping up criminals’ game. When confronted with an incident like that, businesses should keep in mind that each ransom paid to attackers fuels this disgusting cybercrime model. Moreover, attackers are under no obligation to honour their promises even after getting their money: decryption tools may be buggy or incomplete, and a copy of the stolen data remains in the criminals’ hands regardless of what they claim to delete.
With that said, the best strategy is to implement proactive defenses against unauthorised network infiltration and DDoS attacks while maintaining secure, offline or otherwise immutable backups of critical data. Keep in mind that backups only address the encryption half of double extortion; they do nothing to blunt the leverage of data that has already been stolen, so limiting access to sensitive data and detecting large outbound transfers matter just as much. Also, since many of these attacks begin with employees’ slip-ups such as phishing, the importance of a security awareness program for personnel should never be underestimated.