New tactics used by ransomware attackers – CyberCube report

Published on Mon, 21/06/2021 - 11:51

Cyber-crime gangs engaged in online extortion are increasingly resembling drug cartels in their collaborative tactics, according to a study from analytics firm CyberCube.

Cyber criminals engaged in ransomware attacks are switching tactics to thwart online security and law enforcement efforts, according to a report from CyberCube.

Ransomware attackers are increasingly collaborative in their approaches, mirroring aspects of the organised crime world of drug cartels, the San Francisco-based analytics firm said.

Cartels of loosely affiliated hacker groups have formed to execute attack campaigns more collaboratively, expanding the playbook used by hackers to include so-called ‘double-extortion’, data exfiltration and data modification, the study warned.

The report concludes that in 2021, cybercriminal cartels behind ransomware will be responsible for the majority of attritional losses in the insurance market, and potentially even aggregation events due to cyber-attacks. 

“Ransomware is now right at the top of the agenda for cyber insurers, reinsurers and brokers,” said Darren Thomson, CyberCube’s head of cyber security strategy and one of the report’s authors.

“This is because cyber criminals are continuing to adjust and improve their ransomware approaches in response to increasingly sophisticated cyber defence – and to reap as much reward as possible.” 

Some of the biggest companies are being targeted, with cartels researching the relative affordability of ransom payments by prospective targets when deciding which entities to strike, CyberCube said.

Ransomware attacks have risen up the risk agenda with a number of high-profile attacks in 2021, including against US energy infrastructure firm Colonial Pipeline, and attacks against insurers CNA and Axa.

Techniques used are also getting more sophisticated. So-called double extortion attacks first appeared in 2019 and have become more widespread, the report said.

Under this approach, hackers not only encrypt the victim’s data, but also copy it to one of their own servers. Once the victim has paid the ransom, the cyber cartel still has the data in its possession, which it can use for the purpose of further extortion.

There are now many prolific double-extortion ransomware cartels – Maze, REvil, Sodinokibi, DoppelPaymer and Nemty are known examples – creating their own websites to publish data from victims that do not pay ransoms, CyberCube said.

The number of ransomware attacks that have also resulted in data breaches has doubled within a year, according to IT security firm Security Boulevard, with 337 confirmed cases in 2019, rising to 676 in 2020.

In another twist, once an organisation’s security is breached and its data are compromised, hackers are modifying data in order to threaten its integrity.

These attacks are likely to become increasingly prevalent in the next few years and will focus on sectors utilising sensitive data such as healthcare and financial services, CyberCube warned.

Ransomware worms, which use malware that can spread without human interaction, are another developing threat, the report warned.

Another emerging focus is attacks against so-called ‘single points of failure’ (SPoFs), which are systems and services common to a large number of users, giving such attacks the potential to affect large swathes of businesses.

Recent attacks on Microsoft Exchange are an example of this type of SPoF attack, CyberCube said.