Ransomware without Encryption: A new form of cyber threat
Ransomware attacks continue to be one of the biggest cyber threats facing businesses. In June 2022, there were 31 publicly disclosed attacks, the most recorded in a month this year. Traditionally, the threat actors worked by encrypting company files and then demanding a ransom in exchange for the decryption keys, but it appears they have found a new tactic.
New extortion technique
Now, cyber attackers just steal company data and threaten to leak it publicly or sell it if their demands are not met.
Sandra Joyce, the VP for Mandiant Intelligence, confirms having worked with multiple victims of this new attack. “That's exactly what's happening to a lot of the victims that we work with. We call it multi-faceted extortion. It's a fancy way of saying data theft paired with extortion,” she says.
The data thieves send screenshots or copies of the stolen data as proof and will even offer incentives to motivate companies to pay faster. The sooner you pay, the less you pay; the longer you delay, the larger the ransom gets. If the criminals sense a lack of urgency from your side, they will start taking drastic measures such as leaking bits of information or using the stolen data to humiliate you publicly.
Karakurt is one such extortion group that has been put in the spotlight by CISA and is being investigated by the FBI. There have been no reports of the extortion gang encrypting a company’s sensitive data, and yet they are demanding ransoms as high as $13 million. How? They exfiltrate the data and threaten to leak or sell it if they are not paid.
The growth of ransomware as a business
It gets crazier. Sandra notes that some groups are even offering a “sliding-scale payment system” where you pay for what you get. So, you can start by paying to protect the most sensitive data and then pay to protect other data later on. The attackers will provide you with a control panel, customer support, and all the tools you need to make this possible.
This is evidence of just how much ransomware has grown as a business. Cybercriminals have become very innovative and are working to develop more sophisticated attack tools and extortion techniques with each passing day.
We have reached a point where ransomware groups are launching marketing campaigns to position themselves above other gangs. This has only served to stoke up the fire in an already growing ransomware-as-a-service market.
On its Tor website, the ransomware gang behind Lockbit claims to have the fastest ransomware. This prompted the Splunk security research team led by Ryan Kovar to investigate how long it takes 10 of the most popular ransomware families to encrypt 1,000 files. Lockbit, REvil, and Conti were among the ransomware families being investigated. True to the gang's word, Lockbit was the fastest.
"They're to the point where someone said, 'We're losing ground to other ransomware families. And we actually have to create marketing material to better position our ransomware as the choice du jour,'" Kovar said in an interview during the RSA conference. "The sophistication shows there's a competitive aspect to this beyond just 'we're good at converting ransoms to Bitcoin'," he further stated.
The Good News
On the upside, attack tools and extortion techniques may be advancing, but the attackers are still exploiting the same known vulnerabilities. Therefore, enterprises that have patched these common exploitable vulnerabilities are already a step ahead in the fight against ransomware.
Dmitri Alperovitch, former CTO at CrowdStrike Inc and current chair at Silverado Policy Accelerator, also notes that companies need to be honest with the public in the event of an attack. This is not only helpful in the fight against this massive threat but also critical in helping the company retain customers.
"Write a press release that you're going to put out in the event of a data leak, or a ransomware attack," Mike Sentonas, current CTO at CrowdStrike advises. “And don't lie. Eventually, corporations do recover from ransomware attacks – especially if they have good backups. But, they may not regain customers' trust if they aren't transparent about what happened.”
There also needs to be continuous collaboration between businesses and key law enforcement agencies to enable the prosecution of cybercriminals. This will make other groups think twice before launching an attack campaign.