Pressure to pay: the top 10 tactics employed by ransomware adversaries

Whether you’re a start-up or a multinational corporation, it’s important to understand the threat ransomware poses in the modern business landscape.

Unfortunately for all of us, ransomware continues to thrive: threat actors evolve their techniques as quickly as the cybersecurity landscape advances. Attacks have grown significantly in both profile and impact, causing massive financial and operational damage to Australian businesses. In fact, there was a 15 per cent increase in ransomware cybercrime reports in the 2020-2021 financial year, with Australian businesses losing more than AU$33 billion to cyber-crime in this period. This increase has been linked to criminals' growing willingness to extort money from particularly vulnerable and critical elements of society.

As organisations become better at backing up their data and restoring encrypted files from those backups, attackers have begun to add extortion measures on top of the traditional demand for a ransom in return for decryption keys, to ramp up the pressure to pay.

Attackers have emailed or phoned organisations’ employees, addressing them by name and quoting stolen personal details, such as disciplinary records, financial details or passport information, with the aim of scaring them into paying the ransom. This shows how ransomware attackers’ behaviour is shifting from technical attacks on systems and data towards targeting people and using coercion to force payment.

Sophos has compiled the top 10 pressure tactics used by adversaries in 2021, to help organisations improve their defences:

  1. Stealing data and threatening to publish or auction it online: attackers are publishing stolen data online for competitors, customers, partners, the media and others to see.
  2. Emailing and calling employees, including senior executives, and threatening to reveal their personal information.
  3. Notifying, or threatening to notify, business partners, customers, the media and others of the data breach and exfiltration.
  4. Silencing victims by warning them not to contact the authorities.
  5. Recruiting insiders to help breach networks in return for a share of the takings.
  6. Resetting passwords after breaching the network, thereby locking IT administrators out and preventing them from fixing the system.
  7. Phishing attacks targeting victim email accounts. In one incident investigated by Sophos, attackers sent employees phishing emails to trick them into installing an application that gave the attackers full access to their email accounts, even after the employees reset their passwords.
  8. Deleting online backups and shadow volume copies. During reconnaissance of a victim’s network, ransomware operators delete any backups connected to the network so that the victim cannot rely on them to restore encrypted files.
  9. Printing physical copies of the ransom note on all connected devices, including point-of-sale terminals.
  10. Launching distributed denial-of-service attacks against the target’s website: Avaddon, DarkSide, RagnarLocker and SunCrypt have used distributed denial-of-service (DDoS) attacks when ransom negotiations have stalled, to force targets back to the negotiating table.
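Tactic 8 above (deleting shadow volume copies and connected backups) is one of the few items on the list that leaves a clear host-level trace: the deletion is almost always done through built-in Windows administration tools, and the command line ends up in process-creation telemetry (Windows Security event 4688 or Sysmon event 1 with command-line logging enabled). The following is an added example, not Sophos's code, showing how a defender can sweep such events for backup-tampering commands; the event records are constructed for illustration and the rule set is a small subset of what a production detection would carry.

```python
import re

# Constructed sample of process-creation events (4688 / Sysmon 1 style),
# reduced to the fields the rule needs. These are not real telemetry.
SAMPLE_EVENTS = [
    {"host": "ws01", "user": "alice",
     "cmdline": "notepad.exe C:\\Users\\alice\\notes.txt"},
    {"host": "fs01", "user": "svc_backup",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "fs01", "user": "svc_backup",
     "cmdline": "wmic.exe shadowcopy delete"},
    {"host": "ws02", "user": "bob",
     "cmdline": "vssadmin.exe list shadows"},            # benign: read-only
    {"host": "dc01", "user": "admin",
     "cmdline": "bcdedit.exe /set {default} recoveryenabled No"},
]

# Each rule is a name plus a regex applied to the lower-cased command line.
# Patterns require the destructive verb, so routine "list" queries do not fire.
RULES = [
    ("shadow_copy_delete_vssadmin",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b")),
    ("shadow_copy_delete_wmic",
     re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b")),
    ("backup_catalog_delete_wbadmin",
     re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\b.*\bcatalog\b")),
    ("recovery_disabled_bcdedit",
     re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\b\s+no\b")),
]


def match_rules(cmdline):
    """Return the names of all rules whose pattern matches this command line."""
    text = cmdline.lower()
    return [name for name, pattern in RULES if pattern.search(text)]


def detect_backup_tampering(events):
    """Return one alert per event that matches at least one rule.

    Each alert keeps host, user and the raw command line so an analyst can
    pivot straight to the affected machine and account.
    """
    alerts = []
    for ev in events:
        hits = match_rules(ev.get("cmdline", ""))
        if hits:
            alerts.append({"host": ev["host"], "user": ev["user"],
                           "rules": hits, "cmdline": ev["cmdline"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_backup_tampering(SAMPLE_EVENTS):
        print(f"{alert['host']} {alert['user']}: {alert['rules']} <- {alert['cmdline']}")
```

A single hit from a backup service account may be legitimate maintenance; the signal becomes strong when several of these rules fire on one host within minutes, or when the account has never run these tools before, so feed the alerts into a correlation step rather than paging on each one.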

This may seem a daunting list, but these tactics can be countered. The strongest approach combines employee awareness with advanced security controls.

Businesses should run employee awareness programs and establish a 24/7 contact point so that staff can recognise approaches from attackers and report them easily.

On top of this, continuous monitoring of network security, combined with awareness of the five early indicators that an attacker is present, helps stop ransomware attacks before they launch. Keeping regular backups of the most important and current data on offline storage, and having an effective incident response plan that is kept up to date, are also key to protecting organisations.