Ransomware attack trends in 2022 – Double Extortion

There is no question that ransomware attacks are on the rise and are wreaking havoc among enterprise organizations and their business-critical data today. This is in large part due to the success that ransomware gangs are having using ransomware as a means to extort data from unsuspecting and unprepared organizations. Microsoft released its new Microsoft Digital Defense Report in October 2021, which details how attack trends, in particular ransomware attacks, are changing. Let’s take a look at the findings in the report related to ransomware and what they mean for ransomware attack trends in 2022 – double extortion.

What is the state of ransomware attacks going into 2022?

Ransomware attacks are unbelievably successful in achieving the goal of a high-profit, low-cost malicious business model. While ransomware attacks in the old days were mainly focused on single-PC targets, they have grown into large-scale, varied attacks that include many extortion techniques and target entire organizations. Unfortunately, the extortion techniques of ransomware gangs today are evolving into double extortion tactics, as we will describe a bit later.

The Microsoft Digital Defense Report in October 2021 notes ransomware attacks have evolved into human-operated ransomware, known as “big game ransomware.” Now, many threat actors work together to perform reconnaissance, deploy the ransomware, exfiltrate data, and extort payment from the victim. Ransomware syndicates and affiliates are all working together toward these interconnected threats. So, rather than a single person behind a ransomware attack, there are multiple groups of individuals, similar to a shared business model.

Ransomware has turned into a business model with many interconnected threat actors (courtesy of Microsoft)

Ransomware attack trends in 2022 – Double extortion

The ransomware “business model” is evolving into an effective intelligence operation. Victim organizations are carefully researched so an optimal ransom demand can be acquired. Rather than a step later in the process, one of the first steps made by criminals is to infiltrate the victim network and exfiltrate financial documents and insurance policies. They may even take into account the penalties for local breach laws that may affect the organization.

Once the criminals understand all the various facets of the organization, their data, and associated penalties for a potential breach, they then formulate the ransom demand, deploy the ransomware, and execute the ransom demand against the business.

The extortion demand now commonly includes an amount to unlock their systems, but also an amount to prevent data leak of the exfiltrated data from the victim organization. This is a new kind of double extortion that is extremely effective.

The ransomware and extortion attack involves a threat actor deploying malware that encrypts and exfiltrates data and then holds that data for a ransom. This generally includes a ransom demand for payment in cryptocurrency. Rather than just encrypting a victim’s files and requesting a ransom in exchange for the decryption key, the threat actor also exfiltrates sensitive data before deploying the ransomware.

This workflow and new double extortion attack prevent victims from simply not paying the ransom and restoring from backup. It adds the new dynamic of the threat of damage to their business reputation due to intentional leaking of data as attackers will not only leave the victim’s data encrypted but also leak sensitive information.

Ransomware-as-a-Service (RaaS) has removed barriers to entry

The ransomware business model and technology itself have evolved into a “service-based” model that allows attackers to profit from ransomware without the specialized code development skills needed in years gone by.

The new business model for Ransomware-as-a-Service opens the door to non-developers and criminals without any programming skills. Other cybercriminals may have the network experience to compromise environments on the network side. Ransomware developers then give a “cut” of the profits from the extortion to these other players in the overall attack.

Criminals can essentially “purchase” ransomware to attack a specific network, organization, or specific industry. Much like a crime syndicate, each player is paid based on their role in the overall compromise.

Deciding whether or not to pay the ransom

After the ransomware attack has been carried out, companies must decide whether or not to pay the ransom. In the aftermath of a ransomware attack, businesses generally incur untold costs due to disrupted services, payment systems that are down, the inability of employees to carry out business-critical tasks, and other fallout.

Even with the major disruption to business services after a successful ransomware attack, paying the ransom does not guarantee data can be recovered, nor does it prevent future attacks. If you are struggling with whether or not to pay a ransom after a ransomware attack, below are some points to consider:

  • When ransoms are paid, the business model of the cybercriminals is reinforced, attracting more threat actors to the ransomware strategy. It also gives ransomware gangs the financial means to carry out further research and development to improve the ransomware itself and the tooling, and gives them funds to buy breach access to organizations from the dark web.
  • With funds to work with, ransomware tools become more automated and effective, allowing even greater attack scale and accelerated attacks that are more sophisticated and effortless.
  • Organizations that pay ransoms got back only 65% of their data, with 29% of organizations only getting back half their data.
  • Ransom decryptors are buggy and regularly fail to decrypt the largest, most critical data files (files 4 GB+ in size).
  • Decrypting data files is a slow and labor-intensive process; most customers decrypt only their most critical data files and restore the rest from backup.
  • Restoring data does not undo any tampering performed by the attackers.
  • Restoring data does not secure systems to prevent future attacks.
  • Organizations must understand the legality of making payments in their country. Governments across the globe are instituting ransomware payment reporting requirements, may have penalties for payments that are made to sanctioned parties, and are considering laws that could make ransom payments illegal.

Without good backups, there aren’t many options

For businesses who have suffered a ransomware attack and who had either their backups encrypted as part of the attack, or had no backups of their data at all, there aren’t many good options. Recovering your data from backup is the best option for recovering from a ransomware attack as it puts you in control of your data and your recovery rate should be near 100% or as good as your data protection solution offers.

Without backups your options are generally limited to:

  • Relying on a decryptor tool for the specific ransomware variant if one exists
  • Paying the ransom
  • Doing nothing – starting from scratch (generally not an option)

Cloud SaaS is quickly becoming a ransomware target

When discussing the threat of ransomware, it is common to see these discussions only referring to on-premises environments with target networks existing on-premises. While it is true that the majority of ransomware attacks that make headlines are still targeting enterprise environments that exist on-premises, cloud SaaS ransomware is evolving and will become a major threat in the next 1-3 years.

There are already ransomware variants that use OAuth authorization scams via phishing emails to lure unsuspecting end-users into installing what they think to be legitimate cloud SaaS applications when it is ransomware in disguise. Once the OAuth token is granted to a malicious application on behalf of a user, it has all the permissions it needs to start encrypting all the data the user has access to, including their own personal email inboxes.
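An added example (not from the original article or from any vendor tooling) of a review defenders can run against the OAuth consent scenario above: it flags grants that give an app outside an approved list write access to mail or files. The grant records, field names and allowlist are constructed assumptions; the scope strings are real Google and Microsoft Graph scopes.

```python
# Added example: audit OAuth grants for unapproved apps holding write access
# to mail or files. All records and field names below are constructed.

# Scopes that permit modifying or deleting mail/files.
WRITE_SCOPES = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail.modify",
    "https://www.googleapis.com/auth/drive",
    "Mail.ReadWrite",
    "Files.ReadWrite.All",
}

# Hypothetical allowlist of client IDs the organization has vetted.
APPROVED_CLIENT_IDS = {"approved-backup-client.example"}

SAMPLE_GRANTS = [  # constructed sample export
    {"user": "alice@example.com", "client_id": "approved-backup-client.example",
     "app_name": "Backup Tool",
     "scopes": ["https://www.googleapis.com/auth/drive"]},
    {"user": "bob@example.com", "client_id": "unknown-mail-helper.example",
     "app_name": "Mail Helper Pro",
     # Some exports give scopes as one space-delimited string.
     "scopes": "Mail.ReadWrite Files.ReadWrite.All offline_access"},
    {"user": "carol@example.com", "client_id": "calendar-widget.example",
     "app_name": "Calendar Widget",
     "scopes": ["https://www.googleapis.com/auth/calendar.readonly"]},
    {"user": "dave@example.com", "client_id": "unknown-mail-helper.example",
     "app_name": "Mail Helper Pro", "scopes": ["https://mail.google.com/"]},
]

def risky_grants(grants, approved=APPROVED_CLIENT_IDS):
    """Return grants from unapproved apps that include any write scope."""
    findings = []
    for g in grants:
        if g["client_id"] in approved:
            continue
        scopes = g["scopes"].split() if isinstance(g["scopes"], str) else g["scopes"]
        hits = sorted(WRITE_SCOPES.intersection(scopes))
        if hits:
            findings.append({"user": g["user"], "client_id": g["client_id"],
                             "app_name": g["app_name"], "write_scopes": hits})
    return findings

if __name__ == "__main__":
    for f in risky_grants(SAMPLE_GRANTS):
        print(f"REVIEW {f['user']}: {f['app_name']} ({f['client_id']}) "
              f"holds {', '.join(f['write_scopes'])}")
```

A flagged grant is a prompt to verify the app with the user and revoke the token if it is not recognized; read-only scopes and approved clients are deliberately left out of the findings.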

Companies need to enlist the help of third-party solutions that can proactively prevent a widespread ransomware attack in their cloud SaaS environments. Solutions like SpinOne Ransomware Protection provide really great protection against cloud ransomware variants that aim at compromising your cloud data.

SpinOne backs up your entire cloud SaaS environment in either Google Workspace or Microsoft 365 and then uses artificial intelligence (AI) powered intelligence to invoke a proactive ransomware defense when ransomware is detected, including:

  1. It scans the cloud SaaS environment for the signs of ransomware
  2. If a ransomware attack is detected, it blocks the ransomware process at the network layer
  3. Once the ransomware attack is blocked, Spin scans the file estate to see which files are affected
  4. It then proactively restores all affected files in the cloud SaaS environment (configurable)
  5. Admins are proactively notified of the ransomware event

SpinOne significantly reduces downtime by providing a 2-hour Incident Response SLA and zero hidden costs by over 90%, saving millions of dollars per ransomware attack. It saves SecOps teams a significant amount of time by automating security operations and helping organizations prepare for zero-day attacks.

What I really like about the SpinOne interface is that it is simple and intuitive. The ransomware protection just works and provides immediate benefits to your cloud SaaS environment. With ransomware attack trends in 2022, including double extortion, businesses need this kind of proactive ransomware protection guarding their cloud SaaS environments and business-critical data.

SpinOne proactive ransomware detection

You can sign up with SpinOne for a free, fully-featured 30-day trial version and test out the features in your own cloud SaaS environment. Learn more about the trial and additional features of the solution here:
