New harassment tactics and double and triple extortion make the traditional advice about maintaining backups insufficient

In 2022, 30 organizations on the Forbes Global 2000 list were publicly impacted by extortion attempts. Since 2019, at least 96 of these organizations have had confidential files publicly exposed to some degree as part of attempted extortion. At least 75% of ransomware attacks fielded by Unit 42’s Incident Response team resulted from attack surface exposures.

Every day, Unit 42 researchers see an average of seven new ransomware victims posted on leak sites – equating to one new victim every four hours. In fact, in 53% of Unit 42’s ransomware incidents involving negotiation, ransomware groups have threatened to leak data stolen from organizations on their leak sites.

This activity has been seen from a mix of new and legacy groups, indicating that new actors are entering the landscape to cash in as legacy groups have done. Established groups like BlackCat, LockBit and others contributed to 57% of the leaks, with new groups trailing close behind with 43%. 

The 2023 Unit 42 Ransomware and Extortion Report highlighted these findings and more, and CybersecAsia had the opportunity to discuss regional findings with Vicky Ray, Director, Unit 42 Cyber Consulting & Threat Intelligence, Asia Pacific & Japan, Palo Alto Networks.

How has ransomware attacks impacted organizations in the Asia Pacific region?
(Customer impact, business disruption and examples of ransomware attacks in key sectors)

Vicky Ray: Based on both Unit 42’s data and dark web leak site data, high technology, manufacturing, professional & legal services, and public sector organizations remain the most targeted sectors across the APAC region.

While Australia took up the top spot with 45 reported ransomware attacks (almost 15% of all attacks in the region), India ranked a close second with 36 attacks. Industries in which organizations run on systems with out-of-date software have been more heavily impacted.

When it’s difficult for organizations to regularly update or patch, threat actors have gained an opportunity to take advantage of old vulnerabilities to initiate their exploits. The groups have also taken advantage of the pressure organizations in the region face to meet deadlines and produce deliverables, hoping this will lead them to pay quickly and in full. Lost revenue streams from operational downtime have pushed organizations to concede to threat actors’ demands.

What are some new attack/extortion tactics, techniques, and procedures employed by threat groups to pressure organizations into payment of ransoms?

Vicky Ray: Data theft and multi-extortion are tactics used by threat groups, due to their high efficacy. According to our report, this tactic grew by 30% within an 18-month period. They will target regulated data sets or highly commercially sensitive information for maximum leverage while threatening victims to post the stolen data publicly.

Harassment is an extortion tactic in at least 9% of Unit 42’s ransomware cases. Threat actors would call and leave voicemails for corporate leaders and employees, send emails to staff, or disclose victim identities on leak sites or social media. These tactics serve to make organizations uncomfortable and pressure them to give in to the demands of threat actors.

Why are we seeing industries such as manufacturing and education being targeted excessively?

Vicky Ray: Manufacturing industries are increasingly automating their processes and integrating Internet of Things (IoT) solutions that would interconnect factory equipment with supply chain partners. Although this would increase productivity, it also leaves potentially vulnerable entry points open within their network to cyberattacks. Cybercriminals infiltrate manufacturing organizations’ IT networks for several reasons – from stealing sensitive trade and production secrets to disrupting production lines.

Challenges such as allocating resources to security systems and solutions have led to many educational institutions that have legacy hardware and software rendered unable to withstand the latest cyberattacks.

Having students and teachers bring their personal devices such as laptops and mobile phones has also widened the attack surface. These personal devices are risks to the educational organizations’ network infrastructure as they are potential entry points for threat actors.

Being unable to hire qualified staff in maintaining and updating the IT infrastructure is another factor that leaves schools vulnerable to attacks such as ransomware.

Vicky Ray, Director, Unit 42 Cyber Consulting & Threat Intelligence, Asia Pacific & Japan, Palo Alto Networks

What are some far-reaching ramifications of a ransomware attack? Besides ransom payments, what else are ransomware threat groups after?

Vicky Ray: The consequences of a ransomware attack include financial, data and reputation loss for organizations. Most attacks also cause disruptions to your organizational workflows, by restricting access to the stolen data. After paying a substantial ransom, organizations may not recover all their lost data. To recover from such attacks, financial resources would be needed to investigate and remediate.

Organizations that are bound by cyber regulation and data protection laws would also be subjected to fines, sanctions, loss of operating licenses, and even imprisonment of the people involved. Data loss would also make the organization seem less credible to consumers or businesses working with them. In the long run, a confluence of financial and reputational factors may cripple an organization.

Financial gains and valuable information are the core motivations for ransomware threat groups. Apart from demanding high ransoms, they are also looking for ways to multiply their payday. With the information they have stolen, they would also search for useful information that could be valuable and sold to third parties.

For instance, the data stolen could be used in identity thefts, which could be sold to criminals. Passwords could also be sold to access compromised networks or used to infiltrate the inner sanctums of an organization’s systems and networks.

How has the Russia-Ukraine conflict catalyzed the rise of Lockbit 3.0 in APAC?

Vicky Ray: As uncertain geopolitical times continue – the Russia-Ukraine war, economic instability, etc. – ransomware groups are using these events to exploit the fear and curiosity of employees to lure victims. Among the beneficiaries is Lockbit 3.0 also known as “LockBit Black,” a more modular and evasive variant than its previous versions. To date, it is the most successful ransomware group, compromising targets at an unprecedented pace. As per our report, in 2022, the extortion group posted information about 801 breached organizations on their leak site, the highest victim count we have observed in the last two years from any one group. LockBit posted 409 victims in 2021, meaning that in 2022, we saw a 95% increase in victim count compared to last year’s entries.

We had already observed an increase in Lockbit’s aggression against the backdrop of Russian cyber activity. Our recent report further asserts that future attacks from Lockbit 3.0 may target organisations in the APAC region, in retaliation for increased sanctions or other political measures against the Russian government. These cybercriminals are no longer focused solely on chasing money. We recommend that all organisations proactively prepare to defend against this potential threat.

What can we expect from extortion groups for the rest of the year?

Vicky Ray: Based on Palo Alto Networks’ 2023 Unit 42 Ransomware & Extortion Report, insider threats will lead to extortion attempts.

Attackers will infect supply chains and the source code of victims before using ransomware to distract them from the supply chain infection. As more organizations learn how to deal with ransomware, they may begin to treat a ransomware infection as routine. Threat actors will take advantage of this by deploying ransomware to distract from the true purposes of their attacks.

This would disrupt their operations, causing threat actors to leave known groups and join existing unknown groups or form new groups.

An increase in cloud ransomware attacks is to be expected as many organizations shift their operations to the cloud. Organizations often neglect basic security controls and don’t take advantage of security features offered by the major cloud service providers or additional enhanced cloud security tools.

Threat actors will identify new means of initial access. In a bid to move away from known methods of social engineering efforts, cybercriminals are evolving their tactics. This includes SEO poisoning (through malvertising), callback phishing, exploiting external facing vulnerable assets and fake software installs or updates.