Ransomware, business email compromise (BEC) and data loss have more in common than you might think.
It’s safe to say that ransomware has progressed beyond its epidemic stage and is now endemic. It’s having more of an impact on everyday lives than ever before, and no organisation is immune. The 2022 State of the Phish report from Proofpoint found that 68% of global organisations dealt with at least one ransomware infection stemming from a direct email payload, second-stage malware delivery (malware dropped after a computer is already infected) or other type of compromise. If you use the internet, you’re a potential ransomware victim.
And just as the net of potential ransomware victims has widened, so too have the threat actors’ business models. Double- and even triple-extortion techniques are now prevalent. Exfiltrating large quantities of sensitive data and maintaining persistent access provide the opportunity to attackers to increase both the cost and type of their demands.
Many ransomware groups, wary of attribution and the associated criminal indictments, have abandoned locker malware altogether. Instead, they’re stealing massive quantities of data and offering prices for both its sale and destruction (buyer beware of the latter, especially).
Threat actors might evolve their business models, but their goal remains the same: to abuse access to your environment. The move away from locker malware to data theft is still extortion, and BEC actors moving from payroll and tax fraud to business-to-business (B2B) cyber-enabled financial fraud is still BEC. Even more notably, a BEC actor looking for an unpaid invoice and a ransomware (or perhaps we should say “cyber extortion”) group trying to steal data are going to rely on many of the same techniques, regardless of their monetisation strategy.
These tools and techniques have been similar for years—compromising credentials, impersonation, user-activated malware, data theft and so on. Regardless of where the threat landscape goes next, it’s clear that viewing the main risk categories of ransomware, data extortion, BEC and data loss as separate risk categories isn’t optimal. Put another way, the advantage defenders have is that making those tools and techniques tougher for an adversary to use can make things equally difficult for multiple types of adversaries.
Meet the new foe, same as the old foe
New foe: ransomware as data theft
Virtually 100% of ransomware incidents involve data theft, making it the most dominant form of extortion. In fact, many ransomware groups now focus solely on data theft and don’t encrypt or try to destroy any information.
This makes for an incredibly problematic attack method. With data already outside your defences, there’s no guarantee you’ll get it back. Even if you do, it may already have been sold, exposed or leveraged against your organisation in some other way—increasing the headache over whether or not to pay.
Increasingly, organisations are opting not to pay, but this comes with obvious drawbacks. Most notably, fewer organisations paying ransoms means cyber criminals will look to monetise attacks in other ways. Cyber insurers are increasingly refusing to pay out for ransomware attacks.
For that reason, most threat actors will follow the same playbook: Steal a lot of data and sell it on the dark web while demanding a ransom to not communicate the data breach more publicly.
In the short term, the best possible defence is to detect a potential attack as it’s occurring and prevent successful data exfiltration.
Notable threat actors using double or treble extortion tactics:
- BlackCat/ALPHV tools have developed the capability to corrupt or destroy exfiltrated files—leaving the attackers with the only functional copy of the data.
- Black Basta use double extortion to encrypt confidential data and threaten to leak the data if demands aren’t met.
- LockBit use triple extortion techniques to put more pressure on victims to pay a ransom.
- BlackByte use extortion techniques on the dark web to allow the victim to pay to remove their data, and for other threat actors to purchase it.
Yanluowang (associated with LAPSUS$) compromised an employee’s virtual private network (VPN) account and claimed to have stolen up to 55 GB of data.
Old foe: Ransomware and BEC
Traditionally, BEC actors and ransomware actors have been viewed as two distinct groups. However, by doing so, we’re in danger of complicating an already complex threat landscape.
Yes, certain groups have specialities, skill sets and infrastructure that lend themselves to either style of attack. But for the most part, the basic tactics and techniques used are the same.
So, while ransomware and BEC threat actors may display slightly different characteristics, from a defensive standpoint, there’s a lot of overlap.
In almost all cases, these types of cyber criminals will gain or buy initial access into an environment using a few methods:
- Email phishing
- Remote Desktop Protocol (RDP) that allows attackers to take remote control of a computer
- Stealer malware that can collect authentication tokens, cookies and credentials
BEC and ransomware actors also often use thread hijacking to insert themselves into legitimate communications.
But whatever the tactics of the day, the fact that there’s so much similarity offers organisations a huge advantage when building a defence strategy.
Ultimately, you’re trying to stop the same activities, regardless of how a threat actor monetises an attack in the aftermath.
Once we understand this, threat protection and information protection are no longer two distinct challenges with unique control sets. By rethinking our defences, we can detect and deter today’s biggest cybersecurity challenges—BEC, ransomware and data theft—much more effectively.
Building a defence for every attack
Legacy threat and data loss prevention solutions can’t solve today’s threat scenarios where actors compromise accounts to steal data. Tools that look for indicators of compromise using data classification rules are no longer fit for purpose on their own.
Defenders should instead look for detection signals that map to attackers’ current behaviour. For example, identifying multiple logins with the same session cookie can flag an attacker leveraging compromised credentials. If that same user’s endpoint then sees the installation of an unusual archive tool, such as 7zip or WinRAR, the creation of a gigantic multipart archive, or a large amount of data going to cloud file-sharing sites often used by attackers (such as Mega), you can safely say it’s time to roll incident response.
Today’s ransomware operators are opportunists. Whatever their endgame, they will always look for organisations with weak security controls, and they use techniques that work over and over again. They’ll seek out vulnerable VPN devices connected to the internet, an open RDP port, or people who are going to click a link or download an attachment in a phishing email. And they know that the latter is by far the easiest to find.
That’s why defending against all ransomware, data extortion and BEC attacks—which all leverage the same techniques of compromising credentials, impersonation, user-activated malware and data—comes down to people. Malicious payloads are almost always delivered through social engineering, and human interaction is essential for these attacks to succeed. When you protect your people, you strengthen cyber resiliency and reduce the chances of a multitude of cyber attacks seeing success.
If cyber criminals can’t get inside your organisation, they can’t encrypt files, steal data and interrupt business as usual. So, while there may be no silver bullet in cybersecurity, arming and protecting your people by keeping threats at bay and defending your data is as close as it gets.
Defend against ransomware with Proofpoint
Our comprehensive, integrated platforms reduce the risk of ransomware attacks by layering controls to prevent initial access and defend against data loss.
Learn more about how Proofpoint defends against ransomware.
Discover New Perimeters—Protect people. Defend data.
Want to read more articles like this one? Access the latest cybersecurity insights in our exclusive magazine, New Perimeters. This publication is available to browse online, download to read later or receive in print directly to your door.
You can get your free copy of New Perimeters, the exclusive magazine from Proofpoint, here.