The prospect of financial gain is a major driver of cyber-attacks. Even state-backed cybercriminals, better known for their cyber espionage or disruption of rival governments, have discovered how lucrative and relatively easy it is to extort foreign enterprises over the internet.
But as organisations are becoming increasingly adept at blocking cyber incidents and forgoing the necessity to pay a ransom, malicious hackers are evolving their tactics. As hackers look to extract their pound of flesh, we’re seeing some interesting twists on traditional attack methods.
Ransomware attacks are a classic example. This attack, which relies on data encryption to force organisations to pay for a recovery key, has long been a very successful strategy for entrepreneurial cybercriminals. However, as businesses became better at restoring their systems from backup, the urgency to pay the ransom demand began to erode.
In response, the cybercriminals began to change their modus operandi. Rather than locking up systems immediately, cybercriminals began to take their time to explore a victims’ network, searching for the most valuable data they can find – perhaps a database of personal information, or confidential commercial documents. Only once a download of this information has been taken do the hackers make their presence known, accompanied with a threat to release sensitive information to the public or sell it on the dark web if the ransom is not paid.
This dual hit approach puts additional pressure on the victim to comply with the demands, as the potential exposure of confidential data heightens the risk of reputational damage, regulatory fines, and legal consequences.
Kordia’s security analysts are seeing an industry wide shift, to the point where double extortion should be considered the norm. This approach has been particularly prevalent over the last year, with ransomware groups becoming more sophisticated and organised in their operations – in fact security researchers have noted a 72% quarter on quarter increase last year of these double extortion attacks.
Potentially worse, there have been observations of cybercriminals taking the harm down to an individual level by targeting the customers or patients of these victim organisations.
The devasting hack on a Finnish psychotherapy centre is an example of this type of ruthless strategy. After illegally downloading a database of 33,000 patient records, the hacker then contacted patients of the Vastaamo centre directly, threatening to distribute sensitive information and mental health records unless they paid a blackmail demand. Beyond financial impacts, the data breach had profound effects on the victims, with reports from the Finnish media noting that some affected individuals ended their own lives in response to exposure of such sensitive information.
Other examples have seen cybercriminals attempting to turn regulation on its head, by reporting victims to the authorities where there is mandatory reporting in place.
While ransomware and data theft may not be new, used in conjunction with one another this presents a new challenge of re-victimisation to compromised organisations, heightening the need for a solid incident response and recovery strategy.
The old style of cyber-attack may well have been viewed as an IT issue, but when customer and company data starts being entangled into threats, the issue blows out into a company wide risk issue.
Yielding to demands and paying off cybercriminals is not an advisable solution, at least in the long term. Assuming that the hackers do deliver relief as promised, paying simply fuels cybercrime, and once your organisation is known as a victim that surrenders to demands, you may be retargeted down the track. Also as the recent takedown of Lockbit showed, the attackers don’t always delete any of the data they hold, they just keep it for their own use.
Not only that, but there is also an ethical and political element to consider. Earlier this year, the United Nations announced it was investigating Northen Korean cyber-attacks suspected to be used to fund the country’s nuclear weapons programme. Cyber crime has even been linked to human trafficking and slave labour, with reports of thousands of vulnerable people in areas like South East Asia forced into work as scammers for industrial-scale criminal enterprises.
The financial, reputational, legal and regulatory consequences of failing to manage a cyber incident properly can have severe ramifications for the future of your business. If cyber security isn’t high on your priority list, you’re taking a big gamble. Don’t make it easy for the cybercriminals.