According to new analysis the cybersecurity technology company released today, threat actors are increasingly stealing data and threatening to leak it, without bothering to encrypt victims’ files. The number of such ransomware-free extortion campaigns rose 20 percent year over year in 2022, per CrowdStrike’s 2023 Global Threat Report.
More and more organizations have adopted strong backup strategies that ease the pain of data encryption, better enabling them to resist extortion.
But these provide little defense against the reputational damage and possible privacy law and regulation violations that could come if attackers leak sensitive data. The cost of those damages “could very quickly outpace the ransom demand,” Meyers said.
Ransomware actors in the past several years often used encryption to pursue victims in state and local government, manufacturing and health care, where any disruption to operations is costly. The attacks are particularly effective against “organizations who could measure downtime in dollars and cents,” Meyers said.
Meanwhile, the newer, data leak-focused approach works well against any organization holding large stores of sensitive data — like government, law firms, PR firms and business processing firms.
Sometimes ransomware attacks result in several of a victim’s machines encrypting the same files simultaneously — which can be tricky for attackers to unwind when trying to restore files for victims who have paid up. Threat actors have to piece together which machine encrypted what file, in which order, and with which encryption key, Meyers said.
“One of the things that a lot of threat actors ran into was, if a network share was mapped by multiple computers that were all running this ransomware, then the file could be encrypted multiple times, and you don’t know necessarily which sequence it was encrypted in,” Meyers explained.
Extortion without locking up files can be a faster, easier way for threat actors to strike.
“Cryptography is hard,” Meyers said. “If you just steal the data and threaten to disclose it, you don’t have to deal with all that.”
The U.S. Cyber Safety Review Board is currently studying the work of one such group, Lapsus$ (also known as SLIPPY SPIDER), with hopes of creating recommendations for better defending against the group’s techniques. Lapsus$ stole data and attempted to extort major companies like Microsoft and Okta at a time when the group’s alleged leader was just a teenager. CrowdStrike notes that it “has no evidence to suggest” Lapsus$’s ransom demands were met, however.
Lapsus$ may be a reminder that not all serious threats are high-tech: the group is known for using methods like bribery and social engineering to gain access to victims’ systems.
SOCIAL ENGINEERING, CREDENTIAL THEFT
Threat actors still frequently use malware but have increasingly turned to different methods for gaining initial purchase in victims’ systems.
Seventy one percent of the cyber attacks detected in 2022 saw perpetrators gain initial access using a method other than malware, per the report. That’s a consistent and growing trend: 62 percent of 2021 cyber attacks did not use malware for initial access, either, up from 51 percent in 2020 and 40 percent in 2019.
Rather than send malicious files, for example, bad actors often use social engineering and credential theft. One group, SCATTERED SPIDER (also known as Roasted Oktapus), for example, used phishing pages to capture credentials, as well as methods to thwart organizations’ multifactor authentication (MFA). Those included tricking employees into sharing the one-time passwords (OTP) used to verify their identities and overwhelming employees with MFA notifications until staff let down their guard and clicked an approval.
“When every app requires multifactor authentication, users get lazy and care less,” Meyers said.
Vishing, or phishing conducted via phone calls, is another popular method.
Attackers also appeared to frequently turn to access brokers. These brokers discover and exploit vulnerabilities in victims’ systems to gain footholds, and then sell the entry methods to ransomware actors and other attackers. These could be vulnerabilities discovered in “VPN concentrators or other edge-facing appliances,” Meyers said.
Access brokers are increasingly promoting their services: CrowdStrike saw 2,500 advertisements of access-for-sale posted in 2022, a 112 percent increase compared to 2021.
Pairing MFA with other measures — like monitoring for suspicious network activity and policies for “conditional risk-based access” — can help reduce threats, per the report. Phishing awareness training can also keep employees alert to potential manipulation.
EVADING PATCHES
Patching a vulnerability isn’t always a permanent fix. Hackers are frequently finding ways around a once-patched vulnerability, CrowdStrike found.
A patch “can be super thorough and can be comprehensive and really fix the problem, or it can just be a Band-Aid,” Meyers said. In the latter case, “threat actors are finding ways to step around it.”
Organizations applying patches typically lack capabilities to determine whether the patch is an effective one.
Doing so would require reverse-engineering the patch to uncover the code issue being targeted, then analyzing the patch’s approach to resolving it, Meyers said.
Organizations cannot ensure their vendors deliver high-quality patches, but they can reduce their risks by using several different software vendors rather than relying on just one, Meyers said. That can mean using one company for an identity security solution and a separate one for the operating system.
Security means “having not just layers of tools but layers of vendors to help ensure you’re not at the whim of one vendor making one bad decision that impacts all of your stack,” he said.