The shifting sands of the war against cyber extortion

Ransomware and cyber extortion attacks aimed at organizations are not letting up. Occasionally, they even come in pairs.

The often large and sometimes massive ransomware recovery costs companies incur when they decide not to meet the demands deter many other victims from taking that path.

In the end, many organizations decide to pay to get their data back, get it decrypted, or to stop the attackers from leaking it online, even though there’s no guarantee the attackers will keep their word.

Barriers for attackers are popping up

Ransomware gangs and their affiliates use various tricks to force the targets’ hand: from DDoS attacks to filing a complaint with the US Securities and Exchange Commission to push them to negotiate. (SEC’s new cybersecurity incident disclosure rule for companies will go in effect mid-December 2023.)

For the attackers, the success of an attack hinges on their ability to extort a ransom payment. Ransomware-as-a-service (RaaS) operator LockBit has been dealing with a related problem: some of its affiliates are not very good at making victims pay up.

According to Analyst1 researcher Anastasia Sentsova, LockBit recently had to impose new rules for negotiations for their affiliates, “aimed at securing larger ransom amounts and increasing the likelihood of payout.”

But other things are also in motion that may slowly make life more difficult for threat actors engaged in ransomware and cyber extortion attacks.

Since the start of the year, law enforcement agencies have hit the HIVE and DoppelPaymer ransomware operations. The FBI has noted the alliance between the AlphV/BlackCat ransomware-as-a-service operator and Scattered Spider, a cybercriminal group that gained prominence for its effectiveness in social engineering and SIM swapping attacks, and seems to be working on an upcoming crackdown.

The Biden-Harris Administration has recently released the National Cybersecurity Strategy, and one of its pillars is combating ransomware through its Joint Ransomware Task Force.

And though the International Counter Ransomware Initiative (CRI) has limited itself to “discouraging” companies from paying ransomware demands, 50 member countries have pledged that their governmental institutions would not pay ransomware extortion demands and that they will work towards regulating virtual assets and related service providers, to “help stem the illicit flow of funds and disrupt the ransomware payment ecosystem.”