The Evolution of Cyber Threats: Unpacking Extortion-Only Attacks
The digital landscape is continually evolving, becoming increasingly complex and interconnected. This expansion, however, comes with a corresponding growth in cyber threats. One significant emerging issue is the rise of “extortion-only” attacks, a departure from traditional ransomware attacks that presents unique challenges for organizations worldwide.
Where traditional ransomware encrypts a victim's systems, extortion-only attacks focus solely on stealing sensitive data and threatening to publish it unless a ransom is paid. A prominent group that has adopted this model is BianLian, which has targeted US and Australian critical infrastructure since June 2022. The FBI, CISA, and the Australian Cyber Security Centre (ACSC) have published a joint advisory on the group to inform organizations about the threat and help them fortify their defenses.
Understanding Extortion-Only Attacks
Extortion-only attacks differ from traditional ransomware attacks in that they do not involve the encryption of a victim's systems. Instead, the attackers exfiltrate sensitive data and threaten to publish it unless a ransom is paid. The tactic works because each incident is, in substance, a data breach: it brings reputational damage, erodes customer trust, and creates legal exposure. BianLian is a notable example. The group initially used a double-extortion model, stealing private data and then encrypting systems. After Avast released a decryptor for its ransomware in January 2023, the group switched to extortion-only attacks.
The Rising Threat and Success of Extortion-Only Attacks
Extortion-only attacks are becoming more prevalent because they are often easier and more lucrative than the traditional ransomware process of encryption followed by negotiation. By forgoing encryption and focusing on data exfiltration, attackers avoid building and maintaining intricate malware and the backend infrastructure that supports it, as well as the overhead of managing and selling decryption keys. Data theft followed by an extortion demand is simply more straightforward and less cumbersome.
Extortion-only attacks succeed primarily through stealth. BianLian's intrusions commonly begin with valid Remote Desktop Protocol (RDP) credentials, likely purchased from initial access brokers or obtained through phishing. The actors then deploy a custom backdoor and commercial remote access tools, and run command-line scripts for network reconnaissance. To evade detection by security software, they use PowerShell and the Windows Command Shell to terminate processes associated with antivirus tools and modify the Windows Registry to disable tamper protection.
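The intrusion chain above (external RDP logon with valid credentials, then shell-driven termination of antivirus processes and a registry change that disables tamper protection) is the kind of sequence a detection rule can correlate per host. The following is an added example written for this article, not code from the advisory or from any XDR product. The log lines are constructed for the example, the field names loosely follow Windows Security / Sysmon conventions but are an assumption, the antivirus process watchlist and the `TamperProtection` registry key are illustrative placeholders, and the internal address ranges are an assumed definition of the organization's own network.

```python
"""Correlate constructed endpoint telemetry into the extortion-only intrusion chain:
external RDP logon -> antivirus process killed via PowerShell/cmd -> tamper protection disabled."""
import ipaddress
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(hours=1)                       # logon must precede evasion within this window
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
AV_PROCESS_HINTS = ("msmpeng", "exampleavsvc")    # assumed watchlist; use your own products' process names
SHELLS = ("powershell.exe", "pwsh.exe", "cmd.exe")
KILL_RE = re.compile(r"(stop-process|taskkill|sc(\.exe)?\s+stop|net(\.exe)?\s+stop)", re.I)

# Constructed sample events (JSON lines, not real telemetry). Windows paths use escaped backslashes.
SAMPLE_EVENTS = [
    r'{"ts":"2023-05-10T02:13:04Z","host":"FS01","event":"logon","logon_type":10,"user":"svc_backup","src_ip":"203.0.113.45"}',
    r'{"ts":"2023-05-10T02:20:31Z","host":"FS01","event":"process","user":"svc_backup","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","cmdline":"powershell.exe -nop -w hidden Stop-Process -Name ExampleAVSvc -Force"}',
    r'{"ts":"2023-05-10T02:21:02Z","host":"FS01","event":"registry","user":"svc_backup","key":"HKLM\\SOFTWARE\\ExampleAV\\TamperProtection","value":"Enabled","data":"0"}',
    r'{"ts":"2023-05-10T09:01:11Z","host":"WS22","event":"logon","logon_type":10,"user":"jdoe","src_ip":"10.0.4.17"}',
    r'{"ts":"2023-05-10T09:05:00Z","host":"WS22","event":"process","user":"jdoe","image":"C:\\Windows\\System32\\cmd.exe","cmdline":"cmd.exe /c dir"}',
    r'{"ts":"2023-05-10T11:40:09Z","host":"DB03","event":"registry","user":"dbadmin","key":"HKLM\\SOFTWARE\\ExampleAV\\TamperProtection","value":"Enabled","data":"0"}',
]


def parse(line):
    """Parse one JSON log line; timestamps are ISO-8601 with a trailing Z."""
    ev = json.loads(line)
    ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
    return ev


def classify(ev):
    """Map a single event to a stage of the chain, or None if it is not interesting."""
    kind = ev["event"]
    if kind == "logon" and ev.get("logon_type") == 10:      # logon type 10 = RemoteInteractive (RDP)
        ip = ipaddress.ip_address(ev["src_ip"])
        return "rdp_internal" if any(ip in net for net in INTERNAL_NETS) else "rdp_external"
    if kind == "process":
        image = ev["image"].rsplit("\\", 1)[-1].lower()
        cmd = ev["cmdline"].lower()
        if image in SHELLS and KILL_RE.search(cmd) and any(h in cmd for h in AV_PROCESS_HINTS):
            return "av_kill"
    if kind == "registry":
        key = ev["key"].replace(" ", "").lower()
        if "tamperprotection" in key and str(ev["data"]) == "0":
            return "tamper_disable"
    return None


def correlate(lines, window=WINDOW):
    """Return one alert per host showing defensive evasion; severity rises when an external
    RDP logon precedes the evasion within the window."""
    by_host = defaultdict(list)
    for line in lines:
        ev = parse(line)
        tag = classify(ev)
        if tag:
            by_host[ev["host"]].append((ev["ts"], tag, ev))

    alerts = []
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e[0])
        evasion = [e for e in evs if e[1] in ("av_kill", "tamper_disable")]
        if not evasion:
            continue                                    # benign RDP use alone is not alerted here
        first_evasion = evasion[0][0]
        preceding = [ev for ts, tag, ev in evs
                     if tag == "rdp_external" and timedelta(0) <= first_evasion - ts <= window]
        stages = {tag for _, tag, _ in evasion} | ({"rdp_external"} if preceding else set())
        alerts.append({
            "host": host,
            "severity": "critical" if preceding else "high",
            "stages": sorted(stages),
            "user": evasion[0][2]["user"],
            "src_ip": preceding[-1]["src_ip"] if preceding else None,
        })
    return sorted(alerts, key=lambda a: a["host"])


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Tampering with antivirus processes or tamper-protection settings is alerted on its own (FS01 and DB03 here), because an administrator rarely does this from a hidden PowerShell window; the external RDP logon only raises the severity. Tune the watchlist to the security products actually deployed and feed the rule from your endpoint telemetry pipeline rather than from files.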
Impact of Extortion-Only Attacks
The potential consequences of these attacks are substantial, including financial, reputational, and operational impacts. When a breach occurs, not only is the immediate cost of the ransom a concern, but also the long-term impact on the organization’s reputation and the trust of its customers.
Extortion-only attacks apply a distinct set of psychological pressures on targeted organizations. Whereas traditional ransomware mainly threatens data loss and operational disruption, the central threat in an extortion-only attack is public exposure. If the data is dumped online, customers, partners, analysts, and the media all learn about the breach. Attackers may also contact the victim's customers and partners directly, pressuring them to push the victim into paying. This turns the incident into a customer support problem and can spill over into investor relations and public relations.
The remediation approach for ransomware and extortion-only attacks also differs significantly. While organizations can plan to restore data or pay the ransom in the case of a ransomware attack, dealing with an extortion-only attack can lead to a public relations crisis. Once the data is stolen, it’s nearly impossible to undo the damage. Paying the extortion fee doesn’t necessarily guarantee that the criminals will delete the stolen data. Moreover, even if the ransom is paid and the data isn’t leaked, the organization still suffers reputational damage and potential legal liability.
How to Mitigate the Risk of Extortion-Only Attacks
To mitigate the risk of extortion-only attacks, organizations are advised to limit the use of RDP and other remote desktop services, restrict command-line and scripting activity and the permissions that enable it, and limit the use of PowerShell on critical systems. Regular audits of administrative accounts and adherence to NIST guidance for password management are also recommended. Organizations should further maintain a recovery plan with multiple copies of data stored securely and offline, keep software and firmware updated, segment networks, and actively monitor network activity.
But because these attacks differ from traditional ransomware in that a backup cannot undo a disclosure, extortion-only attacks must be stopped before data is harvested. This requires early detection, which is where tools such as XDR come in. They achieve it through:
- Behavioral Analysis: XDR uses machine learning to establish a baseline of normal behavior for users, endpoints, and applications, and flags deviations from that baseline, such as a file server suddenly sending far more data outbound than it ever has, that may indicate a threat.
- Anomaly Detection: Machine learning algorithms identify anomalous patterns in network traffic, system logs, and other data sources that may indicate a security threat.
- Threat Hunting: XDR uses machine learning to automate parts of threat hunting, so that analysts can focus on investigating and responding to the most critical findings.
- Predictive Analytics: Machine learning algorithms estimate the likelihood of a security threat from historical data, enabling proactive prevention and remediation.
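The behavioral-baseline idea in the list above can be shown in miniature on the signal that matters most for extortion-only attacks: outbound data volume per host. The following is an added example, not code from the article or from any XDR vendor. It computes a robust per-host baseline (median and median absolute deviation) from constructed daily egress totals and flags a day whose egress is far outside that baseline; the `MIN_HISTORY`, `K` and `MIN_ABS_BYTES` thresholds are assumed values to be tuned for a real estate.

```python
"""Robust per-host egress baseline: flag days whose outbound volume deviates sharply from history."""
from statistics import median

GiB = 1024 ** 3
MIN_HISTORY = 7               # assumed: days of history needed before a baseline is trusted
K = 5.0                       # assumed: robust z-score threshold
MIN_ABS_BYTES = 5 * GiB       # assumed: ignore deviations smaller than this in absolute terms

# Constructed daily outbound byte totals per host (not real data).
HISTORY = {
    "FS01": [2.1 * GiB, 2.4 * GiB, 1.9 * GiB, 2.2 * GiB, 2.6 * GiB, 2.0 * GiB, 2.3 * GiB, 2.5 * GiB],
    "WS22": [0.5 * GiB, 0.6 * GiB, 0.4 * GiB, 0.5 * GiB, 0.55 * GiB, 0.45 * GiB, 0.5 * GiB, 0.6 * GiB],
    "DB03": [1.0 * GiB] * 8,   # perfectly flat history, so MAD is zero
    "NEW01": [0.3 * GiB, 0.2 * GiB, 0.4 * GiB],   # too little history for a baseline
}
TODAY = {
    "FS01": 180 * GiB,         # staged archive leaving the file server
    "WS22": 0.7 * GiB,         # ordinary workstation day
    "DB03": 1.5 * GiB,         # above a flat baseline, but a small absolute change
    "NEW01": 0.5 * GiB,
}


def robust_baseline(values):
    """Median and median absolute deviation; a zero MAD falls back to 5% of the median."""
    med = median(values)
    mad = median(abs(v - med) for v in values)
    if mad == 0:
        mad = max(1.0, 0.05 * med)
    return med, mad


def score_egress(history, today):
    """Return findings: anomalous egress where the robust z-score exceeds K and the absolute
    increase exceeds MIN_ABS_BYTES, plus hosts that lack enough history to be judged."""
    findings = []
    for host, total in today.items():
        past = history.get(host, [])
        if len(past) < MIN_HISTORY:
            findings.append({"host": host, "status": "no_baseline", "bytes": total})
            continue
        med, mad = robust_baseline(past)
        deviation = (total - med) / (1.4826 * mad)   # 1.4826 scales MAD to a normal sigma
        if deviation > K and total - med > MIN_ABS_BYTES:
            findings.append({
                "host": host,
                "status": "anomalous_egress",
                "bytes": total,
                "baseline_bytes": med,
                "deviation": round(deviation, 1),
            })
    return findings


if __name__ == "__main__":
    for finding in score_egress(HISTORY, TODAY):
        print(finding)
```

Two design points carry over to real deployments. Hosts without enough history are reported as `no_baseline` rather than silently passing, because a newly built server is exactly where an attacker may stage data. And the absolute floor keeps a statistically huge but operationally trivial change (DB03's half-gigabyte jump over a flat history) from paging anyone, while FS01's jump from roughly 2 GiB to 180 GiB is flagged regardless of how the ratio is computed.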
Understanding these nuances is crucial for security teams as they plan their defenses. By distinguishing the outcomes of ransomware from those of extortion-only attacks, organizations gain a clearer view of the threats, risks, and consequences they face, and can develop more focused and effective plans to mitigate them.