The Evolution of Cyber Threats: Unpacking Extortion-Only Attacks

Posted June 13, 2023

The digital landscape is continually evolving, becoming increasingly complex and interconnected. This expansion, however, comes with a corresponding growth in cyber threats. One significant emerging issue is the rise of “extortion-only” attacks, a departure from traditional ransomware attacks that presents unique challenges for organizations worldwide.

Compared to traditional ransomware attacks, extortion-only attacks focus solely on stealing sensitive data and threatening its publication unless a ransom is paid. One prominent example of an extortion-only attack is the BianLian ransomware group, which has been actively targeting US and Australian critical infrastructure since June 2022. A joint advisory from the FBI, CISA, and the Australian Cyber Security Centre has been published to inform organizations about this new threat and help them fortify their defenses.

Understanding Extortion-Only Attacks

Extortion-only attacks differ from traditional ransomware attacks in that they do not involve the encryption of a victim’s systems. Instead, the attackers exfiltrate sensitive data and threaten to publish it unless a ransom is paid. This tactic is compelling because the incidents are essentially data breaches that come with reputation damage, undermining customer trust, and introducing legal complications. The BianLian group is a notable example of such a threat. Initially, they employed a double-extortion model, encrypting systems after stealing private data. However, when Avast released a decryptor for their ransomware in January 2023, the group switched to extortion-only attacks.

The Rising Threat and Success of Extortion-Only Attacks

Extortion-only attacks are becoming more prevalent. These attacks are often easier and more lucrative than the traditional ransomware attack process, which involves encryption and negotiation. By forgoing the complexity of cryptography and instead focusing on data exfiltration, malicious actors can avoid the need for intricate malware supported by backend infrastructure, as well as the hassle of managing and selling decryption keys, among other steps involved in traditional ransomware. The process of data theft and extortion is simply more straightforward and less cumbersome.

Extortion-only attacks are effective primarily because of their stealthy approach. They commonly involve techniques such as breaching systems using valid Remote Desktop Protocol (RDP) credentials, possibly purchased from initial access brokers or acquired through phishing. They can then use a custom backdoor, commercial remote access tools, and command-line scripts for network reconnaissance. To evade detection from security software, they will often leverage PowerShell and the Windows Command Shell to disable running processes associated with antivirus tools and manipulate the Windows Registry to neutralize tamper protections.

Impact of Extortion-Only Attacks

The potential consequences of these attacks are substantial, including financial, reputational, and operational impacts. When a breach occurs, not only is the immediate cost of the ransom a concern, but also the long-term impact on the organization’s reputation and the trust of its customers.

Extortion-only attacks apply a unique set of psychological pressures on targeted organizations. Unlike traditional ransomware attacks that mainly threaten data loss and operational disruption, extortion-only attacks also risk public exposure. These attacks can result in customers, partners, analysts, and even the media learning about the breach if the data is publicly dumped online. Moreover, attackers can directly reach out to the victims’ customers and partners, pressuring them to encourage the victim to comply with the extortion demand. This not only escalates the situation to a customer support issue, but it can also affect investor relations and public relations.

The remediation approach for ransomware and extortion-only attacks also differs significantly. While organizations can plan to restore data or pay the ransom in the case of a ransomware attack, dealing with an extortion-only attack can lead to a public relations crisis. Once the data is stolen, it’s nearly impossible to undo the damage. Paying the extortion fee doesn’t necessarily guarantee that the criminals will delete the stolen data. Moreover, even if the ransom is paid and the data isn’t leaked, the organization still suffers reputational damage and potential legal liability.

How to Mitigate the Risk of Extortion-Only Attacks

To mitigate the risk of extortion-only attacks, organizations are advised to limit the use of RDP and other remote desktop services, disable command-line and scripting activities, and restrict the use of PowerShell on critical systems. Regular audits of administrative accounts and adherence to NIST standards for password management are also recommended. Organizations are also advised to develop a recovery plan with multiple copies of data stored securely and offline, regularly update software and firmware, segment networks for improved security, and actively monitor network activity.

But since these attacks differ from traditional ransomware in that data can’t simply be restored from backup, extorsion-only attacks must be stopped before data is harvested. This requires leveraging tools such as XDR for early detection of attacks. This is done through:

Behavioral Analysis: XDR uses machine learning to establish a baseline of normal behavior for users, endpoints, and applications. This allows it to detect deviations from the norm that may be indicative of a security threat.
Anomaly Detection: Machine learning algorithms are used to identify anomalous patterns in network traffic, system logs, and other data sources, which may indicate a security threat.
Threat Hunting: XDR uses machine learning to automate the process of threat hunting, allowing security analysts to focus on investigating and responding to the most critical threats.
Predictive Analytics: Machine learning algorithms are used to predict the likelihood of a security threat based on historical data, enabling proactive threat prevention and remediation.

The nuances of extortion-only attacks are crucial for security teams as they strategize their defenses. By distinguishing the different outcomes for ransomware and extortion-only attacks, organizations can better understand the threats, risks, and potential consequences. This, in turn, helps them develop more focused and effective plans to mitigate these cyber threats.

Kyle Vinar

Kyle Vinar is Partner / President of Verus Corporation. He oversees all business operations and coaches Verus teams to continually improve on their solutions from client experience to product development and overall solution implementation. He works with all Verus resources to increase efficiencies and excellence in every aspect of their organizational roles. Kyle believes that people are the last real competitive edge that a company can have and constructing a rich culture is a vital step in running a world-class organization. Therefore he strives to create a culture within Verus that allows everyone to show up authentically and grow both personally and professionally, which in turn allows Verus Corp team members to provide clients with top-of-the-line service. Kyle helps balance strategy, capacity, and culture in such a way that has allowed Verus Corp to achieve exponential growth since he joined the company in 2013. One of Kyle’s greatest professional achievements has been in helping lay the foundation upon which Verus Corporation could be named the 2nd Best Place to Work by the Minneapolis/St. Paul Business Journal. Kyle holds a Bachelor of Science in Marketing from St. Cloud State University. He lives in Champlin with his wife and 3 children. He has enjoyed volunteering as a soccer coach for over 6 years and was the former Director of Coaching for Rebels Soccer Club. If Kyle isn’t on the sidelines of one of his children’s soccer games or in the audience of his eldest’s musicals, he can often be found cruising scenic routes on his Harley, in a deer stand, or on the golf course.