Jacques de la Riviere, CEO at Gatewatcher, takes a look at the intersection of new technologies and tactics transforming the shadowy world of ransomware.

Ransomware has evolved from a basic premise of locking down a victim’s data with encryption, then demanding a ransom for its release. Research now suggests that it will cost around $265 billion (USD) annually by 2031, with a new attack (on a consumer or business) every two seconds.

Against such a pervasive threat, businesses have sought to better prepare themselves against attacks. They have developed an array of tools, including better backup management, incident recovery procedures, business continuity and recovery plans. Together, they have all made the encryption of victims’ data less profitable.

In addition, security researchers, together with national bodies such as the Cybersecurity and Infrastructure Security Agency (CISA), have made substantial progress in identifying the weaknesses in the methods used by attackers, in order to develop decryption solutions. No More Ransomware, promoted by Europol, the Dutch police, and other stakeholders, lists approximately one hundred such tools.

In response to these developments, attacker groups are reconsidering their strategy. Rather than risk detection by encrypting valuable data, they now prefer to extract as much information as possible. Then, they threaten to divulge it. Ransomware has become extortion.

Re-energising the threat of publication

The potential public disclosure of sensitive information is the core of leveraging fear to pressure victims into paying a ransom. The reputational damage and financial repercussions of a data breach can be devastating. 

Ransomware gangs have recognised the potential for damage to a brand or group’s reputation simply by being mentioned on the ransomware operators’ sites. A study found that the stock market value of the companies named in a data leak falls by an average of 3.5% within the first 100 days following the incident and struggles to recover thereafter. On average, the companies surveyed can lose 8.6% over one year.

This threat of loss based on association, now quantified and in the hands of cybercriminals, has become an effective tool.

Operational disruption and revenue loss

Modern businesses rely heavily on digital systems for daily operations. A ransomware attack can grind operations to a halt, disrupting critical functions like sales, customer service, and production.

This disruption translates to lost revenue, employee downtime, and potential customer dissatisfaction. The longer the disruption lasts, the greater the financial impact becomes. Attackers exploit this vulnerability, pressuring victims to pay the ransom quickly to minimize their losses. And they do this most effectively by recognising key operational data.

The impact then spreads, as a ransomware attack on one company can ripple through its entire supply chain. Suppliers and distributors may be unable to access essential data or fulfil orders. This leads to delays and disruptions across the supply chain.

Knowledgeable attackers now target a single company as a gateway to extort multiple entities within the supply chain, maximising their leverage and potential payout.

Brand damage at the regulatory level

Brazen ransomware groups have already realised the value in making direct contact with end-users or companies that are the customers of their targets, as it enables the operators to increase pressure.

However, one new avenue of this direct attack on brand reputation is for the gangs to connect with the authorities. In November 2023, the ALPHV/BlackCat ransomware gang filed a complaint with the United States Securities and Exchange Commission (SEC) regarding their victim, MeridianLink.

In mid-2023, the SEC adopted new requirements for notifying data leaks, effective from September 2023. One of these rules requires notification within four business days of any data leak from the moment it is confirmed. Not only did ALPHV/BlackCat take control of the trajectory of the extortion, but they even circulated the complaint form among specialist forums as part of a promotional campaign.

Targeting the most vulnerable 

Ransomware gangs are not above using sophisticated, customised extortion strategies on the most vulnerable sectors. Healthcare has long been a key target – there is a step change in urgency when critical medical procedures may be delayed if ransom is not paid. 

Just a few months after the international Cronos Operation, the Lockbit group claimed a new victim in the healthcare sector. The Simone-Veil hospital in Cannes suffered a data compromise, adding to the extensive list of attacks conducted in recent months by other ransomware players against the university hospitals of Rennes, Brest and Lille.

Once the data had been extracted from the hospital on April 17, 2024, an announcement concerning their compromise was made on Lockbit’s showcase site on April 29, 2024. According to the cybercriminals’ terms, the hospital had until midnight on May 1, 2024, to pay the ransom.

The lesson here is that attackers exploit the vulnerabilities and pain points specific to each industry, making their extortion tactics more potent. And they do so with no consideration for the victims.

Ransomware attacks are now more than just data encryption schemes. They are sophisticated operations that exploit a range of vulnerabilities to extract maximum leverage from victims. By understanding the multifaceted nature of ransomware extortion, businesses and individuals can develop a more robust defence against this growing threat.
