The Top 10 Ways Ransomware Operators Ramp Up the Pressure to Pay


By VARINDIA - 2021-11-18

Ransomware has been around for decades and continues to thrive, largely because its operators are quick to evolve and adapt as the cybersecurity landscape advances. As organizations have become better at backing up their data and being able to restore encrypted files, attackers have begun to supplement their approach of demanding a ransom in return for decryption keys, with additional extortion measures designed to ramp up the pressure to pay. To help organizations improve their ransomware defenses, Sophos’ Rapid Response team has compiled the top 10 pressure tactics that adversaries used in 2021:

1. Stealing data and threatening to publish or auction it online

The list of ransomware groups that now run or host a public “leak” website for exfiltrated data is long. The approach is now so common that any victim of a sophisticated intrusion needs to assume that a ransomware attack also means a data breach.

Attackers publish stolen data on leak sites for competitors, customers, partners, the media, and others to see. These websites often have social media bots that automatically publicize new posts, so there is little chance of keeping an attack secret. Sometimes the attackers put the data up for auction on the dark web or within cybercriminal networks.

2. Emailing and calling employees, including senior executives, threatening to reveal their personal information

REvil, Conti, Maze, SunCrypt, and other ransomware families have used this intimidation tactic, which can be extremely distressing for recipients. They also claimed to have set up a free service providing voice-scrambled VoIP calls for their affiliate customers to use.

3. Notifying or threatening to notify business partners, customers, the media, and more, of the data breach

This tactic involves emailing or messaging people or organizations whose contact details the attackers found in stolen files and telling them to demand that the target pays the ransom to protect their privacy. REvil, Clop and other ransomware families use this approach.

4. Silencing victims

Conti and RagnarLocker have started threatening victims with messages saying the victim should not contact law enforcement or share details of ransom negotiations. This could be to prevent victims from getting third-party support that might help them avoid paying the ransom. It also suggests that ransomware brands are becoming more concerned about drawing attention to their activities, particularly from law enforcement.

5. Recruiting insiders

Another recent and unusual tactic ransomware operators are using is trying to recruit insiders to enable a ransomware attack in return for a share of the takings. In one widely reported example, the operators behind LockBit 2.0 included a recruitment ad for insiders to help them breach and encrypt the network of “any company” in return for a substantial payout.

6. Resetting passwords

After breaching the network, many ransomware attackers create a new domain admin account and then reset the passwords for the other admin accounts. This means that the IT administrators can’t log in to the network to fix the system. Instead, they must set up a new domain before they can even begin trying to restore from backups.

7. Phishing attacks targeting victim email accounts

In one incident investigated by Sophos Rapid Response and involving Lorenz ransomware, the attackers targeted employees with phishing emails to trick them into installing an application that gave the attackers full access to the employees’ email, even after they reset their passwords. The attackers then used the compromised email accounts to email the IT, legal, and cyber insurance teams working with the targeted organization, threatening further attacks if they didn’t pay.

8. Deleting online backups and shadow volume copies

During their reconnaissance of a victim’s network, most ransomware operators will look for any backups connected to the network or the internet and delete them so that the victim cannot rely on them to restore encrypted files. This can include uninstalling backup software and resetting virtual snapshots.
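Tactics 6 and 8 both leave traces in Windows Security audit logs before any file is encrypted, which is what makes them useful early indicators for defenders. The script below is an added example (not part of the Sophos list or VARINDIA’s article) that flags three of those traces over a handful of constructed events: a newly created account being added to a privileged group, one actor resetting the passwords of several admin accounts in quick succession, and a process whose command line removes shadow copies or the backup catalog. The event IDs (4720, 4724, 4728, 4732, 4688) are real Windows audit IDs; the sample events, the ten-minute window and the threshold of three resets are assumptions chosen for illustration.

```python
"""Flag pre-encryption ransomware indicators (tactics 6 and 8) in Windows Security events.

Added example; the events below are constructed, not from any real incident.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit events, one JSON object per line.
# 4720 = user account created, 4728/4732 = member added to a global/local group,
# 4724 = password reset attempted, 4688 = new process created (with command line).
SAMPLE_EVENTS = """
{"time": "2021-11-18T02:10:05", "id": 4720, "subject": "jdoe", "target": "svc_backup2"}
{"time": "2021-11-18T02:10:09", "id": 4728, "subject": "jdoe", "target": "svc_backup2", "group": "Domain Admins"}
{"time": "2021-11-18T02:11:30", "id": 4724, "subject": "svc_backup2", "target": "adm.alice"}
{"time": "2021-11-18T02:11:34", "id": 4724, "subject": "svc_backup2", "target": "adm.bob"}
{"time": "2021-11-18T02:11:41", "id": 4724, "subject": "svc_backup2", "target": "adm.carol"}
{"time": "2021-11-18T02:15:02", "id": 4688, "subject": "svc_backup2", "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"}
{"time": "2021-11-18T09:00:00", "id": 4724, "subject": "helpdesk", "target": "user17"}
"""

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}

# Token sets that, when all present in one command line, indicate backup/snapshot removal.
BACKUP_KILL_SIGNATURES = (
    ("vssadmin", "delete", "shadows"),
    ("wbadmin", "delete", "catalog"),
    ("shadowcopy", "delete"),
)


def parse_events(text):
    """Parse one JSON event per line and return the events in time order."""
    events = []
    for line in text.strip().splitlines():
        ev = json.loads(line)
        ev["time"] = datetime.fromisoformat(ev["time"])
        events.append(ev)
    return sorted(events, key=lambda e: e["time"])


def detect(events, window=timedelta(minutes=10), reset_threshold=3):
    """Return (indicator, account_or_actor, time) tuples for suspicious sequences.

    `window` and `reset_threshold` are tuning assumptions, not vendor-recommended values.
    """
    alerts = []
    created_at = {}              # account -> time it was created (event 4720)
    resets = defaultdict(dict)   # actor -> {target account: time of last reset}
    for ev in events:
        eid, when = ev["id"], ev["time"]
        if eid == 4720:
            created_at[ev["target"]] = when
        elif eid in (4728, 4732) and ev.get("group") in PRIVILEGED_GROUPS:
            # Tactic 6: a freshly created account is made an admin within the window.
            born = created_at.get(ev["target"])
            if born is not None and when - born <= window:
                alerts.append(("new-privileged-account", ev["target"], when))
        elif eid == 4724:
            # Tactic 6: one actor resets several distinct accounts in quick succession.
            history = resets[ev["subject"]]
            history[ev["target"]] = when
            recent = [t for t, ts in history.items() if when - ts <= window]
            if len(recent) == reset_threshold:   # fire once, when the threshold is first reached
                alerts.append(("mass-password-reset", ev["subject"], when))
        elif eid == 4688:
            # Tactic 8: shadow copies or the backup catalog removed via a known utility.
            tokens = set(ev.get("cmdline", "").lower().replace(".exe", "").split())
            if any(set(sig) <= tokens for sig in BACKUP_KILL_SIGNATURES):
                alerts.append(("shadow-copy-deletion", ev["subject"], when))
    return alerts


def run_sample():
    """Run the detector over the constructed events; returns three alerts."""
    return detect(parse_events(SAMPLE_EVENTS))


if __name__ == "__main__":
    for kind, who, when in run_sample():
        print(f"{when.isoformat()}  {kind:24s} {who}")
```

The helpdesk reset at 09:00 produces no alert, which is the point of correlating by actor and time rather than alerting on every 4724: a single legitimate reset looks nothing like one account resetting three admins inside two minutes, ten minutes after being created and promoted. In practice the same logic would be fed from a SIEM query rather than a JSON string, and the shadow-copy signature should be extended with whatever snapshot tooling the environment actually uses.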

9. Printing physical copies of the ransom note on all connected devices, including point-of-sale terminals

A flood of printed threats is not just a nuisance in terms of paper supply; it is unsettling for people in the office. Ransomware operators including Egregor and LockBit have applied this tactic.

10. Launching distributed denial-of-service attacks against the target’s website

Avaddon, DarkSide, RagnarLocker, and SunCrypt have used distributed denial-of-service (DDoS) attacks when ransom negotiations have stalled, to force targets back to the table. Adversaries also use DDoS attacks as distractions to tie up IT security resources while the main ransomware activity is taking place elsewhere on the network, or as standalone extortion attacks.

The following steps may help organizations deal with threatening attacker behaviors:

  • Establish a 24/7 contact point for employees, so they can report any approaches claiming to be from attackers and receive any support they need
  • Introduce measures to identify potential malicious insider activity, such as employees trying to access unauthorized accounts or content
  • Monitor network security 24/7 and be aware of the five early indicators an attacker is present, to stop ransomware attacks before they launch
  • Shut down internet-facing remote desktop protocol (RDP) to deny cybercriminals access to networks. If users need access to RDP, put it behind a VPN or zero-trust network access connection and enforce the use of multi-factor authentication (MFA)
  • Educate employees on what to look out for in terms of phishing and malicious spam and introduce robust security policies
  • Keep regular backups of the most important and current data on an offline storage device. The standard recommendation for backups is to follow the 3-2-1 method: 3 copies of the data, using 2 different systems, 1 of which is offline, and test the ability to perform a restore
  • Prevent attackers from getting access to and disabling security: choose a solution with a cloud-hosted management console with multi-factor authentication enabled and role-based administration to limit access rights
  • Remember, there is no single silver bullet for protection, and a layered, defense-in-depth security model is essential – extend it to all endpoints and servers and ensure they can share security-related data
  • Have an effective incident response plan in place and update it as needed. Turn to external experts to monitor threats or to respond to emergency incidents for additional help, if needed
