Positive Technologies: ransomware gangs threaten to publish victims' data

Double listing and "lawful extortion": ransomware operators' new tactics

Positive Technologies experts have presented a study of the Q3 2023 cybersecurity threatscape. The share of malware attacks remained unchanged from Q2 at 45%. The advent of decryption tools reduced the effect of encryption malware, causing its share to shrink. Ransomware gangs now threaten to publish stolen information without encrypting the compromised systems or data. Experts are recording new methods employed by ransomware operators, including some unconventional social engineering techniques.

According to our analysis, Q3 2023 saw a slight decrease in the total number of cyberincidents from the previous quarter. With 37% of total incidents, exploitation of vulnerabilities remained a popular method for attacking organizations. Bad actors continued to take advantage of flaws in popular IT solutions, providing further evidence of the importance of regular updates and software security.

The share of malware attacks in Q3 2023 remained unchanged from the previous quarter at 45%. Throughout the quarter, cyberextortionists continued to demand ransoms for not disclosing information, while in several cases refraining from encrypting the data in the targeted systems.

"Encryption malware remains the most frequently used type of malware in attacks on organizations, but its share dropped by 6 percentage points from the previous quarter," says Alexey Novikov, head of the Positive Technologies Expert Security Center. "We believe that this drop can be attributed to the wider access to decryption tools and the fact that extortion gangs gradually forgo system and data encryption in favor of threatening to publish victims' data. In some cases, if the organization refuses to pay the ransom, the hackers reach out to its affected customers directly, trying to coerce them into paying for their data to be deleted. Double posting is another notable trend, where two ransomware gangs announce that they have successfully breached the same organization, and each demands a ransom."

Novikov also noted a unique tactic used by the ransomware group Ransomed.vc. The group, which presents its malicious activities as a pentesting service, is abusing the European Union's General Data Protection Regulation (GDPR): should the victim refuse to pay up, the hackers publish the data they stole from the organization, which results in it being fined for failure to protect the data. The expert named this tactic "lawful extortion".

According to Positive Technologies, the share of spyware attacks on individuals in Q3 increased to 65%. Spyware infections were detected in 20% of successful attacks on organizations, a figure that remains unchanged since Q2. More than half (57%) of all corporate infections with various types of malware occurred through email. Websites remained the main source of malware used to attack individuals at 49%, up 9 percentage points from Q2.

To protect devices against malware infection, experts recommend using sandboxes that allow analysis of file behavior in a virtualized environment, thereby detecting any malicious activity, and acting in time to prevent damage to the company. To protect against encryption attacks, regular backups are a must.

Social engineering remained the biggest (92%) threat to private individuals and a major (37%) threat to organizations. Phishing scams continued to exploit the themes of employment, political turmoil, and making a quick buck (for example, by investing in cryptocurrencies), and also masqueraded as delivery services.

Positive Technologies experts highlight the fact that social engineering techniques never stop evolving. Bad actors used highly elaborate tactics to give their victims a false sense of security. Scammers used modular tools to craft convincing phishing sites and email reply chains; they also launched multi-stage attacks combining different cyberfraud techniques. Several attacks relied on compromised corporate IT systems to attack customers and business partners, as in the case of an attack on hotels listed on Booking.com. Positive Technologies predicts that AI-powered attacks will grow in number as more cybercriminals add the tool to their arsenals.

The experts recommend remaining vigilant online and refraining from opening suspicious links or downloading attachments from unverified sources. Users must treat with suspicion any urgent requests and offers that are too good to be true.

As in Q2, a data breach was the most common consequence of successful attacks on organizations (56%) and individuals (61%). Direct financial losses led as the second most common consequence (35%) for attacks on individuals. For organizations, disruption to core business functions was the second most frequent (36%) consequence of an attack, although its share decreased by 8 percentage points from Q2 as the use of data encryption by ransomware gangs declined. That being said, the experts recommend that companies continue treating encryption attacks a risk, as these tend to cause severe consequences, such as the loss of three months' worth of email history in the case of the attack on governmental agencies in Sri Lanka.

The full version of this study is available on the Positive Technologies website.