While all businesses continue to adjust to the remote work environment, it’s business as usual for cybercriminals. Although there are reports of phishing schemes tied to the COVID-19 pandemic, we are not really seeing different types of incidents or new tactics from the threat actors. Incident volume has increased slightly, but we are not seeing the surge that many expected as governments around the world instituted stay-at-home orders.
One recent trend in ransomware attacks is threat actors stealing data and threatening to publicize it to increase their leverage to extort money from the victims. If a business encounters one of these groups in a ransomware incident and has explored paying the ransom to unlock its files, we are now seeing threat actors support the demand by claiming they stole data and will make it public if the ransom is not paid. We are also seeing instances when an organization is able to recover without paying the ransom, but the threat actor reaches out and claims that it stole data, and demands a ransom to return or destroy the files. Often, short timelines will be attached to this threat, forcing an organization to quickly assess its credibility through forensics or by mining the threat actor for whatever information it will share. This has been widely reported, and even the FBI has issued a warning about ransomware groups utilizing this tactic. Gone are the days when data exfiltration in a ransomware event was rare. Hello, new normal.
This move should have been predictable: cybercriminals are in the business of making money, so any lever that can be pulled to ensure payment should be considered when planning for and responding to any data security incident. Consider that in 2019, the FBI received reports of ransomware incidents affecting businesses to the tune of ~$9 billion (see FBI IC3 Report for 2019). This is almost three times the reported ransomware losses businesses incurred in 2018 (see FBI IC3 Report for 2018), which totaled ~$3.6 billion. Unfortunately, threat actors are not providing “discounts” to victims that are able to recover without paying the ransom – the demand for the decryption tool is typically the same as the demand to return or destroy the data that a threat actor exfiltrated from the environment.
The ransomware groups utilizing this tactic have all incorporated data exfiltration and a threat to make data public in order to pressure companies to pay the ransom, even if companies have viable backups. This trend is likely to continue. The data that companies are concerned about isn’t limited to financial, customer or personal information. Intellectual property, R&D, acquisition targets and business plans are all potentially lucrative. Corporate espionage has always been an issue, and now there’s a new player involved that is stealing data and offering it for sale on the dark web.
The most common form of data security incident we respond to is a business email compromise (BEC). The financial impact of BECs also continues to grow, but at a slower rate than that of ransomware. In 2018, the FBI reported that the total losses as a result of BECs were ~$1.3 trillion. That figure grew in 2019 to ~$1.8 trillion. We know from our investigations that threat actors frequently synchronize or download a mailbox. The BEC groups, just like the ransomware groups, have found another way to commoditize the data they obtain.
In the past, a BEC would typically result in some form of financial fraud: redirecting upcoming wire transfers (real estate, venture capital, etc.), invoice fraud, payroll fraud or the always popular “get an employee to buy gift cards” fraud. Now, threat actors are selling this information or using it themselves to extort the business.
The scam works like this: A C-suite executive or HR employee receives an email with identification documents (Social Security card, passport image, driver’s license image, etc.) of current or former employees. The email threatens to publish or sell the documents of the employees if payment isn’t made. This scam is different from the “embarrassing video” sextortion attempts because the threat actor provides samples of the data it is threatening to publish; the sextortion emails usually do not include evidence that the threat actor has an embarrassing video at all.
The demands typically range from one to two bitcoins, and these extortion attempts are becoming more prevalent. They present a real challenge for investigators and attorneys in the incident response space because the extortion attempts typically do not provide information about how the data was acquired. We have even seen some cases in which the business was not compromised at all; rather, the data was obtained in some other breach and the threat actor had linked the individual to a particular business.
The need to secure data will continue to grow, and if the recent trends continue, cyber liability will be one of the greatest risks that businesses face in the 2020s.