Mandiant: Cyberextortion schemes increasing pressure to pay

SAN FRANCISCO -- Enterprises are facing multilayered cyberextortion campaigns that combine data theft, public shaming and system encryption, which are increasing the pressure on victims to pay ransoms.

During an RSA Conference 2022 session Wednesday, David Wong, vice president at Mandiant, and Nick Bennett, vice president of professional services at Mandiant, provided case studies and anecdotal data that compared the outcomes of two clients that each suffered a ransomware attack and various cyberextortion attempts. While one client was more prepared to deal with a successful attack than the other, the examples highlighted an increasing persistence from attackers that pays off if the victim is ill-equipped.

Bennett highlighted some of the newer cyberextortion tactics that ransomware gangs and cybercriminals are using to pressure victims to pay. Encrypting data and demanding payments for decryption keys is only one of the tactics used by threat actors, he said.

"We see them reaching out directly to the victim's customers and antagonizing those customers," Bennett said. "We see them reaching out to the media to get more heat on the victim. We see them sometimes even reaching out to regulators that have jurisdiction over the victims."

The first case study involved a company that had relative success, despite it being the client's first incident response situation, because of some key factors in place. The client had implemented multifactor authentication across all remote access technologies, kept aggregated logs, understood its Active Directory environment, was ready to issue public statements and had a clear plan of whom to contact during all attack stages.

Bennett said that enabled Mandiant to react more swiftly and effectively in its incident response investigation.

"The client's team was confident, they were motivated, and importantly, they were authorized by leadership to make decisions and execute," Bennett said during the session.

On the other hand, the second client did not have confidence in bringing its environment back online, Bennett noted. The company was also worried about encryption starting again and feared public leaking of its data. Overall, the client just wanted to get the attacker to back down. Subsequently, Bennett said, it ended up paying a hefty ransom in the million-dollar range.

Wong also provided an example of an incident response case where the company had a policy against paying. While he said Mandiant agrees with that approach, sometimes they start ransom negotiations with the threat actor to stall and gain additional information on the attack, with no intention of paying. However, this company refused to engage in negotiations at all.

In return, the threat actor got nervous and followed through with posting the company's data on a public leak site, Wong said. That alerted the victim's customers, which caused further problems.

"The attacker started DDoS campaigns, they started calling customers because of that multifaceted extortion ransomware attack where they keep trying to put pressure on you, and you don't have much time to respond because you didn't prepare, and now you've got customers calling you," Wong said. "You need to think about those types of strategies, and it's not anything the IT can do -- it's your lawyers, communication teams and the business folks."