The rapid evolution of ransomware extortion tactics continued this week with the Alphv ransomware gang's launch of a website where employees and customers of a victim organization can check if their personal data was compromised.
In just the last year, groups have employed increasingly dangerous extortion schemes such as DDoS attacks, media shaming and even reaching out to victims' customers directly. On top of double and triple extortion methods, operators behind Alphv, a relatively new ransomware-a-as-service group that's also known as BlackCat, are now pressuring victims into paying by intimidating their employees and customers.
Emsisoft threat analyst Brett Callow revealed the existence of the site on Twitter on Tuesday and compared it to Haveibeenpwned, a widely used free service that allows individuals to enter their email addresses and track which breaches have exposed them. While most ransomware leak sites are located on the dark web, Alphv's is a clearnet site and accessible without a Tor browser.
"This is a new but unsurprising evolution in extortion tactics," Callow wrote on Twitter. "Alphv will likely use stolen email addresses to send a link to the site to impacted individuals. Other gangs have used similar strategies."
Callow told SearchSecurity that if this strategy works for Alphv, it will be adopted by other ransomware operations, just as groups copied Maze after its success with encrypting and exfiltrating data.
Matthieu Garin, partner at security consulting firm Wavestone, also addressed the new technique on Twitter. Like Callow, he was not surprised by the shift in extortion tactics.
"For years, this scenario has been played on exercises. We will see more attacks of this kind on sectors with super-powerful clients (wealth banking, luxury…)," Garin wrote on Twitter.
While time will tell how this tactic plays out, Ryan Olson, vice president of threat intelligence at Unit 42, said it signals a market force change.
He referred to it as an innovation that may help actors be more successful in increasing a payment amount, the speed or likelihood that an organization pays the ransom.
"Innovation is the right word. It's uncomfortable to think of cybercriminals as people who are innovative or people who are running a business, but that's how they treat it," Olson told SearchSecurity.
While talking with organizations that had been compromised in the past, Olson said he found that CISOs may look at stolen data and determine it's not sensitive. The main concern often centers on reputation and the fact that a data breach happened in the first place. It can give the impression that enterprises can't protect data, Olson said, even if the data isn't that sensitive.
"By flipping it around so that an employee can learn its own data has been impacted introduces the possibility that the employees themselves start putting pressure on their leadership," Olson said. "Typically, the full employee set is not involved in payment discussions after a ransomware attack, but now if their data is directly involved, they may feel like they have a right or need to have their voice heard, which may make it more complicated for the company to respond."
Ransom payment increases
Palo Alto Networks recently published its 2022 Ransomware Threat Report, which highlighted significant increases in both payment amounts and extortion tactics. One problem with multi-extortion is its effect on backups, which organizations in the past used to recover from a ransomware attack, according to the report.
Alphv, which is a successor to the infamous BlackMatter ransomware gang, was noted in the report for having the seventh-largest number of victims listed on their leak site in 2021, as well as being one of the first to apply triple extortion tactics. These trends are continuing into this year, with the potential to become worse.
"Ransomware is a problem that continues to increase in severity as ransoms go up, and it's one of the largest, from a volume perspective as well, cybercrime operations," Olson said.
The report and recent data were compiled from Unit 42's incident response cases, as well as information gathered from tracking ransomware leak sites. In just the first four and a half months of 2022, Olson said they've observed just north of 1,000 victims listed on leak sites. Effectively, that breaks down to one ransomware victim every four hours, he said.
However, the biggest takeaway he noted was around payments, which have risen 71%. While the average demand has increased to $2 million, the average ransom paid by a customer is around $925,000. It follows the same trend as last year where the initial ransoms came in high and were negotiated down. Olson said it's important for enterprises to know they can negotiate.
However, as groups like Alphv employ increased pressure, that could change.
"We'll invariably see other strategies emerge in the months ahead, as like legitimate enterprises, gangs constantly innovate and test new strategies in order to maximize their conversion rates and payouts and respond to market conditions," Callow said.