CISA updated its "StopRansomware Guide" this week to reflect a changing threat landscape that has seen a shift away from double-extortion tactics, with some attackers relying solely on data theft and leaks to pressure victims into paying.
Double-extortion, where threat actors exfiltrate and threaten to leak stolen data as well as encrypt victims' systems, saw a significant uptick among ransomware groups beginning in 2019 because it successfully pressured organizations into paying ransoms. However, recent attacks, vendor reports and government advisories illustrate how attackers are now returning to a single-extortion approach and choosing new targets such as VMware ESXi hypervisor servers to claim victims at scale.
The transition led CISA to make the first update to its "StopRansomware Guide" since the guide was published in 2020. On Tuesday, CISA, along with the FBI and National Security Agency, added new recommendations for backups, warnings about third parties and MSPs, and best response practices for ransomware and data extortion attacks.
CISA first introduced the "StopRansomware Guide" in 2020, following up with a dedicated website in 2021. In the updated guide, the agency emphasized how ransomware and data extortion attacks cause financial and reputational concerns for organizations of all sizes and have led to prolonged business disruptions.
"Over time, malicious actors have adjusted their ransomware tactics to be more destructive and impactful and have also exfiltrated victim data and pressured victims to pay by threatening to release the stolen data. The application of both tactics is known as 'double extortion,'" CISA wrote in the guide. "In some cases, malicious actors may exfiltrate data and threaten to release it as their sole form of extortion without employing ransomware."
Data extortion attacks aren't necessarily less dangerous than traditional ransomware attacks, as threat actors have embraced increasingly aggressive tactics. Not only are ransomware gangs using their public data leak sites to pressure victims into paying, but they're also contacting victims' family members and competitors to strong-arm organizations. On top of that, some ransomware operators demand payments by threatening to leak sensitive photos and video footage.
In addition to ruthless extortion techniques, targets are also changing as gangs use vulnerabilities to commit broad attacks. For example, the Clop ransomware group exploited a zero-day in Fortra's GoAnywhere managed file transfer software in January that caused significant fallout through April. Through one target and without deploying ransomware, the group claimed a high number of victims including some prominent companies.
As part of the "StopRansomware Guide" update, CISA issued a warning about another ongoing target: VMware ESXi servers. In February, operators using a new ransomware variant dubbed ESXiArgs exploited older, already-patched vulnerabilities in unpatched hypervisor servers in a widespread campaign. Due to these attacks, CISA urged enterprises to update all VMs and hypervisors.
Earlier this month, CrowdStrike documented a new ransomware-as-a-service group it called MichaelKors that is actively targeting ESXi hypervisors.
"New ransomware tactics target VMWare ESXi servers, which enables fast encryption of the infrastructure at scale," the guide read.
Another warning addressed third parties and MSPs, which CISA said attackers target to gain initial access into an enterprise environment through remote access. The guide emphasized that "MSPs have been an infection vector for ransomware impacting numerous client organizations."
CISA's security recommendations are changing to adapt to the ransomware evolution. While maintaining sufficient backups is still critical to the recovery process, there are new caveats when it comes to securing data in the cloud. CISA emphasized the importance of maintaining offline, encrypted backups of critical data because ransomware variants will encrypt accessible backups to increase the pressure to pay.
"Automated cloud backups may not be sufficient because if local files are encrypted by an attacker, these files will be synced to the cloud, possibly overwriting unaffected data," the guide read.
CISA recommended using infrastructure as code to deploy and update cloud resources and keep backups of template files offline.
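The failure mode CISA describes above, local files encrypted by an attacker being synced over good cloud copies, can be caught before the sync runs. The following is an added example, not code from the guide or the article: a pre-sync guard that measures byte entropy on each file in a backup set and refuses to sync when too many files look freshly encrypted. The thresholds, the allow-listed extensions, and the constructed sample files are assumptions for the demonstration, and the guard complements, rather than replaces, the offline encrypted backups the guide calls for.

```python
"""Pre-sync guard: refuse to push a backup set to cloud storage when it looks
like ransomware has just encrypted it. Added example; not from CISA's guide."""
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

ENTROPY_THRESHOLD = 7.5   # bits/byte; encrypted or compressed data approaches 8.0
MAX_SUSPECT_RATIO = 0.20  # assumed policy: abort sync if >20% of files look encrypted
KNOWN_EXTENSIONS = {".txt", ".docx", ".xlsx", ".pdf", ".csv", ".json", ".tf"}


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte of the given buffer (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(path: Path) -> bool:
    """High entropy plus an extension outside the allow-list suggests ransomware output."""
    with open(path, "rb") as fh:
        head = fh.read(65536)  # the first 64 KiB is enough to judge entropy
    return shannon_entropy(head) > ENTROPY_THRESHOLD and path.suffix.lower() not in KNOWN_EXTENSIONS


def assess_backup_set(root: Path) -> dict:
    """Walk the backup set and decide whether it is safe to sync to the cloud."""
    files = [p for p in root.rglob("*") if p.is_file()]
    suspect = [p for p in files if looks_encrypted(p)]
    ratio = len(suspect) / len(files) if files else 0.0
    return {"total": len(files), "suspect": len(suspect), "ratio": ratio,
            "safe_to_sync": ratio <= MAX_SUSPECT_RATIO}


def demo() -> dict:
    """Constructed sample: a clean backup set, then the same set after a simulated
    mass encryption (random bytes written under a '.locked' suffix)."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for i in range(10):
            (root / f"report-{i}.txt").write_text("quarterly figures " * 200)
        results["clean"] = assess_backup_set(root)
        for i in range(4):  # 4 of 10 files replaced -> 40% suspect, sync is refused
            (root / f"report-{i}.txt").unlink()
            (root / f"report-{i}.txt.locked").write_bytes(os.urandom(8192))
        results["after_encryption"] = assess_backup_set(root)
    return results


if __name__ == "__main__":
    for label, verdict in demo().items():
        print(label, verdict)
```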
Vendors observe ransomware changing
The infosec community has observed similar trends in the ransomware landscape that support CISA's updated guidance.
Jen Miller-Osborn, director of threat intelligence at Palo Alto Networks' Unit 42, saw a significant increase in extensive harassment employed by ransomware groups. She told TechTarget Editorial that a concerning uptick is how ransomware operators will go after children to put pressure on victim organizations.
"Why bother [with ransomware deployment] if the extortion part is working? It really is faster," Miller-Osborn said.
Another consistent theme Unit 42 observed is ransomware groups starting to look more like nation-state attackers, particularly when it comes to exploiting software vulnerabilities. Over the last two years, ransomware groups have increasingly focused on software flaws, she said, and some groups even had their own zero-days. Miller-Osborn referred to the zero-day activity as "unprecedented."
"Ransomware groups are getting monetary resources to get the zero-days or people that have that skill set are stepping in. Groups are now focused on weaponizing CVEs," she said. "Ten years ago, you had two to three weeks to patch a perimeter. Now, we see 24 to 36 hours if you're lucky. There's a level of unawareness of how the landscape has shifted. We have to advise customers on response times."
Ryan Kovar, distinguished security strategist at Splunk, told TechTarget Editorial that while extortion tactics are increasing, he's still seeing ransomware deployment. In general, he said ransomware operators are adapting to improved defenses and national policy updates. Specifically, he's observed the LockBit ransomware gang adapting and trying new methods to get around defenses.
Ian McShane, vice president of strategy at Arctic Wolf, said there are increasing ways in which ransomware groups will convince victims to pay, but their threats are not always legitimate. In some cases, operators will use data exfiltration as a bluff, and it can be difficult for organizations that don't have systems or incident response plans in place to verify if sensitive data was indeed exfiltrated.
While many vendors, including Arctic Wolf, observed a decrease in ransomware attacks over the past year, McShane said some of it can be attributed to a lack of reporting.
"We saw 26% less ransomware attacks over the past year. In the grand scheme of things, so few organizations actually put their hands up and say, 'We've had a ransomware attack,' so it's probably growing now," he said. "Ransomware isn't the worst thing though. The reality is, it's not always something that happens overnight, so if you're prepared and can use defenses, that's going to help."
Arielle Waldman is a Boston-based reporter covering enterprise security news.