Risk & Repeat: Are data extortion attacks ransomware?

Shifts in the threat activity landscape have altered ransomware in significant ways.

Ransomware looks extremely different today than it did in the WannaCry days. The classic attack -- in which threat actors encrypt a victim's environment to hold it hostage for a payday -- still exists, but this format quickly gave way to double-extortion campaigns. In these attacks, a threat actor would both encrypt and steal an enterprise victim's data, threatening to publicly leak it unless the victim paid up.

This format became especially prominent in big-game attacks, in which specialized gangs would focus on victims who could potentially pay ransoms in the range of millions of dollars. And, in the last few years, some threat actors have tried incorporating DDoS into double-extortion attacks, creating the uncommon-but-observed triple-extortion attack.

But, due to such factors as increased law enforcement action and improved cyber defenses, the ransomware landscape has shifted somewhat in the last year or so toward attacks in which threat actors steal data for extortion purposes but don't encrypt the victim's network. Clop's immense MoveIt Transfer-focused campaign that began in May is the most recent example of these types of data extortion attacks.

These data extortion attacks are in many ways an extension and evolution of ransomware threat activity, but they typically cause less disruption to IT and business operations. This has led to discussion within the infosec community regarding how to categorize the extortion-only attack format.

On this episode of the Risk & Repeat podcast, TechTarget editors Rob Wright, Alex Culafi and Arielle Waldman discuss the changing ransomware landscape and whether data extortion attacks should be considered ransomware.

Subscribe to Risk & Repeat on Apple Podcasts.

Alexander Culafi is a writer, journalist and podcaster based in Boston.