Haggle, extort, or simply ask: how ransomware gangs make their money


When it comes to holding organizations to ransom, there is a gulf between the asking price and what actually gets paid out, according to fresh insights from Palo Alto Networks.

While the average ransom demand has risen steadily in the first half of 2022, with the highest demand seen by cyber analyst Palo topping $30 million, the maximum payout was just over a quarter of that – suggesting that cybercriminals are at least willing to haggle with their victims.

It wasn’t the only discrepancy noted by Palo in its annual cybercrime report. While the finance, legal, and manufacturing sectors were the top-three targeted industries, they weren’t necessarily the easiest to negotiate with.

“The average ransom demand we observed in the past year for the finance industry was nearly $8 million,” said Palo. “However, the average payment was only about $154,000 – representing about 2% on average of the demand in cases where organizations decided to pay the ransom.”

By contrast, healthcare organizations, though initially asked to pay much less on average, tended to cough up most of what cyber gangs demanded of them.

“The average ransom demand we observed in the past year for the healthcare industry was over $1.4 million,” said Palo. “And the average payment was $1.2 million, representing about 90% on average of the demand in cases where organizations decided to pay the ransom.”

And while real estate companies were far from being favored targets, failing to make Palo’s top eight list, when ransom gangs did go after them, they typically demanded a high rate of extortion – in excess of $5 million, second only to the median price tag imposed on the finance sector.

Why encrypt when you can extort?

Extortion itself appears to be a growing tactic among cybercriminals: in 4% of cases, attackers dispensed altogether with the more conventional encryption – by which a threat actor renders the victim organization’s crucial data unusable until a ransom is paid – and relied on extortion alone to coerce the target into paying up.

Of course, many threat actors are using a combination of both methods, but there is evidence from Palo to suggest that extortion could increasingly become the sole means by which ransomware gangs make their illicit money.

“Multi-extortion techniques, including double extortion, occur when attackers not only encrypt the files of an organization, but also name and shame the targets or threaten to launch additional attacks such as distributed denial of service (DDoS) to encourage organizations to pay more quickly,” said Palo. “Many ransomware groups maintain dark web leak sites for the purpose of double extortion.”

But it added: “Our incident responders and threat intelligence analysts note that extortion without encryption is likely to rise. The efficacy of extortion tactics has even led some prominent threat actors associated with the Conti ransomware group to publicly state that they envision focusing their future efforts on attacking organizations through extortion alone.”

Palo believes that part of this is due to the increased uptake of ransomware-as-a-service (RaaS) models by less skilled crooks who “to put it bluntly [...] don’t seem to know what they’re doing.”

“Even threat actors who seem to have the basics down are beginning to resort to the simpler versions of attacks, for example, using extortion without encryption rather than executing a full-blown ransomware attack,” said Palo. “Cloud incidents could also rise since threat actors in the current environment often need to discover carelessly guarded credentials rather than demonstrate advanced technical skill.”

Ask and ye shall receive

Indeed, such laxly protected credentials are proving to be manna from heaven for enterprising cyber miscreants who need to break past a target organization’s defenses prior to extorting it.

“Forms of social engineering, such as phishing, offer an easy and cost-effective way to gain covert access while maintaining a low risk of discovery,” said Palo. “In many cases, cybercriminals are simply asking their unwitting targets to hand over their credentials – and getting them.”

Known as business email compromise (BEC) attacks, these enable crooks to get the coveted access without having to deploy complex or laborious technical methods involving sophisticated malware or brute-force password-guessing tactics. “Once they have access, the median dwell time for BEC attacks was 38 days, and the average amount stolen was $286,000,” said Palo.

The dwell time is the period spent within a target’s system before launching an attack, which Palo says is typically used by crooks to engage in what it calls “lateral movement.”

“An attacker gains initial access to a specific part of a network,” it said. “Similar to opening doors to get from a foyer into other parts of a house, lateral movement is the process attackers use to move into and control other systems on a network. Doing this expands the impact an attacker can have in a compromised environment.”

Crooks who do their research

One of the handy pieces of data a cybercriminal might use their dwell time to get eyeballs on is a victim company’s insurance policy – because knowing how much they are covered for can help with those crucial negotiations when it comes to the haggling part of the operation.

“Threat actors increasingly mention cyber insurance during ransomware negotiations as a reason why a victim organization can afford to pay a ransom,” said Palo. “This is sometimes just a negotiation tactic, as we have observed this even with clients who are uninsured. Even so, threat actors do attempt to access financial information when they have unauthorized access to a victim organization and calculate ransom demands based on the (perceived) revenue of the organization being extorted.”

That said, Palo does recommend that organizations at risk of being ransomed have an insurance policy, as this can mitigate losses should the worst happen and also be integrated into an emergency response plan.

Overall, it would appear that a combination of human and digital error is responsible for most successful ransomware attacks, with phishing and software vulnerabilities together accounting for seven in ten incidents observed by Palo. More specifically, poor oversight of patching – leaving known software vulnerabilities unaddressed – contributed to threat actor success in 28% of cases.

When it comes to software vulnerabilities, Palo has a top list for those as well. ProxyShell accounted for over half of the exploits used by cybercriminals to gain access to target systems, with Log4J (14%) and SonicWall (7%) distant seconds.

An inside job

Further to human error, organizations would perhaps be best advised to make sure their workers are content – because Palo identified that three in four “insider cases” involved a disgruntled former employee with a score to settle.

All in all, suspected inside jobs accounted for one in twenty of breaches observed by Palo – a small but significant proportion of cyberattacks.

“Insider threats were not the most common type of incident we handled, but they can be significant because they involve a malicious actor who knows exactly where to look to find sensitive data,” it said. “Seventy-five percent of our insider threat cases pertained to a disgruntled ex-employee who left with company data, destroyed company data, or accessed company networks after their departure.”

Palo added: “However, our consultants note that many attacks that appear initially to be insider threats turn out to come from cybercriminals who, for instance, purchased stolen credentials [on the dark web]. With mature markets for illicit initial access available, differentiating between legitimate and malicious user access is becoming more challenging.”

Insider threats often involved the theft of intellectual property, and in some cases even entailed “using inside knowledge to locate and hire the same contractors and support staff, who then may have access to privileged information.”

Quality not quantity

The Palo report’s contributors are urging organizations at risk to carefully scrutinize and evaluate their data, so they can put in place a protection program that is nuanced enough to shield them from the worst of a ransomware attack.

“The quantity of stolen data does not directly correlate to the negative impact of its theft,” explained Dan O’Day, consulting director of Palo’s specialized cyberdefense team Unit 42. “Unauthorized acquisition of a single spreadsheet containing a list of individuals’ personally identifiable information (PII) could result in a large data breach, even though the file size itself may be very small. Companies should avoid storing such repositories of sensitive information in unencrypted files, and should be cognizant of where this information is located in their environment.”

He added: “Asset inventory is a critical part of cybersecurity. You likely won’t secure what you aren’t aware of, and you have zero visibility into assets you don’t manage or know about.”