Criminal groups are continually changing tactics to gain the upper hand in cyber extortion. One recent tactic is to email their victim’s customers directly. The email explains that a company they work with or buy from has suffered a breach, and their personal data is now at risk of being published or sold on the dark web.
Applying third party pressure
Clop is one criminal group applying this cyber extortion method to pressure the victim organisation into paying a ransom. Clop targets organisations affected by the December 2020 Accellion FTA breach, which affected Royal Dutch Shell, Flagstar Bank, the University of Colorado, and an unnamed online maternity clothing store.
After exfiltrating data, Clop threatens to publish it and contacts the store’s customers by email, explaining what data was stolen and the risk the recipient is facing. The email goes a step further with a call to action for customers to “Call or write to this store and ask to protect your privacy!!!!”. The goal is to drive large numbers of customers to pressure the store into paying the ransom.
Another criminal group, REvil, applies similar pressure tactics. In February 2021, the group was observed recruiting people to perform DDoS attacks and make VOIP calls to victims and their partners. The following month, REvil announced they would use DDoS attacks and phone calls to journalists to inform them of the data at risk of exposure and to further pressure victims into paying up.
Bullying and blackmailing individuals in the target organisation
In a separate but related development, cyber criminals are now attempting to extort organisations by revealing embarrassing items found on individual employees’ workstations, including files that appear to contain pornographic material and, in one case, an employee’s username and password for a members-only porn site.
In December 2020, REvil attacked a well-known cosmetic surgery group with several high-profile patients (‘The Hospital Group’ a.k.a. ‘Transform Hospital Group’). It threatened to publish patients’ ‘before and after’ photographs unless their ransom demand was met.
REvil’s modus operandi is to call the victim’s business partners, journalists, and its CEO / Founder, and to use personal information (“Personal OSINT”) to bully the individuals concerned. It comes with the warning that the more effort required to secure payment from the victim, the greater the ransom will be:
“[…] victims need to understand that the more resources we spend before your ransom is paid—all this will be included in the cost of the service”.
Clop ransomware also targets the computers of senior executives. A ransomware gang’s ability to make its victims pay depends on its ability to locate and exfiltrate proprietary or sensitive information. This is probably why Clop deploys ransomware specifically to search the computers used by the target organisation’s most senior executives.
Exploiting cyber insurance coverage
Recently, ransom demands have been based on the victim’s maximum cyber insurance policy cover against extortion. Criminal groups research their targets’ finances to determine the extent of their insurance cover against extortion, and use this information to assess the ‘affordability’ of ransom demands.
In January 2021, the Conti group attacked British retailer FatFace, initially demanding a US$8.5 million payment to stop the publication of stolen customer and employee data, including banking details. The breach apparently first took place through a phishing attack earlier in the month. The attackers used this early foothold to gain admin rights before spreading laterally through FatFace’s network. Over 200GB of data was exfiltrated from the victim’s systems before the systems were encrypted by the ransomware.
When the negotiator representing FatFace tried to reduce the ransom demand by explaining the company could not afford it, Conti rejected this reasoning because they knew that the organisation’s cyber insurance policy covered up to £7.5 million against extortion. The criminal group eventually agreed to accept a reduced payment of US$2 million after FatFace argued its revenue had fallen when high street stores shut during the pandemic lockdown.
Screenshots from negotiations between Conti and FatFace reveal this criminal group targets organisations that have acquired cyber insurance:
“Most of our attacks are covered by the insurance companies when the demands cannot be handled by other reasons […] Our demands are lower than your insurance coverage. I have no idea how this can break you when you are insured for 7,500,000 GBP. I suppose it’s time to contact your insurance company.” - ‘Support’ from Conti group.
Using professional negotiators
A representative of the REvil group (going by the alias ‘Unknown’) claimed they not only engage intermediaries for negotiation but also recommend them to victims to help speed up the process. When a victim negotiates with aggressively low offers (for example, by responding to a $1 million ransom with a $15,000 offer), REvil regards this as making negotiations more difficult than necessary and begins publishing the stolen data on its leaks site. The aim is to increase pressure on the victim so they pay in full, or at least offer a higher sum:
“70% are just there to knock down the price. Very often they make it harder […] Nobody likes hagglers, especially show-offs. So, more often than not, they are likely to do more harm.” (REvil’s experience with professional ransomware negotiators engaged by victims)
Unknown claims that REvil likes to work with preferred intermediaries. The group informs an intermediary who the victim is so they can make contact and offer their negotiation services. In return, REvil provides “good discounts to decent intermediaries so that they can make a bit of profit and the companies [i.e. victims] pay less”.
At Threat Essentials, we rapidly detect when customers’ data has been leaked before it attracts widespread public attention. We help customers respond proactively to the situation and set their ransomware incident run books in motion.
What are our top 5 recommendations for mitigating risk of a ransomware attack?
#1 Determine your current risk level from external ransomware groups, so that you can identify the sector-, geography- and market-specific ransomware groups relevant to you and understand the susceptibility of your third parties, key suppliers and partners to ransomware attacks. You should also know how effective your mitigating controls are.
#2 Ensure your actual ransomware risk level is below the organisation’s current risk appetite.
#3 Maintain ongoing monitoring and alerting for new and emerging ransomware groups relevant to you.
#4 Proactively reduce ransomware risk for upcoming key business activities.
#5 Consistently and rigorously report on and socialise ransomware risk trends within your key stakeholder groups.
To find out more about how Threat Essentials can support your cyber defences, get in touch with a Threat Essentials analyst at firstname.lastname@example.org