Cybercriminals frequently change their tactics to get access to users' sensitive information. Earlier, ransomware operators focused only on encrypting critical systems and demanding a ransom for the decryption key. Now several of these operators are using a newer tactic, double extortion, to pressure victims in two ways: a ransom demand and a threatened data leak. In a double extortion attack, the operators first steal data from the victim's network, then encrypt the systems and demand a ransom. If the victim refuses, or as a second demand on top of the first, they threaten to publish the stolen data on a dark web leak site.
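The sequence described above (bulk data transfer to an external host, followed hours or days later by mass file encryption on the same machine) is what a defender can actually look for. The following is an added example, not code from the original article or from DarkTracer: a small Python correlator run over constructed endpoint and network events that separates the double extortion pattern (exfiltration, then encryption) from encryption alone. Host names, IP addresses, the `.locked` extension and all thresholds (200 MiB outbound within six hours, 50 renames to one new extension within five minutes, a 48-hour lookback) are assumptions chosen for illustration, and the internal address ranges are assumed to be RFC 1918.

```python
"""Correlate staged data theft with follow-on mass file encryption per host.

Added example with constructed telemetry; thresholds and sample data are assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

EXFIL_BYTES = 200 * 1024 * 1024          # assumed: 200 MiB to external hosts ...
EXFIL_WINDOW = timedelta(hours=6)        # ... within six hours counts as staging/exfil
RENAME_BURST = 50                        # assumed: 50 renames to one new extension ...
RENAME_WINDOW = timedelta(minutes=5)     # ... within five minutes counts as encryption
LOOKBACK = timedelta(hours=48)           # assumed: exfil precedes encryption by up to 2 days
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_external(dst):
    """True when dst is outside the assumed RFC 1918 internal ranges."""
    addr = ip_address(dst)
    return not any(addr in net for net in INTERNAL_NETS)


def build_sample_events():
    """Constructed telemetry (not real data): (timestamp, host, event_kind, detail)."""
    base = datetime.fromisoformat("2021-05-10T22:00:00")
    mib = 1024 * 1024
    events = []
    # ws-17: three 100 MiB transfers to an external address, then 60 renames to .locked a day later
    for i in range(3):
        events.append((base + timedelta(minutes=5 * i), "ws-17", "net_out",
                       {"dst": "203.0.113.9", "bytes": 100 * mib}))
    enc = base + timedelta(hours=26)
    for i in range(60):
        events.append((enc + timedelta(seconds=2 * i), "ws-17", "file_rename", {"new_ext": ".locked"}))
    # ws-22: a large copy to an internal file server, then a handful of .bak renames (benign)
    events.append((base, "ws-22", "net_out", {"dst": "10.0.0.5", "bytes": 900 * mib}))
    for i in range(10):
        events.append((base + timedelta(hours=1, seconds=i), "ws-22", "file_rename", {"new_ext": ".bak"}))
    # ws-31: mass encryption with no preceding outbound transfer
    for i in range(60):
        events.append((base + timedelta(hours=3, seconds=i), "ws-31", "file_rename", {"new_ext": ".locked"}))
    return sorted(events, key=lambda e: e[0])


def _first_window_hit(times_vals, window, threshold):
    """Return the first timestamp at which the sliding-window sum reaches threshold, else None."""
    dq = deque()
    total = 0
    for t, v in times_vals:
        dq.append((t, v))
        total += v
        while dq and t - dq[0][0] > window:
            total -= dq.popleft()[1]
        if total >= threshold:
            return t
    return None


def detect(events):
    """Return one alert per (host, extension) encryption burst, tagged by whether exfil preceded it."""
    net = defaultdict(list)       # host -> [(time, bytes)] to external destinations
    renames = defaultdict(list)   # (host, new_ext) -> [(time, 1)]
    for t, host, kind, detail in events:
        if kind == "net_out" and is_external(detail["dst"]):
            net[host].append((t, detail["bytes"]))
        elif kind == "file_rename":
            renames[(host, detail["new_ext"])].append((t, 1))

    exfil_at = {h: _first_window_hit(v, EXFIL_WINDOW, EXFIL_BYTES) for h, v in net.items()}
    alerts = []
    for (host, ext), tv in renames.items():
        enc_at = _first_window_hit(tv, RENAME_WINDOW, RENAME_BURST)
        if enc_at is None:
            continue
        ex = exfil_at.get(host)
        staged = ex is not None and timedelta(0) <= enc_at - ex <= LOOKBACK
        alerts.append({
            "host": host,
            "ext": ext,
            "pattern": "exfil_then_encrypt" if staged else "encrypt_only",
            "exfil_at": ex if staged else None,
            "encrypt_at": enc_at,
        })
    return alerts


if __name__ == "__main__":
    for alert in detect(build_sample_events()):
        print(alert)
```

An encryption burst with no preceding outbound transfer is reported as `encrypt_only` rather than dropped: exfiltration telemetry is often missed, and the encryption still needs a response. The distinction matters for the incident, since a confirmed `exfil_then_encrypt` hit means a leak has to be assumed regardless of whether the ransom is paid.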
Hack and Leak
An investigation by dark web intelligence profiling platform DarkTracer revealed that around 34 ransomware gangs have exposed sensitive information of over 2,155 victim organizations on the dark web.
Source: "Intelligence Report on Ransomware Gangs on the Darkweb", DarkTracer : DarkWeb Criminal Intelligence (@darktracer_int), May 11, 2021
According to DarkTracer, the 34 ransomware groups include Avaddon, DarkSide, Team Snatch, Maze, Conti, NetWalker, DoppelPaymer, NEMTY, Nefilim, RansomEXX, Sekhmet, Pysa, AKO, Sodinokibi (REvil), Ragnar_Locker, Suncrypt, CL0P, LockBit, Mount Locker, Egregor, Ranzy Locker, Pay2Key, Cuba, Everest, Ragnarok, Babuk locker, Astro Team, LV, File Leaks, Marketo, N3tw0rm, Lorenz, Noname, and Xing Locker.
Of these 34 groups, the five most active operators by published victims are Conti (338 data leaks), Sodinokibi/REvil (222), DoppelPaymer (200), Avaddon (123), and Pysa (103).
Double Extortion – A Rising Threat
The double extortion technique has become lucrative because threat actors cash in on victims' fear of a data leak, and the trend is attracting ransomware groups globally.
Even when an organization pays the ransom to prevent a leak or to recover its encrypted data, there is no guarantee that the criminals will supply a working decryptor, or that they will delete the stolen copy rather than leak or resell it later.
A similar analysis from F-Secure found that double extortion ransomware attacks increased sharply in 2020. Researchers observed more than 15 ransomware families using the double extortion approach against organizations, and nearly 40% of the ransomware families discovered that year used it. The major active families using the method include Ragnar Locker, DoppelPaymer, Clop, Conti, and ChaCha.
Upwork, the online work marketplace, has also projected that 36.2 million Americans will be working remotely by 2025, an 87% increase from pre-pandemic levels. This new normal of remote work widens the attack surface that ransomware operators can exploit against small, medium, and large businesses alike, and leaves victims more likely than ever to pay.