Unit 42 Ransomware and Extortion Report Highlights: Multi-Extortion Tactics Continue to Rise

This post is also available in: 日本語 (Japanese)

Introduction

While much attention has been paid to ransomware in recent years, modern threat actors increasingly use additional extortion techniques to coerce targets into paying—or dispense with ransomware altogether and practice extortion on its own.

Organizations, in turn, need to evolve defenses to address the various methods threat actors use to apply pressure. Incident response plans today need to involve not only technical considerations but also safeguards for an organization’s reputation and considerations for how to protect employees or customers who may become targets for some of extortionists’ more aggressive tactics.

Our 2023 Unit 42 Ransomware Threat Report explores recent incident response cases, as well as our threat intelligence analysts’ assessment of the larger threat landscape. It also offers predictions for how we believe threat actors will use ransomware and extortion tactics going forward.

Key Findings From the 2023 Unit 42 Ransomware and Extortion Threat Report

Multi-Extortion Tactics Continue to Rise.

In Unit 42 ransomware cases, as of late 2022, threat actors engaged in data theft in about 70% of cases on average. Compare this to mid-2021, and we saw data theft in only about 40% of cases on average. Threat actors often threaten to leak stolen data on dark web leak sites, which are increasingly a key component of their efforts to extort organizations.

Harassment is another extortion tactic we see being used in more ransomware cases. Ransomware threat actor groups will target specific individuals in the organization, often in the C-suite, with threats and unwanted communications. By late 2022, harassment was a factor in about 20% of ransomware cases. Compare this to mid-2021, when harassment was a factor in less than 1% of Unit 42 ransomware cases.

Extortion Gangs Are Opportunistic–But There Are Some Patterns in the Organizations They Attack.

Based on our analysis of dark web leak sites, manufacturing was the most targeted industry in 2022, with 447 compromised organizations publicly exposed on leak sites. Unit 42 believes this is due to the prevalence of systems used by this industry running on out-of-date software that isn’t regularly or easily updated or patched—not to mention the industry’s low tolerance for downtime.

Organizations based in the United States were most severely affected, according to leak site data, accounting for 42% of the observed leaks in 2022.

Large, Multinational Organizations Can Be Lucrative Targets for Threat Actors

Attacks on the world’s largest organizations represent a small but notable percentage of public extortion incidents. In 2022, 30 organizations on the Forbes Global 2000 list were publicly impacted by extortion attempts. Since 2019, at least 96 of these organizations have had confidential files publicly exposed to some degree as part of attempted extortion.

Predictions for What to Expect From Extortion in the Coming Year

Unit 42 experts have put together predictions for what we expect to see from extortion groups in the coming year. Our predictions for 2023 include:

• A large cloud ransomware compromise
• A rise in extortion related to insider threats
• A rise in politically motivated extortion attempts
• The use of ransomware and extortion to distract from attacks aimed to infect the supply chain or source code

Recommendations to Improve Ransomware and Extortion Preparedness

Prepare a Playbook for Multi-Extortion

During an active extortion incident, rapid support from your incident response partner and outside legal counsel is critical. From a mitigation perspective, having a comprehensive incident response plan with corresponding crisis communication protocols will greatly reduce uncertainty. It’s important to know which stakeholders should be involved, and the process to make decisions promptly (e.g., whether or not to pay, or who is authorized to approve payments).

The crisis communication plan should also cover what to do (or avoid doing) in the event that employees or clients are being harassed. Ransomware harassment awareness training should be delivered to an organization’s staff to equip them with tools and processes to follow during an active harassment incident.

Organizations should conduct a post-mortem compromise assessment to validate that any remnant backdoors or other indicators of compromise (IoCs) (e.g., scheduled tasks or jobs) have been removed. This ensures that the threat actor cannot easily conduct a follow-up attack after an initial breach.

How Unit 42 Can Help

Get the full 2023 Unit 42 Ransomware and Extortion Threat Report for more ransomware and extortion insights, trends and recommendations for best practices.

If you think you may be subject to an active ransomware or extortion attack or have an urgent matter, get in touch with the Unit 42 Incident Response team or call:

• North America Toll-Free: 866.486.4842 (866.4.UNIT42)
• EMEA: +31.20.299.3130
• APAC: +65.6983.8730
• Japan: +81.50.1790.0200

Additional Resources

• 2023 Unit 42 Ransomware and Extortion Report
• Mitigating Cyber Risks With MITRE ATT&CK
• The Changing Face of Ransomware, live webcast Thursday, April 20 9:00 a.m. to 10:00 a.m. PT

Updated March 22, 2023, at 1:30 p.m. PT.