Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


01:00 PM
Connect Directly
E-Mail vvv

Ransomware? Let's Call It What It Really Is: Extortionware

Just as the targets of these attacks have shifted from individuals to corporations, so too has the narrow focus given way to applying force and pressure to pay.

No one needs reminding that ransomware has reached incredible proportions; one widely reported statistic from Purplesec suggests that $20 billion was paid out in 2020. That's almost double its $11.5 billion estimate from 2019, with a commensurately huge increase in the number of attacks, while Bitdefender suggested a 715% increase in the first half of the year.

The "crews" have multiplied, adopted tactics that are reminiscent of nation-state attacks, and developed partnerships and relationships with a speed and efficiency that put many of our business practices to shame. New tactics are constantly appearing both to gain access and to apply pressure on victims to pay.

Related Content:

How Ransomware Defense Is Evolving With Ransomware Attacks

Special Report: How IT Security Organizations are Attacking the Cybersecurity Problem

New From The Edge: AI and APIs: The A+ Answers to Keeping Data Secure and Private

What hasn't changed is what we call it: ransomware. That's a mistake, since it ties it in too many people's minds to the past, and to a much less threatening form of the attack, the attack form that started in 1989 with the AIDS Trojan (distributed on 20,000 floppy disks and looking for a payment of around $500). The attack returned in the mid-2010s, but as individual threats. Attacks such as CryptoWall, Cryaki, TeslaCrypt, and CTB-Locker impacted individual users and forced the victim to approach the attacker to recover. Attackers also took rapid advantage of cryptocurrencies, using the relative anonymity and easy transferability of Bitcoin to protect them as they monetized their efforts.

These attacks were distributed by multiple means, or vectors. Phishing, pop-ups from malvertising, and even messaging on platforms like Facebook Messenger were common vectors. The code base was different, the attack vector was different, but the goal was the same. Land on a user's computer, encrypt that computer and network-accessible data, and demand payment. The attack was against the individual, and corporate damage was a bonus (in terms of payment), not the objective. The ransom was to decrypt the locked data, and defensive tactics focused on limiting access to data — least privilege, user-awareness training, and host-based malware prevention.

This model slowly shifted toward corporate targets, as the bad guys followed the money. 2020, however, saw a series of seminal shifts in the landscape, and a change in tactics. This series of shifts is why we should change the naming — from ransomware, a serious attack but one with a relatively narrow scope, to extortionware, where every pressure is being applied to force payment.

The first shift was in the maturity of the attacker. Ransomware was a wide net, and encryption was an early part of the attack. With extortionware, the attacking crews have adopted advanced tactics or have purchased access from initial access brokers in order to fully monetize a compromise. Rather than land and encrypt, the model is what you'd expect in a data breach: perform an initial compromise, expand laterally, escalate privilege, locate important data (and backups), and only when holding a commanding position does the attacker execute the coup de grâce and encrypt the data.

This alone isn't enough to change the name of a class of attack. The biggest change is that this type of attack is no longer just a demand for a ransom to decrypt data. Starting with the Maze crew in May 2020, the attackers started to exfiltrate the data before encrypting it. A victim was placed in double jeopardy; even if the target were able to recover from backup or brute-force encryption, confidential data could be leaked.

By the start of 2021, this tactic was being widely adopted with at least Revil, Netwalker, and Mespinoza adopting it. Attackers added distributed denial-of-service to their arsenal by October 2020, and even started pressuring victims via social media to up the stakes. Finally, toward the end of 2020, threats were made to deliberately disclose compromising and damaging information that executives had divulged internally.

Calling this ransomware ties it in too many people's minds to the older attacks and downplays the current threat. We have to change perception and the branding. We can label the trend as what it is — not just a ransom to get your data unencrypted, but extortion by all means. We should call it something more threatening. Whether we call it extortionware or something else, we cannot continue to treat it just as a data availability issue.

Our approach to the threat must change — the reason for changing how we refer to it. Data protection is going to remain imperative, and immutable backup is a key part of that protection strategy. But it cannot be the only part. We have to ensure that we are using the whole security suite to detect these attacks before we need to restore, and to limit the scope of damage if it occurs. We have to start with a strategy and our security must be adaptive because the attack is adapting. For now, key controls will be strong and contextual identity, microsegmentation, and robust vulnerability management programs. None of these are new, but their relevance and importance are.

Charlie Winckless is the Senior Director of Cybersecurity Solutions for Presidio, setting strategic direction both internally to Presidio and helping clients build digital trust. He is a cybersecurity veteran with over 20 years' experience in the field and cut his IT teeth at ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Former CISA Director Chris Krebs Discusses Risk Management & Threat Intel
Kelly Sheridan, Staff Editor, Dark Reading,  2/23/2021
Security + Fraud Protection: Your One-Two Punch Against Cyberattacks
Joshua Goldfarb, Director of Product Management at F5,  2/23/2021
Cybercrime Groups More Prolific, Focus on Healthcare in 2020
Robert Lemos, Contributing Writer,  2/22/2021
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Building the SOC of the Future
Building the SOC of the Future
Digital transformation, cloud-focused attacks, and a worldwide pandemic. The past year has changed the way business works and the way security teams operate. There is no going back.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-02-27
SerComm AG Combo VD625 AGSOT_2.1.0 devices allow CRLF injection (for HTTP header injection) in the download function via the Content-Disposition header.
PUBLISHED: 2021-02-27
An issue was discovered in through SaltStack Salt before 3002.5. salt.modules.cmdmod can log credentials to the info or error log level.
PUBLISHED: 2021-02-27
In SaltStack Salt before 3002.5, eauth tokens can be used once after expiration. (They might be used to run command against the salt master or minions.)
PUBLISHED: 2021-02-27
An issue was discovered in SaltStack Salt before 3002.5. Sending crafted web requests to the Salt API can result in salt.utils.thin.gen_thin() command injection because of different handling of single versus double quotes. This is related to salt/utils/thin.py.
PUBLISHED: 2021-02-27
i-doit before 1.16.0 is affected by Stored Cross-Site Scripting (XSS) issues that could allow remote authenticated attackers to inject arbitrary web script or HTML via C__MONITORING__CONFIG__TITLE, SM2__C__MONITORING__CONFIG__TITLE, C__MONITORING__CONFIG__PATH, SM2__C__MONITORING__CONFIG__PATH, C__M...