As if encrypting data isn't leverage enough to extract money from organizations, ransomware operators are increasingly adding double, triple, and even quadruple extortion models to their campaigns these days.

Researchers from Trend Micro recently analyzed threat data from the first six months of 2021 and, predictably enough, discovered ransomware to be one of the most significant threats for enterprise organizations, as it has been for the past several quarters.

What was different, however, was the increase in ransomware attacks and groups using multiple extortion methods, including data theft, denial-of-service attacks, and, more recently, by directly harassing customers and stakeholders of victim organizations.

As of mid-June, Trend Micro counted at least 35 ransomware families that employed double extortion methods — a tactic that the Maze ransomware operation pioneered in late 2019. In these attacks, the threat actors not only encrypted critical data but also stole it and used the threat of publicly leaking the data as additional leverage to get victims to pay up.

Trend Micro also observed an increase ransomware attacks that added distributed denial-of-service attacks to the mix. The tactic was first employed by the operators of the SunCrypt and RagnarLocker families late last year but has been more recently adopted by others, including a group called Avaddon. Meanwhile, the operators of Cl0p and DarkSide, the group behind the crippling ransomware attack on Colonial Pipeline, have been observed adding yet another layer in some of their attacks — directly contacting customers of victim organizations, via email and call centers, Trend Micro says.

Also different on the ransomware front was increased collaboration between threat actors on gaining access to victim networks and the use of tools and techniques associated with advanced persistent threat (APT) actors in ransomware campaigns.

"Multiple extortion techniques are allowing [modern ransomware gangs] to maximize their ability to profit from their attacks," says Jon Clay, vice president of threat intelligence at Trend Micro. "Double, triple, and even quadruple extortion efforts cause major challenges for their victims." The other concerning trend is the collaboration among cybercriminal gangs in attacks, Clay says. Access-as-a-service actors sell their services to ransomware gangs while the ransomware-as-a-service (RaaS) gangs themselves are improving their offerings to entice more affiliates to join them.

The main takeaway for enterprise organizations is the shift in tactics by cybercriminals, such as ransomware gangs, that are adopting nation-state APT tactics for use in their campaigns, Clay notes. "Our data shows a drop in total ransomware detections, but that is mainly due to WannaCry infection sources being eliminated due to patching efforts," he says. Most ransomware families — especially RaaS families such as REvil, Cl0p, and Comti — saw increased use compared with a year ago, he says. "Without significant efforts on the part of law enforcement and nation-states in addressing this issue and helping to target ransomware gangs, they will continue to flourish without concerns of being shut down," he says.

Ransomware-related activity accounted for a substantial proportion of the 40.9 billion malicious emails, files, and URLs that Trend Micro blocked for customers in the first half of 2021. The number represented a 47% year-on-year increase in threat volumes — an increase that numerous other vendors have noted and described as resulting at least partly from the shift to a more distributed work environment caused by the COVID-19 pandemic.

Increase in Other Attacks
In addition to ransomware threats, Trend Micro observed an increase in attacks involving business email compromise and the installation of cryptocurrency mining tools on enterprise systems and networks. Clay attributes the increase in illegal cryptocurrency mining on the overall rise in crypto valuations over the last year. "[Threat actors] will not invest in their own mining infrastructure due to costs, so [they] will continue to attempt to utilize others’ infrastructure for their mining efforts."

APT groups continued to be as active as ever, as well, many of them backed by state actors and motivated by different objectives, including theft of financial information, stealing sensitive data, and installing cryptominers. Among the most active APT groups that Trend Micro observed were Team TNT, Water Pamola, Earth Wendigo, and Earth Vetala.

Team TNT was notable for its activities against cloud environments, Clay says. Last year, the group was observed targeting Docker APIs with an XMrig cryptocurrency miner. In June, the group was seen engaged in a campaign to steal Amazon Web Services credentials. Other groups, such as Iran-based Earth Vetala (aka MuddyWater), were seen targeting organizations in the United Arab Emirates, Saudi Arabia, Israel, and Azerbaijan in a cyber-espionage campaign. APT groups are attempting to increase the attack surface they target, Clay says, and regularly changing their tactics to improve their infection success as well as their ability to stay resident within a victim’s network.