The report found that government and education sectors saw a rise in double extortion attacks, in which ransomware actors both encrypt files and threaten to publish sensitive data. The report also marked a continued trend of encryption-free extortion, in which attackers just steal data and demand money in exchange for not publishing it.
The study examined events from April 2022 through April 2023. It drew on data about threats monitored by Zscaler’s security cloud as well as on outside information sources, including open source research, law enforcement reports and threat intelligence feeds. The research team also analyzed ransomware samples and attack data. The report provides insights into trends, but does not capture the full picture of the threat, because some attacks go unreported or undetected, it notes.
Overall, the volume of ransomware attacks globally was up nearly 38 percent year over year, based on Zscaler cloud data. An examination of victims listed on data leak sites during the time period found most were from the manufacturing sector, with education sector victims being the ninth most common and government 13th.
The report also marked some cyber extortionists shifting to different coding languages that may be harder to reverse engineer and making use of leaked ransomware code.
ENCRYPTION-FREE EXTORTION
The trend of encryptionless extortion began being observed in 2021, per the Zscaler report. Zscaler said such attacks increased in 2022 and early 2023, but it could not say by how much.
Encryption-free extortion can be enticing to criminals for several reasons, including that data exfiltration can often be conducted via living-off-the-land style attacks that use legitimate tools for ill purposes which can better avoid detection by security tools, Zscaler suggests.
This report isn’t the only one detecting a trend toward such attacks, and CrowdStrike’s February Global Threat Report found ransomware-free extortion campaigns rose 20 percent year over year in 2022.
DOUBLE EXTORTION
Not all cyber attackers are following CL0P’s seeming transition away from double extortion, however.
Globally, double extortion attacks against the education sector grew 121.79 percent year over year, while such attacks against the government sector grew 33.33 percent, per the report. That increase, while notable, is smaller than what Zscaler observed in last year’s report. The earlier report considered how the quantity of double extortion attacks seen in 2021 compared to 2020; it found a 225 percent year over year increase of such attacks facing the education sector and 37 percent year over year increase in those facing government entities.
From April 2022 to April 2023, just over 40 percent of double encryption attacks impacted entities in the United States, distantly seconded by entities in Canada which were affected by 6.75 percent of such attacks, per the report.
“It’s definitely economically driven. … so that makes the U.S. a high target, as it’s the world’s largest economy,” said Ian Milligan-Pate, Zscaler area vice president for state, local and education.
Criminals may find double extortion more impactful than traditional, single extortion attacks in which criminals only locked up files and demanded ransom, instead of also threatening to leak data.
“Double extortion attacks are often more successful than the old encryption-only extortion attacks as most organizations have now adopted good data backup hygiene (since WannaCry, Bad Rabbit ransomware outbreaks) allowing them to quickly recover the encrypted files,” a Zscaler spokesperson said.
RANSOMWARE EVOLVES
The developers behind ransomware have been changing their approaches, with 2022 and 2023 seeing some abandoning traditional programming languages like C and C++ in favor of newer ones like Golang and Rust. Notable ransomware group BlackCat, for example, switched to Rust in late 2021, per the report.
Zscaler says such programming languages are more memory safe, harder to reverse engineer and offer “robust cross-platform code compilation capabilities,” enabling “attackers to target multiple operating systems, including Windows and Linux, and multiple architectures such as x86, x64 and ARM, using a single code base.”
Hackers have also used leaked source code from other ransomware groups. For example, major ransomware group Conti — now disbanded — saw its source code publicly posted in May 2022; since then “numerous threat groups,” including LockBit, have used the code in some of their own attacks.
Allan Liska, an intelligence analyst at threat intelligence platform provider Recorded Future, previously commented on this trend during a May event, noting the increasing emergence of new ransomware variants that use other ransomware groups' code. Liska dubbed these variants “Franken-ransomware” and said such code recycling can make it difficult to accurately attribute the attacks.
It’s not all about the new: Zscaler’s Milligan-Pate noted that older ransomware is still being put into play.
“The other thing we’re seeing is, there is innovation within ransomware and there are new variants emerging. There’s also just a rebranding of malware that’s been around for several years now. We're seeing just a repackaging, or marketing rebrand, of some of these original ransomware kits, and then they’re being funneled back through those affiliate networks,” Milligan-Pate said. Ransomware-as-a-service (RaaS) models see "operators" lease or sell ransomware and related tools or supports to other actors, called affiliates, who then deploy it against victims.
ZERO TRUST AND MONITORING
A variety of steps can help with cyber defenses. For organizations not already doing so, this can include measures like regularly patching software and regularly making data backups, establishing cyber incident response plans and giving employees ransomware awareness training, per the report. Additionally, it recommended organizations take steps toward zero-trust security.
A zero-trust security approach seeks to limit how much access a bad actor could get to victims’ data or other resources, should they manage to infiltrate a network. It involves ideas like requiring users and devices to authenticate themselves when seeking access to data and services. Measures like multifactor authentication (MFA) are one initial step that can help.
Milligan-Pate also recommended adopting solutions aimed at detecting and combating potential data exfiltration. That can include automated tools that monitor data leaving the organization, then respond to halt transmission of sensitive information and alert the organization. Other sandboxing tools can isolate unknown files and analyze them for signs of threats, before permitting them to be downloaded.
