Professional Documents
Culture Documents
2023 Unit42 Ransomware Extortion Report
2023 Unit42 Ransomware Extortion Report
What You Can Expect From an Attack: An Example Ransomware Incident ................................ 25
Methodology ............................................................................................................39
While in many cases the motivation is financial, In our review of incident response cases, as well
Unit 42 also sees indications that extortion can as our threat intelligence analysts’ assessment of
happen in service of a group’s larger goals— the larger threat landscape, we noted some
sometimes simply to fund other activities, but key points:
other times to distract from them.
M
Multi-extortion tactics continue to rise. Harassment is another extortion tactic we
In Unit 42 ransomware cases, as of late 2022, see being used in more ransomware cases.
threat actors engaged in data theft in about 70% Ransomware threat actor groups will target
of cases on average. Compare this to mid-2021, specific individuals in the organization, often
and we saw data theft in only about 40% of cases in the C-suite, with threats and unwanted
on average. Threat actors often threaten to leak communications. By late 2022, harassment was
stolen data on dark web leak sites, which are a factor in about 20% of ransomware cases.
increasingly a key component of their efforts to Compare this to mid-2021, when harassment was
extort organizations. a factor in less than 1% of Unit 42
ransomware cases.
L
Large, multinational organizations can organizations on the Forbes Global 2000 list
be lucrative targets for threat actors. were publicly impacted by extortion attempts.
Attacks on the world’s largest organizations Since 2019, at least 96 of these organizations
represent a small but notable percentage have had confidential files publicly exposed to
of public extortion incidents. In 2022, 30 some degree as part of attempted extortion.
A
Advanced threat groups may use extortion Other threat groups, including some from Iran or
and ransomware to fund other activities — China, seem to have a different objective when
or hide them. Threat groups from countries using ransomware. Threat actors can gain more
under economic embargoes or sanctions have than money from deploying ransomware —it also
been observed using ransomware and extortion has potential for both destruction and espionage.
to fund their operations.
P
Predictions for what to expect from extortion • A rise in extortion related to
in the coming year. Unit 42 experts have put insider threats.
together predictions for what we expect to
• A rise in politically motivated
see from extortion groups in the coming year.
extortion attempts.
Our predictions include:
• The use of ransomware and extortion
• 2023 will be the year we see a large
to distract from attacks aimed to infect
cloud ransomware compromise.
the supply chain or source code.
• Data Theft:
Threat actors acquire an organization’s data
and threaten to disseminate it unless they are
paid. This often involves dark web leak sites.
Threat actors increasingly target information
that may be particularly sensitive, such as files
containing personally identifiable information
(PII), customer financial data, protected health
information (PHI), etc.
Prepare a Playbook
for Multi-Extortion
Important files on your network was ENCRYPTED and now they have “[REDACTED]” extension.
In order to recover your files you need to follow instructions below.
Data includes:
- Employees personal data, CVs, DL, SSN.
- Complete network map including credentials for local and remote services.
- Private financial information including:citizens data, courts data, bills,
budgets, annual reports, bank statements, etc
Samples are available on your personal web page linked below.
>> CAUTION
Ransomware groups have threatened to leak data many threat actors target regulated data sets or
stolen from victims in about 53% of ransomware highly commercially sensitive information for
incidents involving negotiation between mid-2021 maximum leverage.
and late 2022. Due to the efficacy of this tactic,
There are many journalists asking questions about us and our attacks.
If you are a journalist and want to ask some questions you should write:
How did you decide to team up and start a dedicated ransomware group? How was ViceSociety born?
-Group of friends that were interested in pentest. We decided to try.
What do you do if the law says that someone can’t pay you? Does that matter? What happens if the customer doesn’t respond?
-We don’t care about laws. If someone doesn’t pay or doesn’t contact us, we will publish their documents.
Has Vice Society published all the data it took from “company name” or does Vice Society have additional data that still has not been published?
-We always publish everything.
©2021 Copyright Vice Society. All rights reserved. Emails: V.society.official@onionmail.org. Vice Society@onionmail.org
About 10% of Unit 42’s incident response We’ve also investigated several incidents
matters involving extortion do not involve related to the Luna Moth/Silent Ransom Group.
encryption. Often, these extortion attempts These threat actors are known for an extortion
rely on data theft. campaign targeting businesses in multiple
sectors, including legal and retail. Rather than
However, in a small number of cases, threat encryption, the campaign relies on social
actors have deleted organizations’ data engineering to convince targets to provide
altogether. This is particularly prevalent in remote access to systems. They then use that
matters involving databases that were vulnerable access to exfiltrate data and follow up with
and directly exposed to the internet. There extortion attempts.
are several automated threats that delete the
database contents, claim to have exfiltrated
them, and leave behind an extortion message in a
new database table for the victims to find.
Using data theft as an extortion tactic without
encryption was most frequently seen in Unit 42
cases involving the Karakurt ransomware group.
Every day, our threat researchers see information It’s also worth mentioning that when we track
about seven new victims posted to dark web organizations whose information was posted
leak sites—averaging out to about one publicly on a leak site, we are typically looking at those
posted new extortion target every four hours. In who chose not to pay the criminal group’s
2022, names and proof of compromise for 2,679 original demand. Therefore, the actual global
victims were posted on leak sites, about 4% impact of gangs who maintain leak sites is higher
higher than the number observed in 2021. than what we can observe there—presumably,
some organizations choose to pay to keep their
information off the dark web.
organizations on their leak site, the highest extortion strategy, such as Conti and REvil,
victim count we have observed in the last dissolved in 2022. However, we expect other
two years from any one group. LockBit criminals to continue making heavy use of
posted 409 victims in 2021, meaning that this approach to extortion. As noted above,
in 2022, we saw a 95% increase in victim cybercriminals threatened to leak stolen data
count compared to last year’s entries. in about 70% of ransomware cases involving
By comparison, Conti posted 511 victims negotiation in late 2022. The cybersecurity
Karakurt, named the “Extortion Branch of Conti,” Other groups try to make a name for themselves
was responsible for various notorious incidents by attacking the world’s most recognizable
in 2022. For example, they attacked one of the organizations. For example, Lapsus$, a
largest Chinese investment holding companies, cybercrime group that emerged in mid-2021, was
allegedly stealing 320 GB of corporate data. responsible for compromising organizations such
as NVIDIA, Samsung, Microsoft, and LG.
This group gains access to corporate networks
either through their own expertise or by paying To accomplish this, Lapsus$ mostly used
initial access brokers (who sell access to social engineering (including phishing and SIM
breached networks). Karakurt forgoes encryption swapping) for initial access. This group also tried
in favor of other methods of extortion, such to entice disgruntled employees to provide them
as contacting victims’ employees, business with inside information in exchange for payment.
partners, and clients with harassing emails and Even well-defended organizations can struggle to
phone calls to pressure the victims to cooperate. prevent attacks targeted at insiders in
They often exacerbate the situation by using the this manner.
organization’s own data against them.
While the group extorted some victims, they
sometimes appeared more interested in the
notoriety of compromising high-profile targets.
Implement a Threat
Intelligence Program
Based on both Unit 42’s data and dark web leak This gives the threat actors a rapidly expanding
site data, the manufacturing industry was one attack surface through which they can deploy
of the most impacted by extortion attacks in their attacks. The bigger the scale, the bigger
2022, with 447 victims listed on various sites. the payout.
Following this sector was the professional and
legal services industry, with 343 victims. Criminals often seek targets in industries where
it’s critical for business operations to be able to
Industries in which organizations often run provide certain products or services in a timely
on systems with out-of-date software can be manner. The groups aim to take advantage of the
more heavily impacted. When it’s difficult for pressure these organizations are under to meet
organizations to regularly update or patch, threat deadlines and produce deliverables, hoping this
actors gain an opportunity to take advantage of will lead them to pay quickly and in full. Lost
old vulnerabilities to initiate their exploits. revenue streams from operational downtime
can also push organizations to concede to threat
actors’ demands.
Figure 4. Industries most heavily impacted by extortion attacks (leak site data, 2022)
Leak site data indicates the Americas region Germany and the U.K., accounting for
was hit the hardest by extortion attempts in nearly 5% each.
2022, followed by Europe, the Middle East,
and Africa (EMEA), and the Asia Pacific Threat actors, due to their financial goals,
region (JAPAC). often focus on profitable organizations based
in the United States. However, despite the
When looking at organizations posted on leak concentration of attacks in the U.S., criminal
sites by country, the United States is still the gangs have a global presence and have been
most severely impacted, accounting for 42% of observed impacting organizations in 107
the observed leaks in 2022. This is followed by countries in 2022.
Figure 5. Top countries impacted by extortion attempts (leak site data, 2022)
Implement Enterprise-Wide
Zero Trust Architecture
When APTs
Use Ransomware
Security leaders at large organizations with While it makes sense to be concerned about
mature security programs sometimes assign a determined and highly skilled threat groups—
lower risk level to ransomware incidents. These the sorts of threat actors who can circumvent
organizations generally have sufficient security even a mature organization’s security controls—
tools, robust cyber liability insurance, and dismissing the threat of ransomware can overlook
strong data recovery programs or operational the infrequent but impactful ransomware attacks
redundancy. Instead of ransomware, these that are now run by APT groups.
organizations are often more concerned about
defending against nation-state attackers and
advanced persistent threat (APT) groups.
• Strategic risk
• Reputational risks
• Operational issues
• Financial risks
• SOC Transformations
SUPPORT &
SCOPE INVESTIGATE SECURE TRANSFORM
REPORT
Define engagement Fully understand the Contain and eradicate Findings and response Improve your security
scope incident assistance posture
We remove the
Assess the breadth, Our experts use threat with custom Get a detailed Use lessons learned
severity, and nature of advanced tools for eradication strategies investigation report and apply specific
the security incident. evidence collection, and provide 24/7 as well as guidance improvements to your
detection and analysis in implementing security approach to
monitoring against new
to flag IoCs, TTPs and additional security protect against future
malicious activity.
other clues. controls while you get and similar attacks.
back on your feet.
Threat Intelligence
Palo Alto Networks is the world’s cybersecurity leader. We innovate to outpace cyberthreats,
so organizations can embrace technology with confidence. We provide next-gen cybersecurity to
thousands of customers globally, across all sectors. Our best-in-class cybersecurity platforms and
services are backed by industry-leading threat intelligence and strengthened by state-of-the-art
automation. Whether deploying our products to enable the Zero Trust Enterprise, responding
to a security incident, or partnering to deliver better security outcomes through a world-class
partner ecosystem, we’re committed to helping ensure each day is safer than the one before.
It’s what makes us the cybersecurity partner of choice.
At Palo Alto Networks, we’re committed to bringing together the very best people in service
of our mission, so we’re also proud to be the cybersecurity workplace of choice, recognized
among Newsweek’s Most Loved Workplaces (2021), Comparably’s Best Companies for
Diversity (2021), and HRC’s Best Places for LGBTQ Equality (2022). For more information,
visit www.paloaltonetworks.com.
About Unit 42
Palo Alto Networks Unit 42 brings together world-renowned threat researchers, elite incident
responders and expert security consultants to create an intelligence-driven, response-ready
organization that’s passionate about helping you proactively manage cyber risk. Together,
our team serves as your trusted advisor to help assess and test your security controls against
the right threats, transform your security strategy with a threat-informed approach, and respond
to incidents in record time so that you get back to business faster.Visit paloaltonetworks.com/unit42.
Main +1.408.753.4000 © 2023 Palo Alto Networks, Inc. Palo Alto Networks is a registered
trademark of Palo Alto Networks. A list of our trademarks can be
Sales +1.866.320.4788 found at www.paloaltonetworks.com/company/trademarks.html.
Support +1.866.898.9087 All other marks mentioned herein may be trademarks of their
respective companies. 2023 Unit 42 Ransomware and Extortion
www.paloaltonetworks.com Report 03/2023.