Jan 13, 2023 - Technology

Ransomware gangs are starting to ditch encryption

Illustration of a mouse in a bear trap

Illustration: Sarah Grillo/Axios

Criminal gangs are using a new method to guarantee a ransomware payout: They're ditching the part where they lock up a target firm's systems by encrypting them and are skipping straight to holding the company's precious data for ransom.

The big picture: As law enforcement attention on ransomware grows, gangs are constantly looking for less-flashy, but still efficient ways to keep their ransomware attacks going.

How it works: A ransomware attack typically starts with hackers installing file-encrypting malware onto an organization's networks and then displaying a ransom note on every screen.

  • In recent years, ransomware criminals have added another layer to their schemes: They steal data before locking an organization out, then demand a second payment to stop them from dumping all the data in public online.

Details: Experts explained to Axios how the new streamlined ransomware attacks work.

  • Rather than seeing a pop-up note on their screens, an organization will now get an email from hackers saying they've stolen a certain amount of data and plan to leak it if they don't get a payment.

Between the lines: Focusing solely on data extortion allows hackers to carry out their attacks more quickly and eliminates their reliance on encryption tools that sometimes fail mid-attack.

  • Law enforcement is also keener on investigating attacks that involve encryption, seeing as it causes more damage, Drew Schmitt, a principal threat analyst at GuidePoint Security, told Axios.
  • Critical infrastructure organizations, like hospitals and schools, might be more willing to pay to prevent data leaks because their information is so sensitive, Crane Hassold, director of threat intelligence at Abnormal Security and a former FBI cyber analyst, told Axios.

Zoom in: The LockBit gang, one of the most active ransomware rings in the last year, has urged members to stop using encryption in attacks on critical infrastructure, Schmitt noted. The group even changed its rules to ban the tactic.

  • Rulebreakers get banned from using LockBit's tools — including the hackers who used LockBit ransomware to encrypt some systems at the Toronto-based Hospital for Sick Children last month.

The intrigue: As companies have gotten better at backing up their data to defend against encryption-based ransomware, more victims have just been paying up to keep the data from getting released, Kurtis Minder, CEO of ransomware negotiation firm GroupSense, told Axios.

  • In turn, ransomware gangs realized they could still get paid the same with half as much work, Minder added.

Yes, but: Ransomware gangs are far from giving up altogether on the encryption maneuver.

  • Most ransomware victims are small to medium-sized businesses that don't have the resources or time to build data backups that they can lean on when a ransomware gang locks up their files, Hassold said.
  • Other hackers are still chasing the opportunity for a double payday — one for the decryption key and the other for not releasing the data.
  • But some gangs might enlist a data-extortion-only tactic if the encryption tools fail halfway through an attack, Minder said.

Be smart: Companies that have solid endpoint security tools and firewalls, along with constant monitoring and security plans that limit employees access to internal files, are the ones that will best be able to foil most varieties of ransomware attack, Schmitt said.

Sign up for Axios’ cybersecurity newsletter Codebook here.

Go deeper