04/08/2022 · 5-minute read
The last few months have shown indications that the ransomware landscape may be shifting. The first is a change in tactics from threat actors, who are increasingly moving away from encrypting data to exfiltrating it. Concurrently, there are signs that victim organisations are becoming less likely to pay ransoms.
However, as the cyber threat landscape constantly changes, perhaps the only certainty is that cybercriminals will look for new ways to threaten businesses for financial gain.
As regulations and cybersecurity measures evolve, so do the tactics and technology of cybercriminals. In recent years, threat actors’ dominant method has been double extortion, where they both encrypt an organisation’s data and threaten to publish the copy they have stolen unless it pays a ransom. But in recent months, some cybercriminals have been modifying that approach.
Since the end of 2021, a number of groups have employed ransomware-free extortion methods. For example, the group Lapsus$ gained infamy following a number of high-profile attacks on targets ranging from governmental bodies to large corporations. Lapsus$ did not encrypt, but focused solely on the theft of confidential data. Following in their footsteps, a new group called Karakurt emerged. The US Cybersecurity and Infrastructure Security Agency (CISA) recently released advice on Karakurt, which similarly steals victim data and demands a ransom payment under the threat of releasing stolen information online.
There are a number of potential reasons for this shift in tactics. An optimistic view could be that encryption no longer represents the threat it once did, as organisations have improved their backup solutions, reducing the need to pay a ransom to decrypt data. It may also be that threat actors want to fly under the radar after high-profile attacks on critical infrastructure, such as on the Colonial Pipeline, which attracted a significant law enforcement response. Alternatively, it could simply be that it is cheaper, easier, and perhaps equally effective to skip encryption and move straight to extortion.
This trend could have a profound effect on the types of cyber insurance claims made. A move away from encryption would likely result in fewer business interruption losses: without encryption, the day-to-day operations of a company can largely continue, although containment and investigation may still require systems to be isolated or taken offline for a time. However, system infiltration, data theft, and extortion will likely still result in significant financial losses that a cyber insurance policy would respond to, depending on policy specifics.
As cybercriminals focus on theft, they are more likely to hunt for data that would be particularly embarrassing if leaked. The more sensitive and harmful the data, the greater the risk of the victim company becoming a target of litigation by data subjects and their lawyers, as well as potentially facing regulatory action.
Despite these apparent changes, the need for robust incident response is undiminished. Organisations will still need to investigate and contain the compromise, and assess what data has been stolen and its potential impact on data subjects, the company, and clients. Where personal data is involved, it may be necessary to make regulatory notifications, particularly where sensitive categories of data are affected.
Organisations facing ransomware or data extortion need to make a number of key decisions quickly, including whether to pay the ransom, a decision that has become increasingly complex in the last 12 months.
The vast majority of ransom payments are made to Russia-based cybercriminals. Therefore, the wave of sanctions following the invasion of Ukraine by Russia has heightened concerns among businesses, including cyber insurers, that they could potentially breach sanctions by paying or facilitating the ransom. Organisations considering paying ransoms need to ensure they seek expert advice and conduct extensive due diligence to ensure they do not fall foul of terrorist financing laws, anti-money laundering rules, or sanctions.
The UK Information Commissioner’s Office (ICO) and National Cyber Security Centre (NCSC) recently released a joint letter to the legal profession regarding ransom payments. They stressed that paying ransoms to release locked data or obtain a promise that it will not be published online does not reduce the risk to affected individuals, is not an obligation under data protection law, and would not be considered a reasonable step to safeguard data.
The ICO and NCSC stressed that regulators’ focus is on cyber hygiene and the measures in place to protect data, as opposed to whether ransoms were paid. The message from the ICO and NCSC is clear: they wish to discourage ransom payments.
This statement is a positive development because many businesses that do not want to pay a ransom may ultimately do so due to a misplaced concern that the ICO might interpret non-payment as a failure to take all necessary steps to prevent publication of stolen personal data. That concern should now be a thing of the past.
Will the move to data theft signal the end of encryption-based ransomware? Unlikely. Cybercrime is a quickly adapting landscape, and cybercriminals form part of a highly profitable ecosystem that rapidly evolves to ensure continued revenues. It remains critical to bolster defences and prepare for all eventualities.
Cyber insurance has never been more important. The apparent change in threat actors’ tactics may alter the types of cyber insurance claims submitted, but risk transfer will remain a critical pillar of cyber resilience.
The recent clarity provided by the ICO on ransom payments should make clearer the question of whether to pay. However, to pay or not to pay remains a complex legal, operational, reputational, and strategic decision. Organisations need to actively prepare and discuss how to react to a ransom demand before an event occurs.
While every case is unique, the decision to pay a ransom is sometimes made alongside a false expectation that it is the fastest route to recover — or the best way to protect — stolen information. Stress testing these assumptions through simulations and implementing ransomware playbooks and incident response plans can help to identify the organisation’s priorities and the practicalities of incident response.
Head of Cyber Incident Management
Head of Cyber Claims Advocacy