Instances of encryption-less attacks have seen a sharp uptick in recent years, allowing threat actors to extort businesses without the added step of encrypting data.
That’s according to Zscaler’s 2023 Ransomware Report, which highlighted a 40% increase in encryption-less ransomware attacks over the past year.
Encryption-less ransomware attacks, also known as extortion-only attacks, are a streamlined form of the classic ransomware strategy. In a conventional ransomware attack, the threat actor first gains access to an organization’s data, encrypts it, and then demands a ransom in exchange for the decryption key. Encryption-less attacks skip the encryption step entirely and focus solely on stealing the data.
In encryption-less attacks, cybercriminals typically steal large volumes of data, including business contacts, financial records, employee and client databases, intellectual property, and other sensitive information, explained Deepen Desai, global CISO and head of security research and operations at Zscaler. The approach allows cybercriminals to avoid having to use expensive and sophisticated decryption tools. It also pressures victims to pay quickly to prevent data disclosure, often resulting in larger and faster payouts.
Why Are Extortion-Only Attacks on the Rise?
The uptick in encryption-less attacks might be due, at least in part, to efforts made by the Cybersecurity and Infrastructure Security Agency (CISA) following the Colonial Pipeline incident in 2021. The Colonial Pipeline attack was a pivotal event, not only because attackers successfully extorted nearly $5 million, but also because it triggered public alarm by raising fears about fuel shortages.
The high-profile success of the Colonial Pipeline attack led to a crackdown on ransomware groups. In response, more extortion-only groups, such as Lapsus$ and Karakurt, entered the scene. Encryption-less attacks are believed to attract less attention and scrutiny compared to traditional ransomware attacks.
The proliferation of cryptocurrencies has also popularized a tactic known as “double extortion,” which combines data compromise and encryption with a threat to sell or publish data on the dark web if a ransom is not promptly paid. NCC Group has seen a 67% rise in both double-extortion and encryption-less attacks over the past year.
According to Ian Usher, deputy global head of threat intelligence at NCC Group, a driving force behind the expansion of ransomware attacks is the heightened activity of initial access brokers. Initial access brokers sell access to organizations’ infrastructure to threat actors on the dark web.
What Can IT Pros Do To Protect Organizations?
The most effective defense is to understand your organization from an attacker’s perspective. When a chief information security officer can spot vulnerabilities and anticipate the routes attackers might use to target their organization, they can prioritize patching and reinforce defensive measures accordingly.
In addition, organizations must assess their data and identify the potential impact of a breach. Usher advised that organizations follow these guidelines:
- Take inventory of all assets and data.
- Implement a recovery plan and test it.
- Maintain offline backups.
- Limit the use of remote desktop services.
- Enable multifactor authentication.
- Prioritize patching and stay vigilant with updates.
To prevent compromise, organizations must establish and maintain consistent security policies that begin at the source code level, Desai stressed. By implementing extensive SSL inspection capabilities, browser isolation, inline sandboxing, and policy-driven access control, organizations can prevent access to malicious websites, block the channels used for initial compromise, and detect unknown threats before they reach users.
In addition, organizations should conduct regular cybersecurity audits, even when there may not be an immediate perceived threat. Audits not only give IT professionals a rundown of potential vulnerabilities but also assess compliance adherence and help identify security awareness gaps within the organization.
What Might the Future Bring?
Given the success of encryption-less attacks, they are likely to continue in the coming months. However, a new SEC ruling may diminish the effectiveness of some of these attacks. The ruling mandates that public companies disclose material breaches within four days. While businesses can still pay ransoms to protect their data, the enforced transparency will shine a light on threat actors, potentially reducing attacks.
Legislative measures have proven to be a successful deterrent to certain cybercriminal activities, but regardless, the dark web’s economy for compromised credentials remains lucrative. “[Stolen data] can often provide an initial access broker with the access they need before selling on to the next attacker for further monetization,” Usher said. “As such, staff should be educated around the perils of browsing unsafe websites or using pirated software.”