44CON 2023 – London – Cyber attackers are becoming less reliant on ransomware to get victims to pay — instead using social engineering skills to extort money, according to a top official from the UK’s National Cybersecurity Centre (NCSC).
Speaking at 44CON in London, NCSC’s operations director Paul Chichester said ransomware remains a major concern for the agency and for businesses as the number of ransomware incidents continue to increase. But a lot of attackers often do not use the encryption malware anymore: They just steal data, put it on a leak site, and solicit for a payment in exchange for taking it down.
“We’ve seen criminals move from only encrypting data, to double extortion — encrypting it and threatening to leak it, to now, on some occasions, simply threatening to leak the data. It feels like they are keen to be as efficient as possible, or perhaps making it less painful for the victim, because generally people still pay to avoid their data being leaked,” he said.
Double extortion is where the attacker steals data and demands a payment from an organization to have it returned, and also often deploys ransomware to encrypt networks and desktops as well. However, attackers increasingly are moving away from using encryption malware, and toward pure data-theft extortion tactics.
Addressing a cyber extortion attack is more than just having backups to restore their systems and data. Organizations also should consider best practices on passwords and multifactor authentication, ensure efficient patch management, and provide security training for employees, experts say.
Who Is Paying Ransom?
NCSC’s Chichester said the UK has a policy that recommends organizations do not pay ransom because the payments fuel the criminal ecosystem. Even so, some companies do pay in order to reassure their customers that their data is safe, he noted.
Sharing a story about a company that was attacked, Chichester said the attacker set the ransom payment to be a lower amount than a GDPR fine, so that it would appear that the company was paying less with the ransom rate than a regulatory fine and therefore saving money.
“That’s not true by the way: You still have to pay a GDPR fine for a data breach, but that’s the way that actors are socially engineering a victim,” he explained.
Chichester said he has empathy for companies that are hit, as he has seen incidents where everything is encrypted and the victim is locked down and they feel they have no choice but to pay the ransom.
Fines for GDPR violations have ranged from £20 million, or $24 million, to $425 million. The UK Information Commissioner’s Office in its guidance on penalties states that the maximum fine is £17.5 million, or four percent of the total annual worldwide turnover in the preceding financial year — whichever is higher.
Ransomware payments, meanwhile, have been reported as reaching up to eight figures, while the average payment by UK organizations in 2023 was $2.1 million.
Chichester praised collaboration with the UK industry sector, especially when organizations alert the NCSC to a ransomware attack. That way, the agency is able to study the malware and work with threat intelligence providers and research communities to help the victim — and sometimes act as a broker between the victim and the attacker.
“I’d much rather stop an incident than actually be responding to one,” he says. “But we respond to and work closely with all of those organizations [that are hit].”
