A new trend is emerging among ransomware groups where they prioritize stealing data from workstations used by top executives and managers in order to obtain "juicy" information that they can later use to pressure and extort a company's top brass into approving large ransom payouts.
ZDNet first learned of this new tactic earlier this week during a phone call with a company that paid a multi-million dollar ransom to the Clop ransomware gang.
Similar calls with other Clop victims and email interviews with cybersecurity firms later confirmed that this wasn't just a one-time fluke, but instead a technique that the Clop gang had fine-tuned across the past few months.
Making the extortion personal
The technique is an evolution of what we've been seen from ransomware gangs lately.
For the past two years, ransomware gangs have evolved from targeting home consumers in random attacks to going after large corporations in very targeted intrusions.
These groups breach corporate networks, steal sensitive files they can get their hands on, encrypt files, and then leave ransom notes on the trashed computers.
In some cases, the ransom note informs companies that they have to pay a ransom demand to receive a decryption key. In case data was stolen, some ransom notes also inform victims that if they don't pay the ransom fee, the stolen data will be published online on so-called "leak sites."
Ransomware groups hope that companies will be desperate to avoid having proprietary data or financial numbers posted online and accessible to competitors and would be more willing to pay a ransom demand instead of restoring from backups.
In other cases, some ransomware gangs have told companies that the publishing of their data would also amount to a data breach, which would in many cases also incur a fine from authorities, as well as reputational damage, something that companies also want to avoid.
However, ransomware gangs aren't always able to get their hands on proprietary data or sensitive information in all the intrusions they carry out. This reduces their ability to negotiate and pressure victims.
This is why, in recent intrusions, a group that has often used the Clop ransomware strain has been specifically searching for workstations inside a breached company that are used by its top managers.
The group sifts through a manager's files and emails, and exfiltrates data that they think might be useful in threatening, embarrassing, or putting pressure on a company's management — the same people who'd most likely be in charge of approving their ransom demand days later.
"This is a new modus operandi for ransomware actors, but I can say I'm not surprised," Stefan Tanase, a cyber intelligence expert at the CSIS Group, told ZDNet in an email this week.
"Ransomware usually goes for the 'crown jewels' of the business they are targeting," Tanase said. "It's usually fileservers or databases when it comes to exfiltrating data with the purpose of leaking it. But it makes sense for them to go after exec machines if that's what's going to create the biggest impact."
Clop already uses this tactic, REvil too, but scarcely
Brett Callow, a threat analyst at cybersecurity firm Emsisoft, told ZDNet that, so far, they've only seen tactics like these in incidents involving the Clop ransomware.
"This style of blackmail may be the modus operandi of a particular [Clop] affiliate, and that affiliate could also work for other [ransomware] groups," Callow told us.
The Emsisoft analyst described this evolution in extortion tactics as "not at all surprising" and "a logical and inevitable progression."
"Over the last couple of years, the tactics used by ransomware groups have become increasingly extreme, and they now use every possible method to pressure their victims," Callow said.
"Other tactics include harassing and threatening phone calls to both executives and customers and business partners, Facebook ads, press outreach, and threats to reveal companies' 'dirty laundry'."
But in a similar interview with Evgueni Erchov, director of incident response and cyber threat intel at Arete IR, it appears that an affiliate of the REvil (Sodinokibi) ransomware-as-a-service operations has already adopted this technique from the Clop gang (or this might be the same Clop affiliate which Callow mentioned above).
"Specifically, the threat actor was able to find documents related to ongoing litigations and the victims' internal discussions related to that," Erchov told ZDNet.
"Then the threat actor used that information and reached out directly to executives over email and threatened to release the data of the alleged 'misconduct by the management' publicly," Erchov said.
Allan Liska, a senior security architect at Recorded Future, told ZDNet that they've only seen this tactic with Clop attacks, but they don't rule out other ransomware actors adopting it as well.
"Ransomware gangs are very quick to adopt new techniques, especially those that make ransom payment more likely," Liska said.
"It also makes sense in the evolution of extortion tactics, as ransomware gangs have gone after bigger targets they have had to try different ways of forcing payment.
"Leaking stolen data is the one everyone is aware of, but other tactics, such as REvil threatening to email details of the attack to stock exchanges, have also been tried," Liska said.
Not always truthful
However, Bill Siegel, the CEO and co-founder of security firm Coveware, said that in many cases, the data used in these extortion schemes aimed at a company's management aren't always truthful or living up to expectations.
"They [the ransomware groups] make all sorts of threats about what they may or may not have," Siegel told ZDNet.
"We have never encountered a case where stolen data actually showed evidence of corporate or personal malfeasance. For the most part, it is just a scare tactic to increase the likelihood of payment," Siegel said.
"Let's remember these are criminal extortionists. They will say or claim all sorts of fantastical things if it makes them money."
ZDNet would also like to thank security firm S2W Lab for their help on this article.