Hackers Swap Extortion Tactics as Police Bring the Heat

The Clop gang said it stole personal data from victims, rather than crippling a business.

A passenger airplane, operated by British Airways, next to other airplanes on the tarmac at London Heathrow Airport in London, UK.

Photographer: Chris Ratcliffe/Bloomberg

Criminal hacker groups have a new favorite strategy to bilk innocent companies out of cryptocurrency.

So-called ransomware gangs are deploying fewer strains of ransomware in favor of data theft. They still demand a payment, in exchange for not publishing a victim’s sensitive data. But they’re deploying less malicious code — ransomware — that encrypts computer files, essentially locking them up and sometimes bringing businesses to a halt.

The shift in strategy comes after years of relentless ransomware attacks against schools, hospitals, businesses and government organizations. Among the most notorious was the Colonial Pipeline attack in 2021 that curtailed fuel supplies on the East Coast and another that same year on Ireland’s public health system that hobbled hospitals and slowed patients’ treatments.

“The shift in cyber extortion from ransomware encryption towards pure data theft has been gradually building for the last two years but has certainly picked up speed,” said Lizzie Cookson, senior director of incident response at the cyber extortion incident response firm Coveware.

The shift by hacking groups coincides with an increased effort by law enforcement to crack down on ransomware. Some hacking groups have adjusted by changing their tactics.

For instance, the hacking gang LockBit laid out rules for affiliates — essentially people who rent their malware for attacks. They are prohibited from encrypting files for critical infrastructure and medical facilities but they can steal their files.

That shift allows a hospital, business or organization to continue operating, even if the fallout from the leaked data can be terrible for the company, customers or patients whose personal information is exposed.

Incidents in which attackers rely on data theft without encryption have increased by more than 50% since last year, Cookson said. A recent Coveware report found that 70% of attacks against companies with over 10,000 employees were limited to data theft only.

The Clop extortion gang has resorted to such behavior in recent months, according to cybersecurity researchers.  

The group exploited a flaw in MOVEit, a file transfer product from Progress Software Corp., to compromise data from a range of organizations. Victims included IAG SA’s British Airways, the British Broadcasting Corp. and the state of Minnesota’s Department of Education. 

Clop said it would give victims until Wednesday to pay its extortion demand, otherwise it would publish the information it stole from affected firms.

Cybercriminal groups have also made such a shift in recent years because security defenses have improved, making it more difficult for hackers to impact operations with an encryption-based attack, Cookson said. 

“Encryption is not consistently crippling companies in the way that it used to, so rather than expend resources on getting around these defenses, some threat groups have abandoned the encryption approach altogether and opted to focus purely on data theft,” she said. 

Hackers recently tried a similar strategy against the cybersecurity firm Dragos. After stealing data, the hackers harassed the family members of the company’s CEO and other employees. The company said it refused to pay the hackers.

That doesn’t mean hackers aren’t still deploying ransomware. Sometimes hacker groups do what’s called “double extortion,” where they demand separate payments for the keys to unlock their victims’ computers and for a promise that they won’t leak stolen data.

“Cyber criminals ultimately want to make money, and incorporating data theft into their operations increases their potential to get paid,” said Kimberly Goody, head of criminal analysis at Mandiant.

What We Learned This Week

A US court sentenced a 39-year-old Romanian to three years in prison for his role in a “bulletproof” web hosting site that enabled hackers to distribute malware throughout the internet.

Mihai Paunescu, who pleaded guilty on Feb. 24 to hacking-related charges, operated a website that afforded anonymity to cybercriminals, shielding their digital footprint via an array of IP addresses and computer servers, according to the US Justice Department.

Hackers used Paunescu’s service to spread the notorious Zeus trojan, the Gozi virus and the SpyEye trojan, among others. The Gozi virus, an early kind of destructive malware, breached more than 1 million computers worldwide, including 400,000 machines in the US, and helped hackers breach NASA, the Justice Department said.

NASA signage at the 32nd Space Symposium in Colorado Springs, Colorado.
Photographer: Matthew Staver

What We’re Reading

France detected a Russian disinformation operation involving fake websites and a network of inauthentic social media accounts.

Crypto hacks continue rippling through social media, forcing investors to start paying more attention.

Ukrainian cops raided a facility that they say was a Russian troll farm.

A former Samsung executive was accused of stealing blueprints to make a copycat semiconductor plant in China.

Two Russians allegedly stole roughly 647 Bitcoins in a heist at Mt. Gox, the early crypto exchange that collapsed amid widespread suspicion.

Google updated its email authentication after a vulnerability expert pointed out flaws in the protocol.

US officials used an anti-porn app to spy on the family of a man who was released on bond, resulting in him being arrested again.

Gone Phishing

You can reach Jeff Stone at jstone183@bloomberg.net. Margi Murphy is mmurphy500@bloomberg.net. You can also send us files safely and anonymously using our SecureDrop.
