Small government agencies and healthcare clinics are high-value targets in the latest wave of extortion-based cyberattacks.
During the COVID-19 pandemic, high-profile ransomware attacks made international headlines. The world was shifting to remote work, and cybercriminals extracted huge payoffs from unprepared organizations.
However, these attacks did not go unnoticed. When DarkSide was pinpointed as the threat actor responsible for the Colonial Pipeline attack, it brought extreme pressure and scrutiny to the group. They had attracted the attention of one of the world’s best-equipped national security organizations, and the risk was simply no longer worth it.
Today, many of these large, enterprise-level organizations have hardened their systems against ransomware attacks. The number of large government agencies reporting successful data breaches has slowed down since the pandemic era.
But the number of government institutions under attack overall has increased. According to the Verizon 2023 Data Breach Investigations Report, more than 20% of security incidents reported involved government agencies and public administration. Almost one out of every four of these incidents involved ransomware.
This is because cybercriminals have chosen new targets. Smaller government agencies and health clinics don’t have the robust security controls of a national organization, but they deal with the same kind of confidential data that attackers can exploit for cash.
When cybercriminals target major critical infrastructure providers, it makes global news and sparks a national emergency. When cybercriminals target the public IT infrastructure of a small town with fewer than 30,000 residents, the story stops at the local level.
There is no crisis when this kind of attack happens, and little interest from law enforcement and national security agencies. These agencies are already swamped with bigger cases that require their attention and resources. Professional cybercrime syndicates understand what this means – they’re more likely to get paid.
Tens of thousands of these kinds of attacks can happen every year, and the majority of them would go largely unreported. Instead of taking tens of millions of dollars from one large victim, cybercriminals can now take smaller amounts from a much larger number of small victims.
This explains why cybercrime groups are targeting smaller victims, but not why they’re moving away from ransomware and towards extortion. Explaining that requires deeper insight into the costs of running a cybercrime business.
It’s a well-known fact that the preferred organizational structure of the cybercrime industry is ransomware-as-a-service. Threat actors with specialist talent group together and offer other threat actors specific solutions for their cyberattacks.
Sometimes these groups ask for compensation through subscription payments made via cryptocurrency. Sometimes they demand a percentage of any earnings made using their software. Some may have more complex, alternative payment structures.
A professional cybercrime syndicate targeting large victims can afford to pay out a decent percentage of its earnings to each partner it relied on to carry out the attack. A multi-million-dollar payout can be split in many different ways without causing too much disruption.
This is not true of multiple small-scale payouts. If a group of cybercriminals wants to earn profit by exploiting local government agencies, health clinics, and other small institutions, they need to cut costs. There is tangible economic pressure to use fewer, cheaper tools and to save time and effort when conducting attacks.
In June 2023 a plastic surgeon in Los Angeles suffered a data breach that led to the exfiltration of sensitive patient data. More than 70 patients had their private medical data compromised, and attackers threatened to publish the data online if their demands were not met.
In this case, the data included photographs of patients before and after their esthetic operations, as well as financial data and medical records. Many of the clinic’s patients were high-profile social media influencers and celebrities. The attackers carefully chose the target they knew would be most vulnerable to an extortion-based attack.
This kind of attack makes adding an additional ransomware encryption layer redundant. The damage that cybercriminals are threatening to do is focused entirely on the people who entrusted the victim with the most sensitive and personal parts of their lives.
There is clearly no need to add ransomware to the equation; doing so would only add to the cost of carrying out the attack. As a result, this group of cybercriminals skipped the ransomware step and went straight to extortion.
Unlike typical ransomware attacks, extortion attacks require cybercriminals to exfiltrate sensitive data from the victim’s network. That means they must find a way to sneak important data off the network and receive it on a device they control. There are several ways to do this:
Some of these attacks require cybercriminals to leverage additional resources and bypass security tools like firewalls. However, since threat actors may be reluctant to add new technologies to their stack in response to every obstacle, organizations can dramatically reduce their exposure to extortion risks by adopting a multi-layered security posture.
Organizations that strengthen their anti-data exfiltration capabilities are better equipped to block unauthorized transfers and keep their data safe from cyber extortionists. Find out more about how your organization can protect itself from opportunistic threat actors with PRODAFT.
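To make the anti-exfiltration point concrete, here is an added example (not code from the article or from PRODAFT) that runs simple volume-based detection logic over constructed proxy log lines: it sums outbound bytes per internal host and external destination and flags any pair that exceeds a threshold. The log format, host names, the `.local` internal suffix and the 500 MB threshold are all assumptions.

```python
import re
from collections import defaultdict

# Constructed sample proxy log lines (not taken from the article):
# timestamp, source host, destination host, bytes sent outbound.
SAMPLE_LOG = """\
2023-06-01T02:03:11Z src=10.0.1.15 dst=mail.example-clinic.local bytes_out=24010
2023-06-01T02:14:52Z src=10.0.1.15 dst=files.unknown-host.example bytes_out=812000000
2023-06-01T02:20:09Z src=10.0.1.22 dst=updates.vendor.example bytes_out=15400
2023-06-01T02:31:44Z src=10.0.1.15 dst=files.unknown-host.example bytes_out=640000000
2023-06-01T09:12:00Z src=10.0.1.30 dst=ehr.example-clinic.local bytes_out=93000
"""

# Assumed log format; adjust the pattern to the proxy or firewall actually in use.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) bytes_out=(?P<bytes>\d+)$"
)


def parse_log(text):
    """Parse log lines into (timestamp, src, dst, bytes) tuples, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((m["ts"], m["src"], m["dst"], int(m["bytes"])))
    return events


def outbound_volume(events, internal_suffix=".local"):
    """Sum bytes each internal host sent to each external destination."""
    totals = defaultdict(int)
    for _, src, dst, nbytes in events:
        if not dst.endswith(internal_suffix):  # internal-to-internal traffic is ignored
            totals[(src, dst)] += nbytes
    return totals


def flag_exfiltration(events, threshold_bytes=500 * 1024 * 1024, internal_suffix=".local"):
    """Return sorted (src, dst, total) triples whose outbound volume exceeds the threshold."""
    totals = outbound_volume(events, internal_suffix)
    return sorted((src, dst, t) for (src, dst), t in totals.items() if t > threshold_bytes)


if __name__ == "__main__":
    for src, dst, total in flag_exfiltration(parse_log(SAMPLE_LOG)):
        print(f"ALERT {src} sent {total / 1e6:.0f} MB to external host {dst}")
```

In production the threshold would be derived from each host's own baseline rather than a fixed constant, and the alert would feed a blocking control rather than only a print statement.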