Hackers increasingly use phone and email harassment to extort ransom payments

SECURITY

A new report out today from Palo Alto Networks Inc.’s Unit 42 finds that ransomware and extortion actors are using more aggressive tactics to pressure organizations, with harassment involved 20 times more often in ransomware attacks than in 2021.

The 2023 Unit 42 Ransomware and Extortion Report found that ransomware harassment is typically carried out via phone calls and emails. The target of phone calls is usually specific individuals, often in the C-suite or even customers, to pressure companies into paying a ransom demand.

The report found that ransomware demands continued to be a pain point for organizations over the last year, with payments as high as $7 million in cases that Unit 42 observed. The median demand was $650,000, while the median payment was $350,000, indicating that effective negotiation can drive down actual payments.

“Ransomware and extortion groups are forcing their victims into a pressure cooker, with the ultimate goal of increasing their chances of getting paid,” explained Wendi Whitmore, senior vice president and head of Unit 42. “Harassment has been involved in one of every five ransomware cases we’ve investigated recently, showing the lengths that these groups are willing to go to coerce a payday. Many are going so far as to leverage customer information that has been stolen to harass them and try to force the organization’s hand into payment.”

The researchers describe the harassment as “multi-extortion,” with ransomware groups layering extortion techniques for greater impact to apply more pressure on organizations to pay the ransom. Some of these tactics include encryption, data theft, distributed denial-of-service attacks and harassment.

Data theft, often associated with dark web leak sites, was the most common of the extortion tactics, with 70% of groups using it by late 2022, a 30-percentage-point increase from the year prior. Unit 42 researchers now see an average of seven new ransomware victims posted on leak sites daily, equating to one new victim every four hours.

An estimated 53% of ransomware incidents now involve negotiation as ransomware groups threaten to leak data stolen from organizations on their leak site websites. The activity has been seen from a mix of new and legacy groups, indicating that new actors are entering the landscape to cash in as legacy groups have done. Established groups like BlackCat, LockBit and others contributed to 57% of the leaks, with new groups trailing close behind at 43%.

Other findings in the report include that organizations based in the U.S. are the most publicly affected, with 42% of the observed leaks in 2022. In second and third place were Germany and the U.K., accounting for nearly 5% each.

In 2022, 30 organizations on the Forbes Global 2000 list were publicly affected by extortion attempts. Since 2019, at least 96 of these organizations have had confidential files publicly exposed to some degree as part of attempted extortion. Manufacturing was the most targeted industry in 2022, with 447 compromised organizations publicly exposed on leak sites.

Image: Pixabay