Ransomware attacks tend to follow an unofficial protocol: the attacker gives the victim a window during which the attack is hidden from the public, allowing the victim to discreetly make a payment and resolve the problem as quickly (and with as little hassle) as possible. A new ransomware gang on the scene is turning that convention on its head, defacing the victim’s website to share its ransom note with the company and the public in the immediate aftermath of the attack.
It’s unclear if this signals a broader trend, but ransomware gangs have been known to change and evolve their tactics over time. “Double extortion” is a recent development that has become increasingly common over the past couple of years, and the use of direct website defacement is essentially a mutation of the “triple extortion” approach that started appearing towards the end of 2021.
New ransomware gang comes under direct public pressure with ransom notes
Industrial Spy is a relatively new threat actor that emerged in April with a dark web market used to sell stolen data directly to the public. The group started out as a data extortion business, claiming to offer companies the ability to buy rivals’ confidential data (but most likely simply pressuring the company from whom the data was originally stolen to pay to get it back). It has since expanded its operations to become a ransomware gang, however, beginning to attack an assortment of businesses in mid-May with what appears to be a variant of the Cuba ransomware that has been in circulation for several years.
The group initially operated like a typical ransomware gang, encrypting device files and delivering ransom notes directly to victims in a non-public manner. The website defacement is a new development that appears to have begun with the early June breach of French company SATT Sud-Est. The defacement took place on the English version of the company’s main public site, “sattse.com”. The page was edited with a message stating that 200 GB of data had been stolen and that the ransomware gang demanded a payment of half a million dollars to prevent its public release and the associated “reputational risks”.
Ransomware gangs typically give victims at least two weeks to pay before going public in any way, and may then slowly increase the pressure using targeted communications with company executives or business partners. At most, the stolen data is usually dumped without much fanfare on some sort of dark web site; unless there is something particularly newsworthy, the general public is often unaware of these developments as they get little or no mainstream media coverage.
Private ransom notes are usually part of the ransomware gang’s psychological approach, giving the company the chance to avoid reputational damage (and possibly fines from regulators) by paying quickly to keep the incident quiet. There are almost no prior examples of a ransomware gang going public with its ransom notes this immediately, and defacing websites of any kind is also an extremely unusual tactic.
Website defacing is a new approach, but there are no clear signs that it will become a ransomware trend
It’s unclear whether Industrial Spy’s defacing of the website is the mark of a less experienced group who are new to the game and don’t really understand the nuances of ransomware, or a wiser bet in response to changing market conditions.
The former would initially seem like the safest bet, given that it’s relatively rare for organizations to self-host their sites in such a way that this type of website defacement can occur by breaking into the internal network. Businesses typically use third-party hosting service providers to manage publicly-facing websites. An attacker may find login credentials for a website while browsing the corporate network, but all of that involves extra work (and risk) that doesn’t make sense in a typical ransomware attack.
Ransomware gangs are constantly evolving and changing their techniques, sometimes based on information that is not publicly available. Prior to the late 2010s, ransomware attacks were much more dispersed. Savvy threat actors have finally realized that the indiscriminate distribution of ransomware as spam attracts many small fish with no ability to pay, wasting their time and resources. Attacks then became more targeted, focusing on companies known to have the ability to pay (whether through assets on hand or cyber insurance). This then led to more personalized approaches such as spearphishing, with potential entry points spotted on public sites such as LinkedIn.
Yet ransomware remained almost exclusively about encrypting files (and demanding payments to unlock them) until 2019. The DoppelPaymer ransomware was the first major shift towards ransomware gangs first exfiltrating sensitive files, then encrypting everything and delivering their ransom notes. This has led to the development (and popularization) of the “double extortion” approach, in which ransomware gangs threaten to leak sensitive files to the public through the dark web portals they run. This in part grew out of a growing realization by organizations that maintaining regular online and offline backups was essentially an antidote to the traditional ransomware attack.
“Triple extortion” is another development that surfaced in late 2021, and it is the one to which the website defacement approach is most closely linked. This involves ransomware gangs not only encrypting and exfiltrating files, but also delivering ransom notes to companies in the target organization’s supply chain or to its customers. Some have also incorporated strategic leaks to the media. Industrial Spy’s website defacement approach simply skips the gradual escalation and jumps straight to full public notice for the company’s customers.
It remains to be seen whether defacing the website is an approach that can create a net positive for ransomware gangs. Posting ransom notes on company websites means law enforcement is immediately notified of the situation; not only does this allow for a faster response, but it also rules out the possibility of a company paying a sanctioned entity in secret or factoring the public suppression of the incident into its decision to pay. The surest sign that it actually works is if imitators appear during 2022.