Why Cyber Extortion Attacks Now Do Not Require Ransomware

Cyber attackers are shifting their strategies, moving away from traditional ransomware attacks and instead relying on social engineering tactics to extort money from victims, according to Paul Chichester, the operations director of the UK’s National Cyber Security Centre (NCSC). Chichester shared his insights during a speech at the 44CON conference in London, emphasizing that while ransomware incidents are still a major concern, many attackers are now opting to steal data and threaten to leak it rather than encrypting it.

“We’ve seen criminals move from only encrypting data, to double extortion — encrypting it and threatening to leak it, to now, on some occasions, simply threatening to leak the data,” Chichester explained. He believes attackers are becoming more efficient and seeking ways to make the process less painful for victims, as they are aware that victims are more likely to pay to avoid their data being exposed.

In recent years, “double extortion” attacks have become increasingly prevalent. In these attacks, attackers not only steal valuable data but also demand payment from organizations in exchange for its return. Often, ransomware is also deployed to encrypt networks and computers as an additional pressure tactic. However, the trend is shifting towards pure data-theft extortion, with attackers moving away from encryption malware.

Addressing a cyber extortion attack requires more than just having backups to restore systems and data. Experts advise organizations to adopt best practices for passwords and multifactor authentication, efficient patch management, and enhanced security training for their employees.

Chichester highlighted the UK’s policy that discourages organizations from paying ransom due to the belief that such payments support criminal activities. However, he acknowledged that some companies still choose to pay as a way to reassure their customers that their data is protected. Chichester shared a story of a company that was attacked, where the ransom payment was deliberately set to be lower than the potential GDPR fine, creating an illusion that the company was saving money by paying the ransom.

The empathetic NCSC official recognized the difficult position that companies face when dealing with ransomware attacks. In some cases, organizations feel they have no choice but to pay the ransom when all their data is encrypted and they are locked out of their systems.

GDPR fines for data breaches have varied, ranging from £20 million ($24 million) for British Airways to $425 million for Microsoft-owned LinkedIn. The maximum fine, as stated by the UK Information Commissioner’s Office, is £17.5 million or four percent of the total annual worldwide turnover in the previous financial year, whichever is higher. In contrast, ransomware payments have been reported to reach up to eight figures, with UK organizations paying an average of $2.1 million in 2023.

Chichester emphasized the importance of collaboration between the NCSC and the UK industry sector. When organizations alert the NCSC about a ransomware attack, the agency can study the malware and work with threat intelligence providers and research communities to assist the victims. Sometimes, the NCSC also acts as a mediator between the victim and the attacker.

“I’d much rather stop an incident than actually be responding to one,” Chichester stated. “But we respond to and work closely with all of those organizations [that are hit].”

Chichester’s insights shed light on the evolving tactics of cyber attackers and the challenges faced by organizations dealing with ransomware attacks. As the threat landscape continues to evolve, it is crucial for businesses to prioritize cybersecurity measures, including proactive defense strategies, employee training, and effective incident response protocols.
