Threat Essentials analysts have observed the emergence of at least 11 new cyber extortion gangs since the Colonial incident in May. Collectively these groups have carried out 99 successful attacks across 25 sectors in 16 countries.
“Attacks by Country” and “Attacks by Gang”, “Attacks by Sector” (below), and use of dataset by Threat Essentials
is licensed under CC BY 4.0
Given that the dataset is a record of successful, not attempted attacks and that it only captures the activities of groups who publicise their attacks, even this brief look at the statistics demonstrates that cyber extortion as a criminal practice is thriving.
Two cyber extortion business models
Of course, not every attack perpetrated by cyber extortion gangs involves ransomware. Instead, modern cyber extortion is a mix of two distinct business models, these being:
- data theft combined with the threat of disclosure, the so-called “ransom or data dump” approach
- encrypting files and then demanding a ransom for the decryption key
It is within this first business model – the “ransom or data dump” – that we have seen the most development since the Colonial Pipeline attack in May. The main strategic developments in this area have included the following three key trends:
1. Manufacturing as a preference target: of the 99 attacks, 16 were directed against the manufacturing sector. This is significant given that the second most targeted sector is construction on seven attacks, with the average attacks per sector being just over three.
2. Large data dumps as the new normal: some gangs would appear to have moved towards large scale data dumps as a cornerstone of their business model with Conti, Marketo and Revil (before their “retirement”), leading the pack in terms of the volume of victim data being dumped.
3. Emergence of specialist “ransom or data dump” cyber extortionists: groups like Marketo have been seen to only use a ransom or data dump approach. We have not seen them deploy ransomware in any of the attacks that we are aware of to date.
Cyber extortion – an evolving scene
So, what does this data say about the current cyber extortion scene? Aside from the obvious observation that cyber extortion is very much alive and well in the post-Colonial world, it suggests a move away from Ransomware deployment and towards data theft and dump as the preferred model.
There are a number of possible factors for this shift, including technical factors such as the challenges of deploying ransomware versus the ease of stealing data and social factors such as a possible stigma being attached to ransomware post-Colonial. Regardless of the casual factors behind this change, the manufacturing sector is a primary focus of cyber extortionists at this point, probably due in large part to an abundance of business-critical data within this sector.