The growing impact on
Australia and New Zealand

Ransomware and Cyber Extortion

Download Full Guide

The impact and frequency of all forms of cyber extortion has increased in 2021. All Australian and New Zealand organisations are at risk.

Attackers use different cyber extortion methods, including ransomware and data theft extortion.

While attackers often apply these methods together, they can also occur separately. Understanding their differences is key to responding effectively.

Data theft extortion is an increasingly popular crime, both on its own and together with ransomware. In the next 12 months, it may outstrip ransomware as criminals’ preferred method of cyber extortion.

What is cyber extortion and how does it work?

Criminals are using two dominant cyber extortion strategies: ransomware and data theft extortion.

They often combine these strategies, but not always.

We believe it is important to understand both, and their differences, to develop the most effective techniques for preparing and responding.

In a typical ransomware attack, the attacker disrupts the availability of a victim organisation’s files or systems in order to significantly impact their operations.

The attacker gains unauthorised access to a victim’s network and runs malicious software known as ‘ransomware’. The ransomware encrypts files, making them unreadable. Affected files can include user files such as documents and spreadsheets or system files which are required for computers to properly operate.

Some attacks make other changes, such as locking systems to make them inaccessible to users or displaying ‘ransom notes’ on screen to alert users to the attack and instruct them how to pay their attackers.

The effects of ransomware can normally be reversed by using a decryption program or key, which the attacker usually promises to provide in exchange for a payment. Payments are often transacted using cryptocurrency such as Bitcoin or, more recently, Monero.

Data theft extortion involves the attacker stealing confidential information and threatening to share it in a way that will cause harm to the organisation.

Data theft extortion has become increasingly popular among cybercriminals since late 2019. It is often combined with ransomware – an approach sometimes called ‘double extortion’.

In a 2020 interview, representatives of REvil (one of the most prolific ransomware syndicates) flagged their intent to focus more on data theft extortion, which they see as being a more profitable, easier crime. Many cybercrime groups are orientating away from ransomware towards other strategies of extortion, either solely or combined with ransomware.

Data theft extortion involves the attacker stealing confidential information and threatening to share it in a way that will cause harm to the organisation.

Case study

Australian and New Zealand organisations hit by mass data theft extortion attack

In early 2021, attacks against California-based Accellion’s legacy File Transfer Appliance by cybercrime group Cl0p disproportionally affected Australian and New Zealand organisations. A previously undisclosed zero-day vulnerability was discovered in the product in mid-December 2020, with a patch released to customers on 24 December 2020, California time. For Australian and New Zealand customers, this was the start of Christmas holidays and many organisations were operating with skeleton staff, if any.

Victims began receiving extortion emails, threatening to leak stolen data on the Cl0p data leak site unless the victim paid a ransom. CyberCX investigated and responded to many of these incidents and shared our threat intelligence with most affected organisations in our region. We noted that while these cases did not involve ransomware or encryption of data, the attackers had stolen organisations’ data with the intent of extortion.

Why is cyber extortion increasing?

Cyber extortion is a lucrative industry for cybercriminals, who operate out of foreign countries with relative impunity.

Cybercriminals use attack methods that involve the lowest amount of effort for the highest payoff. Before ransomware and other forms of cyber extortion became popular schemes for cybercriminals, they often made money from selling or using stolen information such as credit card details and bank account logins.

However, it takes time and effort to sell stolen goods, and the black market for this type of information became saturated. Ransomware offered a way for cybercriminals to extract money directly from victim organisations. The size of the ransom demand could also be tuned to make paying the ransom an attractive, if not welcome, resolution to the problem for smaller victims.

The next phase of evolution became known as ‘big game hunting’, where attackers sought victim organisations against whom they could conduct far more disruptive attacks, and who often had far greater propensity to pay a ransom demand.

The most recent major evolution of these crimes was a pivot to also stealing confidential data while the attacker was inside the victim’s network.

Having obtained this information, cybercriminals could threaten to release it publicly if they were not paid. The tools and methods of cybercriminals will continue to change in future. But their purpose – monetising their attacks – will not change.

Cybercrime has long been a dynamic and efficient enterprise, unrestricted by policy and regulation. In the days of credit card fraud, different groups or individuals would focus on each stage of creating fake cards, from stealing real cardholder data to manufacturing plastic moulds, encoding magnetic stripes, reproducing holographic security labels, and recruiting ‘mules’ who used the fake cards to obtain hard cash.

Advanced ransomware and cyber extortion groups are organised and professional – a step change from the cybercrime scene even several years ago.

Nowadays, groups specialise in different attack phases, such as developing the actual ransomware programs which encrypt data, finding ways to penetrate victim networks, negotiating with victims and laundering any payments which are made.

Some cybercriminals are also demonstrating elements of tradecraft mimicking more sophisticated nation-state attackers, in terms of the technical tools they use, targeted intelligence-gathering on victims, and sophisticated strategies for applying pressure to victims. This situation has also been fuelled by security researchers who sell vulnerabilities and exploits to cybercriminals. All of this makes modern cybercriminals a big – and growing – risk to organisations.

Who’s likely to be a victim?

Every organisation, of every size, in every sector, is a potential target.

The scale and impact of ransomware and other types of cyber extortion has increased since 2017, with a sharp uptick in 2021.

CyberCX observes that the frequency of cyber extortion attacks against Australian and New Zealand organisations more than doubled from the first quarter to the second quarter of 2021.

Attacks against essential services and critical infrastructure providers, government entities and large corporations have also increased, following the trend of ‘big game hunting’ that has emerged in recent years. Under this strategy, attackers target larger organisations, surmising that they may be more willing and able to pay large ransoms, since a disruption to their services or breach of their sensitive data is incredibly damaging.

The largest and smallest ransom demands CyberCX has observed from cyber extortion attacks in Australia and New Zealand

However, cybercriminals also actively target smaller organisations. While compromising large organisations for big payoffs has become the dominant strategy of some cybercrime groups, CyberCX is observing a renewed focus on smaller targets by others.

This is because the lucrative cyber extortion economy is attracting more and more criminals, some of whom lack the technical sophistication or risk appetite to target big organisations.

Increased public awareness, especially of ransomware, has also meant big organisations with big security budgets are getting better at preparing and defending against cyber extortion.

Snapshot of organisations in Australia and New Zealand affected by cyber extortion, including ransomware, so far in 2021

The Australian Cyber Security Centre received reports of almost 500 ransomware attacks in financial year 2020-21.

 

CERT NZ received 74 reports over the same period. But this reflects only a small proportion of the volume of cyber extortion crimes. Many attacks go unreported. The number of attacks is also increasing.

How would an attack impact your organisation?


In CyberCX’s work with victim organisations, the most significant impacts from ransomware attacks are:

  • Operational disruption, which can impact delivery of services to customers
  • Lost revenue from missed business while operations were disrupted
  • Customers leaving due to security or privacy concerns, which can exacerbate lost revenue
  • Cost of response and remediation activities
  • Cost of restoration from destructive attacks where data cannot be decrypted
  • Reputational damage including impacts on share value
  • Costs incurred from failing to meet obligations to third parties, including penalties for contractual non-performance
  • Personal impacts on staff, which are often overlooked, but very real.

The impacts of responding to and recovering from a ransomware attack can be felt by an organisation for many months, long after the attack ceases. There are also other potential costs, including the risk of litigation by affected contractual partners and customers.


In the case of a data theft extortion attack, the most significant impacts include:

  • Reputational damage and intellectual property loss if confidential data is exposed
  • Customers leaving due to security or privacy concerns following notification of sensitive data being stolen
  • Cost and possible operational disruption of response and remediation activities
  • Impacts on individuals, including staff and customers, affected by any exposure of personal information.

Victims of data extortion may also be exposed to litigation risk from third parties, depending on the type of information that is exposed. While ransomware and data theft extortion are often combined, there are key differences organisations should be aware of.

Comparing the two dominant strategies

Ransomware and data theft extortion have different effects on victim organisations. While ransomware and data theft extortion are often combined, there are key differences organisations should be aware of.

Attack characteristics

Involves compromise of the victim organisation’s computer systems.

Ransomware

Yes Ransomware is ‘detonated’ inside a compromised network.

Data theft extortion

Yes In most cases, this involves an attacker compromising systems, however it can also result from a data spill.

Causes disruption to computer systems and impacts business operations.

Ransomware

Yes The specific intent of ransomware is to disrupt the operation of systems.

Data theft extortion

Maybe Data can be stolen without disrupting the victim’s systems, however some disruption may still result from the attacker’s other actions, or from remediation activities.
Incident response

Can be responded to without widespread knowledge that the breach occurred.

Ransomware

No Encryption of systems will likely be visible to employees and will probably become publicly known.

Data theft extortion

Maybe Depends on whether the attacker chooses to post stolen data online before or during negotiations.

Can be overcome by rebuilding damaged systems or restoring from backups.

Ransomware

Yes However, this process can be lengthy and difficult.

Data theft extortion

No Once data has been stolen, no remediation or restoration of the victim’s systems will bring it back, nor prevent its possible disclosure.

Damage can be mitigated by paying the attacker.

Ransomware

Maybe In our experience, cybercriminals often do provide working decryption processes – if they don’t, that damages their business model. However, there is no guarantee this will occur in every situation.

Data theft extortion

Maybe While attackers may provide assurances of data destruction, and some have strong records of doing so, they cannot provide absolute certainty.

Paying the attacker provides a guarantee that no further harm will arise.

Ransomware

No When dealing with criminals, this cannot be guaranteed.

Data theft extortion

No When dealing with criminals, this cannot be guaranteed.
Costs and impact

May require costly and time-consuming rebuilding of damaged systems and networks.

Ransomware

Yes This process can be lengthy and difficult, depending on the complexity of systems and the integrity and completeness of backups.

Data theft extortion

Maybe While whole systems often don’t require rebuilding or restoration, security remediation is still required, and may be extensive.

Requires security remediation to fix security weaknesses that contributed to the breach.

Ransomware

Yes Remediation should be based on a thorough investigation to identify the full scope of the attack.

Data theft extortion

Yes Remediation should be based on a thorough investigation to identify the full scope of the attack.
Regulatory obligations

Requires reporting data theft to a privacy regulator and affected individuals.

Ransomware

Maybe If the investigation identifies that the attacker accessed or stole personal information that is likely to cause serious harm to an individual if misused.

Data theft extortion

Maybe If the investigation identifies that the attacker accessed or stole personal information that is likely to cause serious harm to an individual if misused.

Requires reporting to other regulators, government agencies or industry bodies.

Ransomware

Maybe If the investigation identifies that the attacker accessed or stole other information that would trigger a reporting obligation.

Data theft extortion

Maybe If the investigation identifies that the attacker accessed or stole other information that would trigger a reporting obligation.

Wolves in sheep’s clothing

The need for intelligence-led incident response

Not everything that looks like a cyber extortion attack is one. For example, some nation-state threat actors use a tactic known as ‘ransomware-as-a-diversion’. They might use encryption tools that look like known ransomware strains, but they never actually intend to offer decryption tools, or even methods to pay a ransom. This is because their objectives are political, not financial.

This is one reason why victim organisations should work with incident response experts who apply an intelligence-led approach to help organisations understand who their attacker is, and what they want.

Know your enemy

Cl0̸P

The versatile extortionists

[Image thumbnail credit: Ukrainian Police.]

Modus operandi:

Cl0p started as a strain of ransomware, but their affiliates are versatile. Their Accellion attacks in early 2021 were quite novel, highly technical and used only data theft extortion, not ransomware. Cl0p’s operations focus on large enterprises, a strategy known as ‘big game hunting’.

Tradecraft:

Vulnerability exploits including zero-day vulnerabilities, custom backdoors and loaders, phishing emails.

Australian and New Zealand victims:

Finance, Government, Healthcare, Legal.

On Christmas Eve 2020, the cybercriminals behind Cl0P began exploiting multiple vulnerabilities in Accellion’s File Transfer Appliance, a data transfer tool widely used by large organisations to transfer large and sensitive files securely, often with external parties.

Public and private sector organisations in Australia and New Zealand were affected, including government agencies at state and federal levels. These organisations received ransom demands threatening the release of their sensitive data on a website called Cl0P^_- LEAKS. No ransomware was ever deployed on their networks, since Cl0P’s operators understood that stealing sensitive information was enough to extort their victims. Since the Accellion attacks, Cl0P has added data of multiple other victims around the world to their website.

As more potential victim organisations protect themselves from ransomware attacks, and global law enforcement action against ransomware operators intensifies, more cybercriminals are likely to follow Cl0P’s lead of pivoting away from ransomware.

On 16 June 2021, Ukrainian national police, in collaboration with Interpol, South Korea and US law enforcement, arrested six individuals in Kiev allegedly involved in money-laundering cryptocurrency from Cl0P extortion proceeds into fiat currency. The arrests had only a fleeting effect on the activities of L0P’s affiliates, who published stolen data of two new victims on the Cl0P^_- LEAKS website a week later.

Anatomy of an attack

Understanding the cyber extortion ‘attack chain’ creates awareness of early warning signs

If an attack is caught in its early stages, there is still an opportunity to stop subsequent attack stages.

For ‘big game hunting’ victims, the length of time between initial compromise and later attack stages can be longer, since criminals may work harder and more methodically for higher expected returns.

How long does a cyber extortion incident last?

After gaining initial access to a network, the visible stages of an attack may be seen anywhere from hours to weeks later.

From the investigations performed by CyberCX, we see a wide range of timeframes between network penetration and obvious malicious activities such as detonating ransomware. The variance depends upon a range of factors, including:

Expected return

The time a cyber attack takes can be linked to profitability – that is, how much the criminals believe the ransom is worth. For a high-value target, criminals may spend a month inside the victim’s network to ensure their attack is successful. For smaller organisations, where access can be bought cheaply, attackers often operate more quickly, waiting only days or sometimes hours between initial compromise and obvious actions.

Scope of access

Often we see a gap between initial access and later attack stages, which often reflects the time it takes an initial attacker, commonly referred to as the ‘initial access broker’, to escalate their initial access to a privileged level, or to sell or pass on their access methods to another criminal, who in turn leverages that access for subsequent attack stages

Completing exfiltration of information

The length of this stage can depend on the complexity of the victim’s network and the steps needed for the attacker to avoid tripping security controls.

The attacker’s workflow

Sometimes attackers just get busy, or are distracted with other targets, especially in a large campaign.

If an attack is caught in its early stages, there is still an opportunity to stop subsequent attack stages.

Through CyberCX’s active Cyber Intelligence capability, we aim to identify early signals that an organisation is an attack victim. In some cases, we’re able to catch the attack after initial penetration, but before more damaging later stages. Where possible, we advise clients proactively and help them shut down the attack before it escalates.

A cyber incident is like an iceberg – what you initially see is only a small part of an immense problem spreading throughout your organisation’s systems.

Attackers often compromise multiple systems, but not all these systems will show signs of compromise at the same time. This is why it’s important for the investigation to also consider systems which show no initial signs of compromise, including on-premises and cloud platforms.

For example, many organisations that have suffered a breach of their on-premises networks assume cloud platforms, such as Office365, have not been compromised because they are operating normally. However, attackers can easily access Office365 mailboxes using stolen credentials to locate and steal confidential data, especially from senior employees.

A cyber incident is like an iceberg – what you initially see is only a small part of an immense problem spreading throughout your organisation’s systems.

What are the stages of a cyber extortion attack?

The MITRE ATT&CK framework provides a detailed understanding and reference for the steps most often executed by cyber attackers. The final two stages are not in the MITRE ATT&CK framework but are common in cyber extortion cases. Most attacks involve executing tasks within each phase. The below timeline focusses on phases most relevant to ransomware and data theft extortion attacks.

It is important to remember that while response activities surrounding an incident may conclude, the victim organisation should not simply revert to ‘business as usual’. Post-incident activities should include:

  • Conducting a post-incident review to identify areas where response was effective, and where improvements should be made
  • Remediating security vulnerabilities which contributed to the incident.
01

Resource development

Including creation of ransomware program, data leak site (DLS) and cryptocurrency accounts.

02

Initial access

Gaining initial access to the victim’s network.

03

Discovery

Gaining a detailed understanding of the victim’s network, to inform subsequent attack stages.

04

Defensive evasion

Steps taken by attackers to avoid detection or delete evidence that could be used to reconstruct their actions.

05

Lateral movement

Accessing other computers and resources across the network.

06

Collection

Finding and extracting sensitive information which can be used for extortion.

07

Exfiltration

Extracting copies of sensitive and confidential data.

08

Impact

Detonation of ransomware inside the victim’s network

09

Engagement

The attacker applies pressure to coerce the victim into paying their demands.

010

Conclusion

Incident response concludes.

Know your enemy

REvil

The Ransomware spokesperson

Modus operandi:

REvil ransomware first emerged in April 2019 and has been rapidly developed since then. REvil’s developers recruit highly-capable affiliates who target large organisations they can extort for high demands. REvil employs a double extortion strategy of data encryption and exfiltration. REvil’s Data Leak Site went offline on 12 July 2021, suggesting REvil has at least temporarily paused operations. However, it recommenced operations and revived its infrastructure in early September.

Tradecraft:

Vulnerability exploits, initial access brokers, credential theft, phishing, brute-force attacks against Remote Desktop Protocol, insecure Virtual Private Networks and proxies, Trickbot and other botnets.

Australian and New Zealand victims:

Accounting, Aged Care, Consulting, Education, Food and Beverage, Insurance, Healthcare, Legal, Manufacturing, Managed Services.

Given the illegal nature of their activities, cybercriminals tend to avoid public attention. Not REvil. The cybercriminals behind one of the most active ransomware groups of the last couple of years loves giving interviews.

The willingness of REvil to openly talk to journalists signals the threat actor’s perception of safety from law enforcement action. REvil is believed to operate out of Russia, where authorities turn a blind eye to cybercriminals as long as they don’t target organisations in the Commonwealth of Independent States – a partnership of 10 post-Soviet republics.

REvil’s showmanship lets the reader peek into the opaque world of cybercrime. The interviews give away trends applicable not only to REvil but also the wider cyber extortion community, which often shares tools, tactics and even access to compromised networks. While it’s never wise to trust a criminal, here’s five top insights from REvil’s statements:

Ransomware operations are large criminal enterprises.

These include dozens, if not hundreds of carefully-selected individuals. REvil claims to have a team of about ten penetration testers, 60 affiliates and a couple of managers who do not directly communicate with each other to preserve security.

The ransomware-as-a-service model will continue to be prevalent due to its profitability.

REvil’s developers do not directly deploy the ransomware on victim systems, but handle the subsequent victim negotiations, receive the ransom, and provide the decryptor. Ransomware deployment is the responsibility of affiliates who keep 70% of the ransom. REvil says this approach helps them to scale their business, which allegedly made them over US$100 million in 2020.

The future of cyber extortion is in data exfiltration, while data encryption is a nice-to-have

Like many other cybercriminals, REvil is focusing on the exfiltration, rather than encryption, of sensitive data.

Cybercriminals work hard to keep their finances hidden.

In recent times, some cybercriminals have shown a preference for Monero over Bitcoin and other cryptocurrencies because tracking transactions is more difficult. REvil values the added security so much that it offers a 20% discount to victims who pay the ransom using Monero.

Arm your business

Download Full Guide

To download the Full Guide of this guide, please enter your details below.

Next up

Protect your organisation

Best practice security controls

Explore Online

Download Part 1

Download Part 2

Download Part 3

Download All