Executive Summary
Threat actors are increasingly employing extortion techniques to gain leverage over targeted organizations and accomplish their goals. While much attention has been paid to ransomware in recent years, modern threat actors increasingly use additional extortion techniques to coerce targets into paying—or dispense with ransomware altogether and practice extortion on its own.
While in many cases the motivation is financial, Unit 42 also sees indications that extortion can happen in service of a group’s larger goals, sometimes simply to fund other activities, but other times to distract from them.
Organizations, in turn, need to evolve defenses to address the various methods threat actors use to apply pressure. Incident response plans today need to involve not only technical considerations but also safeguards for an organization’s reputation and considerations for how to protect employees or customers who may become targets for some of extortionists’ more aggressive tactics.
In our review of incident response cases, as well as our threat intelligence analysts’ assessment of the larger threat landscape, we noted some key points:
Multi-extortion tactics continue to rise.
In Unit 42 ransomware cases, as of late 2022, threat actors engaged in data theft in about 70% of cases on average. Compare this to mid-2021, when we saw data theft in only about 40% of cases on average. Threat actors often threaten to leak stolen data on dark web leak sites, which are increasingly a key component of their efforts to extort organizations.
Harassment is another extortion tactic we see being used in more ransomware cases. Ransomware threat actor groups will target specific individuals in the organization, often in the C-suite, with threats and unwanted communications. By late 2022, harassment was a factor in about 20% of ransomware cases. Compare this to mid-2021, when harassment was a factor in less than 1% of Unit 42 ransomware cases.
Extortion gangs are opportunistic, but there are some patterns in the organizations they attack. Based on our analysis of dark web leak sites, manufacturing was one of the most targeted industries in 2022, with 447 compromised organizations publicly exposed on leak sites. Unit 42 believes this is due to the prevalence of systems used by this industry running on out-of-date software that isn’t regularly or easily updated or patched—not to mention the industry’s low tolerance for downtime. Organizations based in the United States were most severely affected, according to leak site data, accounting for 42% of the observed leaks in 2022.
Large, multinational organizations can be lucrative targets for threat actors. Attacks on the world’s largest organizations represent a small but notable percentage of public extortion incidents. In 2022, 30 organizations on the Forbes Global 2000 list were publicly impacted by extortion attempts. Since 2019, at least 96 of these organizations have had confidential files publicly exposed to some degree as part of attempted extortion.
Advanced threat groups may use extortion and ransomware to fund other activities — or hide them. Threat groups from countries under economic embargoes or sanctions have been observed using ransomware and extortion to fund their operations. Other threat groups, including some from Iran or China, seem to have a different objective when using ransomware. Threat actors can gain more than money from deploying ransomware—it also has potential for both destruction and espionage.
Predictions for what to expect from extortion in the coming year. Unit 42 experts have put together predictions for what we expect to see from extortion groups in the coming year. Our predictions include:
- 2023 will be the year we see a large cloud ransomware compromise.
- A rise in extortion related to insider threats.
- A rise in politically motivated extortion attempts.
- The use of ransomware and extortion to distract from attacks aimed at infecting the supply chain or source code.