Research | Our Q3 report details what's new in the world of ransomware.
Reduce Alert Noise and False Positives
Boost your team's productivity by cutting down alert noise and false positives.
Automate Security Operations
Boost efficiency, reduce burnout, and better manage risk through automation.
Dark Web Monitoring
Online protection tuned to the need of your business.
Maximize Existing Security Investments
Improve efficiencies from existing investments in security tools.
Move your security operations beyond the limitations of MDR.
Secure with Microsoft 365 E5
Boost the power of Microsoft 365 E5 security.
Secure Multi-Cloud Environments
Improve cloud security and overcome complexity across multi-cloud environments.
Secure Mergers and Acquisitions
Control cyber risk for business acquisitions and dispersed business units.
Solve security operations challenges affecting critical operational technology (OT) infrastructure.
Force-Multiply Your Security Operations
Whether you’re just starting your security journey, need to up your game, or you’re not happy with an existing service, we can help you to achieve your security goals.
Detection Investigation Response
Modernize Detection, Investigation, Response with a Security Operations Platform.
Locate and eliminate lurking threats with ReliaQuest GreyMatter
Find cyber threats that have evaded your defenses.
Security metrics to manage and improve security operations.
Breach and Attack Simulation
GreyMatter Verify is ReliaQuest’s automated breach and attack simulation capability.
Digital Risk Protection
Continuous monitoring of open, deep, and dark web sources to identify threats.
GreyMatter Phishing Analyzer removes the abuse mailbox management by automating the DIR process for you.
The GreyMatter cloud-native Open XDR platform integrates with a fast-growing number of market-leading technologies.
Unify and Optimize Your Security Operations
ReliaQuest GreyMatter is a security operations platform built on an open XDR architecture and designed to help security teams increase visibility, reduce complexity, and manage risk across their security tools, including on-premises, clouds, networks, and endpoints.
Brands of the world trust ReliaQuest to achieve their security goals.
Learn how to achieve your security outcomes faster with ReliaQuest GreyMatter.
The latest security trends and perspectives to help inform your security operations.
Industry Guides and Reports
The latest security research and industry reports.
Catch up on the latest cybersecurity podcasts, and mindset moments from our very own mental performance coaches.
A deep dive on how ReliaQuest GreyMatter addresses security challenges.
The latest threat research report from ReliaQuest Threat Research research team.
The latest white papers focused on security operations strategy, technology & insight.
Current and future SOC trends presented by our security experts.
Events & Webinars
Explore all upcoming company events, in-person and on-demand webinars
From prevention techniques to emerging security trends, our comprehensive library can arm you with the tools you need to improve your security posture.
Get the latest threat analysis from the ReliaQuest Threat Research Team. ReliaQuest ShadowTalk Weekly podcast featuring discussions on the latest cybersecurity news and threat research.
ReliaQuest's ShadowTalk is a weekly podcast featuring discussions on the latest cybersecurity news and threat research. ShadowTalk's hosts come from threat intelligence, threat hunting, security research, and leadership backgrounds providing practical perspectives on the week's top cybersecurity stories.
November 30, 2023
We bring our best attitude, energy and effort to everything we do, every day, to make security possible.
Security is a team sport.
No Show Dogs Podcast
Mental Performance Coaches Derin McMains and Dr. Nicole Detling interview world-class performers across multiple industries.
Make It Possible
Make It Possible reflects our focus on bringing cybersecurity awareness to our communities and enabling the next generation of cybersecurity professionals.
Join our world-class team.
Press and Media Coverage
ReliaQuest newsroom covering the latest press release and media coverage.
Become a Channel Partner
When you partner with ReliaQuest, you help deliver world-class cybersecurity solutions.
How can we help you?
A Mindset Like No Other in the Industry
Many companies tout their cultures; at ReliaQuest, we share a mindset. We focus on four values every day to make security possible: being accountable, helpful, adaptable, and focused. These values drive development of our platform, relationships with our customers and partners, and further the ReliaQuest promise of security confidence across our customers and our own teams.
We can’t stop talking about it: Ransomware. It’s dominating a lot of security news for sure, which also means it’s definitely in the media cycle and on everyone’s mind. Ransomware groups have recently upped the ante with their attacks with adaptations of various tactics, techniques, and procedures (TTP) in the threat landscape. As if it weren’t enough to worry about the threat of having your data encrypted and held for ransom, groups these days are offering the additional threats of Distributed-Denials-of-Service (DDoS) and data disclosure to their arsenal. Several of these ideas have been around for a while, but with all of the recent upheavals in the ransomware market, many of these tactics have been adopted, dropped, and renewed by some fairly notorious groups to ensure that one way or another, payment will be made.
Many blogs, articles, and researchers keep talking about things like “double-extortion” or other terms you might’ve been afraid to ask about when we talk about ransomware in 2021. We want to shed light on what’s going on now as a “back-to-basics” on how attacks work and some of the history behind them. In this article, we’ll walk through some of the basics as we see ransomware attacks today, which break down to extortion based on threats of encryption, disclosure, or network attack and how your organization can protect itself from data loss.
Encryption and extortion were the original basis of ransomware threats. If this tactic is news to you, please say “Hello” to Wilson the volleyball for us because you may have been on a desert island for the last few years (probably more preferable to 2020). In the beginning, the targets varied between individuals and businesses; however, it would seem these days it’s all about the enterprise now. According to the Verizon DBIR, that victim profile was typically located in North America or Europe, in the manufacturing, energy, or healthcare sectors.
The execution also varied among groups, but the model was simple, pay or get encrypted. The decryption part was where things often got tricky, especially for victims, because this is where the variance occurred. It also meant a huge (and potentially expensive) leap of faith.
As ransomware attacks began to hit more news cycles worldwide, more and more voices in the security world advised that the best tactic–especially if backups existed or a decrypter was available–was not to pay. Ransomware operators increasingly were likely at a crossroads: It was still probably reasonably profitable, but how to increase pressure while at the same time increasing the likelihood of payment, especially with cyber insurance involved? As ransomware began to look more and more like a service, threat actors were forced to add new revenue streams to their business model.
The “All your data belongs to us” approach—public data disclosures have been around practically since the early years of the public internet, but the practice again changed the landscape when added with ransomware. Intentional data disclosure dates back to the 1990s and was often used in response to feuds among various groups, which brought actual personas out of the shadows and anonymity of the internet.
Varying hacktivist groups, as well as lone-wolf actors, have used this technique–often referred to as “doxing”–in recent years as a method of public shame, generally in response to a person or organization running afoul ethically or socially. In its latest form, ransomware actors opting to include disclosure in their threats will typically exfiltrate critical data first before encrypting it. If a victim fails to meet demands for payment, the added pressure of a public disclosure might be just enough to nudge that victim towards the finish line. Previously, unless disclosed publicly in some fashion, ransomware incidents sometimes could be pretty quiet.
The added pressure of having sensitive data, whether customer or financial data, information on internal projects or plain old intellectual property out there for everyone to see might be too much for an enterprise to bear. Especially in a competitive landscape. One group, REvil, stands out in particular for their brand of nefarious behavior, as they seek to disclose victim information publicly and profit from it.
The old “Extortion or DDoS” gambit is not new. Prototypes of this activity were spotted in the wild as far back as 2015, and in the years following, each were also very newsworthy years for DDoS attacks. Attacks in recent years gained notoriety because of attacker claims to be part of other well-known groups such as Armada Collective, Anonymous, and Fancy Bear, among others; not to mention, they grew in scale and type. They also targeted many different sectors, which left much of the press at the time breathless trying to attribute the threat correctly. In essence, the fake Bears were attacking with extortion threats while the actual Bears were off making big news with espionage campaigns. Several groups have recently adopted the practice, either as a standalone threat or alongside traditional ransomware encryption attacks and newer disclosure tactics.
Distributed-Denial-of-Service in itself is noteworthy because of how an attack originates from widespread IPs, potentially from multiple regions of the world, to shut down networks. The wide distribution of IPs also makes it difficult to attribute directly or even block with some traditional network security methods, especially since botnets can be rented out for this purpose. The very nature of DDoS makes it different from a standard Denial-of-Service attack in this regard.
Akamai’s Tom Emmons recently looked at historical comparisons with known DDoS activity and incidents, which was interesting given Akamai’s unique position as a leading content delivery network (CDN). An interesting takeaway from this research is that DDoS “stresser” kits saw average prices fall, which lines up with our marketplace research: the lowest observed price for a kit was less than a Big Mac meal at a McDonald’s in the US. These low prices provide a shallow barrier to entry for just about any criminal group or wannabe out there. They would be a drop in the bucket for a well-financed threat actor currently making waves in ransomware who might opt for DDoS-as-a-service rather than stand up their own infrastructure.
The good news about DDoS attacks is that despite the bandwidth issues it might create temporarily, there is evidence that these attacks can be mitigated if caught early and through proactive measures that may include a vendor solution or network configurations. The question in this instance is if network availability or data integrity is the priority when faced with all threats in a potential ransomware attack.
In the time since this blog’s inception to its finish, the Babuk ransomware group recently announced they were rebranding their services, with some members moving on to a disclosure-extortion–only model. As we saw throughout May 2021, there were many ripples in the usual marketplaces after the Colonial incident. As time goes on, it will be interesting to see what the potential fallout is as more people are attuned to the ransomware threat. There have already been several high-profile attacks in the wake of ransomware operators moving to other safe-havens.
There should be some healthy debates happening in the private and public sectors about ransomware. Still, as we predicted in 2020, this is just going to keep happening until something new comes along (likely), ransomware operators decide to go quiet and stop attacking everyone (probably not), government and law enforcement bodies manage to arrest everyone and stop all the crime (also unlikely), or we get better about security as a whole (hopefully). Whether these debates and changes result in a free-for-all for attacks, changes in attack methodology, or if any of the rhetoric from governments resulted in slowing or stopping attacks, we’ll know in a year from now if this will be another year of ransomware.
As an aside, we don’t often talk about the attacks that didn’t happen or were prevented through either tooling, law enforcement measures, or a combination of factors, but kudos to those successes. Those stories should be told and passed down to generations of SOC defenders and security teams everywhere. I can’t take the credit for this, but the other debate we should all be having is whether to publicize these incidents or change how they’re presented. In any case, we’ll continue to monitor and update as needed, but if you are curious about how intelligence may help you stay informed in the fight against ransomware, you can always take SearchLight (now ReliaQuest’s GreyMatter Digital Risk Protection) for a test drive with a free demo request. If you like reading some of the complex data we’ve seen this year, take a look at our Q1 2021 report on ransomware trends, which should hold you over until we can publish the Q2 results.