Ransomware? Let’s call it what it really is: extortionware

Just as the targets of these attacks have shifted from individuals to corporations, so too has the narrow focus given way to applying force and pressure to pay.

No one needs reminding that ransomware has reached incredible proportions; one widely reported statistic from Purplesec suggests that $20 billion was paid out in 2020. That’s almost double its $11.5 billion estimate from 2019, with a commensurately huge increase in the number of attacks, while Bitdefender suggested a 715% increase in the first half of the year.

The “crews” have multiplied, adopted tactics that are reminiscent of nation-state attacks, and developed partnerships and relationships with a speed and efficiency that put many of our business practices to shame. New tactics are constantly appearing both to gain access and to apply pressure on victims to pay.

What hasn’t changed is what we call it: ransomware. That’s a mistake, since it ties it in too many people’s minds to the past, and to a much less threatening form of the attack, the attack form that started in 1989 with the AIDS Trojan (distributed on 20,000 floppy disks and looking for a payment of around $500). The attack returned in the mid-2010s, but as individual threats. Attacks such as CryptoWall, Cryaki, TeslaCrypt, and CTB-Locker impacted individual users and forced the victim to approach the attacker to recover. Attackers also took rapid advantage of cryptocurrencies, using the relative anonymity and easy transferability of Bitcoin to protect them as they monetized their efforts.

These attacks were distributed by multiple means, or vectors. Phishing, pop-ups from malvertising, and even messaging on platforms like Facebook Messenger were common vectors. The code base was different, the attack vector was different, but the goal was the same. Land on a user’s computer, encrypt that computer and network-accessible data, and demand payment. The attack was against the individual, and corporate damage was a bonus (in terms of payment), not the objective. The ransom was to decrypt the locked data, and defensive tactics focused on limiting access to data — least privilege, user-awareness training, and host-based malware prevention.

This model slowly shifted toward corporate targets, as the bad guys followed the money. 2020, however, saw a series of seminal shifts in the landscape, and a change in tactics. This series of shifts is why we should change the naming — from ransomware, a serious attack but one with a relatively narrow scope, to extortionware, where every pressure is being applied to force payment.

To read the complete article, visit Dark Reading.