FBI’s IC3 report finds drops in ransomware incidents, though notes rise in extortion tactics used by hackers

The FBI’s Internet Crime Complaint Center (IC3) saw an increase in 2022 in an additional extortion tactic used to facilitate ransomware, even as the number of reported ransomware incidents decreased. The hackers pressure victims to pay by threatening to publish the stolen data if they do not pay the ransom. The IC3 report comes as the cyber landscape provides ample opportunities for criminals and adversaries to target U.S. networks, attack critical infrastructure, hold money and data for ransom, facilitate large-scale fraud schemes, and threaten national security.

“The number of reported ransomware incidents has decreased, we know not everyone who has experienced a ransomware incident has reported to the IC3. As such, we assess ransomware remains a serious threat to the public and to our economy, and the FBI and our partners will remain focused on disrupting ransomware actors and increasing the risks of engaging in this activity,” the FBI said in its report titled ‘Internet Crime Report 2022.’ 

“In concert, the public can play a crucial role by taking proactive measures to prevent and prepare for a potential cyber attack and, if there is an incident, by reporting it to the FBI through the IC3,” the report added. “Though cybercriminals are continuously seeking to make their attacks more resilient, more disruptive, and harder to counter, public reporting to the IC3 helps us gain a better understanding of the threats we face daily.”

In 2022, the IC3 received 2,385 complaints identified as ransomware with adjusted losses of more than $34.3 million, the report said. “Ransomware is a type of malicious software, or malware, that encrypts data on a computer, making it unusable. In addition to encrypting the network, the cyber-criminal will often steal data off the system and hold that data hostage until the ransom is paid. If the ransom is not paid, the victim’s data remains unavailable,” it added. 

The report said that although cyber criminals use a variety of techniques to infect victims with ransomware, phishing emails, remote desktop protocol (RDP) exploitation, and exploitation of software vulnerabilities remained the top initial infection vectors for ransomware incidents reported to the IC3. Once a ransomware hacker has gained code execution on a device or network access, they can deploy ransomware.

“While the cyber threat is ever-growing, the FBI remains appreciative of those individuals and entities who report cyber incidents to the IC3, as that valuable information helps fill in gaps that are crucial to advancing our investigations,” Timothy Langan, executive assistant director at the FBI, wrote in the IC3 report. “The FBI is relentlessly focused on promoting safety, security, and confidence into our digitally connected world, and we are eager to continue working with the American public to bring cybercriminals to justice around the globe,” he added.

The IC3 received 870 complaints that indicated organizations belonging to a critical infrastructure sector were victims of a ransomware attack. Of the 16 critical infrastructure sectors, IC3 reporting indicated 14 sectors had at least one member that fell victim to a ransomware attack in 2022. It also revealed that the top three ransomware variants reported to the IC3 that victimized a member of a critical infrastructure sector were LockBit, ALPHV/BlackCat, and Hive.

In 2022, the IC3 received 21,832 BEC (business email compromise) complaints with adjusted losses over US$2.7 billion. BEC is a sophisticated scam targeting both businesses and individuals performing transfers of funds. The scam is frequently carried out when a subject compromises legitimate business email accounts through social engineering or computer intrusion techniques to conduct unauthorized transfers of funds. 

“As fraudsters have become more sophisticated and preventative measures have been put in place, the BEC scheme has continually evolved in kind,” the IC3 said. “The scheme has evolved from simple hacking or spoofing of business and personal email accounts and a request to send wire payments to fraudulent bank accounts. These schemes historically involved compromised vendor emails, requests for W-2 information, targeting of the real estate sector, and fraudulent requests for large amounts of gift cards.” 

More recently, fraudsters are more frequently utilizing custodial accounts held at financial institutions for cryptocurrency exchanges, or having victims send funds directly to cryptocurrency platforms where funds are quickly dispersed, the report added.

In 2022, the IC3 also saw a slight increase in the targeting of victims’ investment accounts instead of traditional banking accounts. There was also an increasingly prevalent tactic among BEC hackers of spoofing legitimate business phone numbers to confirm fraudulent banking details with victims. In one example, victims reported that they had called a title company, realtor, etc., using a known phone number, only to find later that the phone number had been spoofed, the report said.

This increased use of ‘spoofed’ phone numbers emphasizes the importance of leveraging two-factor or multi-factor authentication as an additional security layer, the IC3 reported. Procedures should be put in place to verify payment and purchase requests outside of e-mail communication. These can include direct phone calls, but only to a known verified number, without relying on information or phone numbers included in the e-mail communication.

“Other best practices include carefully examining the email address, URL, and spelling used in any correspondence and not clicking on anything in an unsolicited email or text message asking you to update or verify account information,” it added.

In December, U.S. security agencies warned organizations in the food and agriculture sector of recently observed incidents of criminal hackers using BEC tactics to steal shipments of food products and ingredients valued at hundreds of thousands of dollars. The agencies noted that while BEC is most commonly used to steal money, in cases like this criminals spoof emails and domains to impersonate employees of legitimate companies to order food products. Another scenario the agencies presented was that the victim company fulfills the order and ships the goods, but the criminals do not pay for the products.

FBI’s IC3 report comes as the federal government has in its Federal Budget for Fiscal Year 2024 allocated funds to bolster federal cybersecurity by ensuring that every agency is increasing the security of public services, while also working towards making cyberspace more resilient and defensible.
