Zscaler ThreatLabz report analyzes ransomware trends, impacts, encryption-less extortion, RaaS growth

Cloud security vendor Zscaler has released a ransomware report that tracks the continued growth of complex ransomware attacks and highlights the latest ransomware trends. The report identifies that ransomware attacks are rising, and businesses of all sizes are at risk. It also addresses attacks on public institutions and organizations with cyber insurance, the growth of Ransomware-as-a-Service (RaaS), and encryption-less extortion.

Zscaler identified that the ransomware impact is felt most acutely in the U.S., which was the target for nearly half of the ransomware campaigns over the last 12 months. Combined, Canada, the U.K., and Germany had less than half the number of attacks targeting U.S. entities. It revealed that the manufacturing sector remains the most targeted industry vertical, accounting for nearly 15 percent of total ransomware attacks.

“The report found that ransomware attacks increased by over 37% in 2023 (tracked between April 2022 and April 2023) compared to the previous year, with the average enterprise ransom payment exceeding $100,000, with a $5.3 million average demand,” the report titled ‘Zscaler ThreatLabz 2023 Ransomware Report’ disclosed. “The most common targets were businesses in the manufacturing, services, and construction sectors. Ransomware attacks are becoming increasingly sophisticated, with attackers using a variety of techniques to exploit vulnerabilities in organizations’ systems and networks. These techniques include phishing, social engineering, and exploiting known vulnerabilities.”

Zscaler also outlined that ransomware attacks are becoming increasingly sophisticated, with attackers using a variety of techniques to exploit vulnerabilities in organizations’ systems and networks. These techniques include phishing, social engineering, and exploiting known vulnerabilities.

The manufacturing, services, and construction sectors have been the targets of ransomware attacks more often, Zscaler reported. “Known for their critical infrastructure and valuable intellectual property, these industries have become prime targets for cybercriminals seeking financial gain and disruption.”

Zscaler said the most prevalent ransomware families that ThreatLabz has been tracking include BlackBasta, BlackCat, Clop, Karakurt, and LockBit, all of which pose a significant threat of financial losses, data breaches, and operational disruption to individuals and organizations of all sizes. It added that 25 new ransomware families were identified as using double extortion or encryption-less extortion attacks this year.

“Over the last year, the most-targeted market sector globally was manufacturing, where intellectual property and critical infrastructure are attractive targets for ransomware groups,” Zscaler said. “All ransomware groups tracked by Zscaler victimized businesses in this industry, which included companies engaged in goods production for sectors including automotive, electronics, and textiles – just to name a few. Zscaler research noted that the BlackBasta ransomware family was particularly interested in manufacturing organizations, targeting these types of businesses more than 26% of the time.”

The report also identified that the evolution of ransomware is characterized by the inverse relationship between attack sophistication and barrier of entry for new cybercriminal groups. “The barrier of entry has decreased, while cyberattacks have grown in sophistication, due to the prevalence of RaaS, a model where threat actors sell their services on the dark web for 70-80% of ransomware profits. This business model has continued to increase in popularity over the last few years as evidenced by the frequency of ransomware attacks, which increased by nearly 40% over the last year.”

It added that one of the most noteworthy trends that aligned with this growth in 2023 has been the growth of encryption-less extortion, a style of cyberattack that prioritizes data exfiltration over disruptive encryption methods.

“Ransomware-as-a-Service has contributed to a steady rise in sophisticated ransomware attacks,” Deepen Desai, global CISO and head of security research at Zscaler, said in a media statement. “Ransomware authors are increasingly staying under the radar by launching encryption-less attacks which involve large volumes of data exfiltration. Organizations must move away from using legacy point products and instead migrate to a fully integrated zero trust platform that minimizes their attack surface, prevents compromise, reduces the blast radius in the event of a successful attack, and prevents data exfiltration.”

In 2022, ThreatLabz observed 44 ransomware families that used a double or multiple extortion approach in their cyberattacks, compared to 19 such families in 2021. “The reason these types of attacks are popular is because after they encrypt the stolen data, attackers threaten to leak the data online to further increase the pressure on victims to pay,” it added.

Zscaler notes the increasing popularity of encryption-less extortion attacks, which skip the encryption step but employ the same tactic of threatening to leak victims’ data online if they don’t pay. The tactic results in faster and larger profits for ransomware gangs by eliminating software development cycles and decryption support. These attacks are also harder to detect and receive less attention from the authorities because they do not lock key files and systems or cause downtime associated with recovery.

Thus, encryption-less extortion attacks tend to not disrupt their victims’ business operations – which subsequently results in lower reporting rates. Originally, the encryption-less extortion trend started with ransomware groups like Babuk and SnapMC. Over the last year, researchers saw a number of new families adopt the tactic, including Karakurt, Donut, RansomHouse, and BianLian.

Over the past 12 months, there have been plenty of ransomware attacks, such as those on Toyota’s manufacturing plants, Dole’s supply chains, the U.K.’s South Staffordshire Water, and Thames Water, to name a few, Jonathon Gordon, directing analyst at Takepoint Research, wrote in the ‘Industrial Cybersecurity Technology, Solutions & Services – Buyer’s Guide 2023.’ “Ransomware attacks targeting IT networks and computers are, by far, the biggest threat to industrial enterprises. While malware and ransomware can specifically target OT systems, such as Stuxnet, Havex, Industroyer2, Triton, Pipedream, CosmicEnergy, and Snake, etc., IT-targeted malware that impacts industrial organizations such as EKANS, LockerGoga, and BlackEnergy3, etc., is more common.”

Gordon identified a growing awareness of attacks on critical infrastructure due to the increased transparency of impacted organizations. However, many stakeholders remain unaware of the magnitude of the current situation and are unprepared to effectively manage potential threats. “Another major concern is the lack of confidence critical infrastructure providers/manufacturers have in their current defenses and protections,” he added.

Zscaler suggests the adoption of a comprehensive zero-trust security strategy to combat the rising tide of increasingly sophisticated ransomware attacks. The approach entails implementing robust measures such as zero-trust network access (ZTNA) architecture, granular segmentation, browser isolation, advanced sandboxing, data loss prevention, deception technology, and cloud access security broker (CASB) solutions. By adopting these proactive defenses, organizations can fortify their security posture and effectively protect against ransomware attacks.
