Ransomware Criminals Aiming at Third-Party Vendors in Hunt for ‘Big Game’

By Jim Sams | October 19, 2023

Ransomware victims have become less likely to pay extortion demands, but cyber criminals are changing their tactics by hitting third-party vendors and using data exfiltration instead of encryption when making ransom demands, according to a new report by cyber insurer Resilience.

Resilience said that ransomware notices comprised 16.2% of total claims in the first half of 2023, but only 15% of its clients paid the extortionists. That is down from 21.4% of Resilience clients who paid ransom in 2022 and less than half of the 39.5% average rate of payment observed by its partner Coveware in the first half of 2023.

A separate report by Coveware, a cybersecurity company that specializes in cyberattack incident response, says the percentage of ransom demands that were resolved with the victim paying dropped from 85% in the first quarter of 2019 to 34% in the second quarter of 2023. Coveware said the numbers show the impact of increased investment in cybersecurity and incident response training.

Confronted with increasingly stingy victims, cybercriminals are returning to “big-game hunting,” the Resilience report says. Attackers are focusing on bigger targets, particularly those with sensitive data that may make them more willing to pay larger ransom demands. The attacks on MGM Resorts and Caesars Entertainment are two recent examples, the Resilience report says.

Cybercriminals are also going after third-party vendors. The Resilience report says that an attack on a third-party vendor was the point of failure for 28.9% of all claims during the first half of 2023, supplanting phishing attacks, previously the No. 1 point of failure for its policyholders.

Attacks against BBC, British Airways and other firms in May are one recent example of vendor risk, the report says. Hackers believed to be based in Russia breached a popular file transfer software called MOVEit to steal employees’ personal details and threatened to publish the information if they weren’t paid.

The cyber criminals behind the MOVEit attack did not attempt to encrypt data, Resilience said. Still, the hack affected at least 1,000 organizations and more than 60 million individuals whose data was stolen. The extortion gang is continuing to extort payments from victims, Resilience said.

While victims may be less likely to pay, the number of ransomware attacks is increasing and extortionists are demanding more money than ever. Resilience said it saw a 1,100% increase in ransomware incident notifications from the second quarter of 2022 to the second quarter of 2023. However, ransomware attacks dipped substantially in 2022, likely a result of the Russia-Ukraine War disrupting attackers' operations, Resilience said.

In a separate report, crypto analytics firm Chainalysis, which partners with Resilience, said ransomware gangs had extorted at least $449.1 million in the first half of 2023. At that pace, the total take will be only slightly less than the $939.9 million that was taken in 2021.

The International Underwriting Association of London also noted the increasing role that third-party vendors play in cybercrime in a white paper released Wednesday.

The association, in partnership with cyber analytics firm CyberCube, said modern businesses rely on an interlinked cyber supply chain that offers cybercriminals multiple points of attack. To manage risks, insurers need to be aware of the single points of failure within that supply chain.

“Mapping how that supply chain integrates into an organization’s business operations is fundamental in understanding the risk exposure and actions that an organisation can take to mitigate that risk,” the paper says.
