Nvidia and Samsung: Ransoms Without Ransomware, Data Corruption and Other New Tactics in Cyber Extortion

Ransomware Evolves: From Encryption to Data Extortion and Corruption

Cybercriminals behind ransomware attacks are shifting tactics, moving away from traditional full encryption toward faster, more flexible extortion methods. This evolution reflects a broader trend where threat actors prioritize efficiency, leverage stolen data, and adapt to defensive measures, creating a spectrum of data-destructive techniques.

The Shifting Ransomware Landscape

Once defined by full data encryption, ransomware operations now encompass a range of strategies, from pure data theft to partial or intermittent encryption. This shift is driven by the need for speed, reduced detection risk, and the growing profitability of extortion. Ransomware-as-a-Service (RaaS) programs have further lowered the barrier to entry, enabling even low-skilled actors to launch sophisticated attacks with support structures akin to legitimate businesses.

The Spectrum of Data Extortion

Modern ransomware operators now occupy different positions on a "data destructiveness" spectrum:

  • No Encryption, Pure Extortion: Groups like Karakurt and Lapsus$ bypass encryption entirely, instead stealing sensitive data and threatening to leak or auction it. Karakurt, linked to the defunct Conti syndicate, targets organizations across industries by exploiting vulnerabilities in exposed services (e.g., outdated Fortinet VPNs) or purchasing access from initial access brokers (IABs). Lapsus$, known for high-profile breaches (Nvidia, Samsung, Okta, Microsoft), relies on stolen credentials, phishing, and social engineering, including SIM-swapping, to bypass multi-factor authentication (MFA). Unlike Karakurt, Lapsus$ also seeks notoriety alongside financial gain.

  • Data Corruption: Some actors, like those using the Exmatter tool, corrupt files by replacing chunks of data with unrelated content. This method is faster than encryption, harder to reverse, and eliminates the risk of decryption tools being developed by researchers. Corruption also avoids the technical complexities of encryption, reducing the chance of implementation flaws.

  • Partial Encryption: Ransomware families like BlackCat, BlackBasta, Agenda, Qyick, and the newer Royal employ intermittent encryption, targeting only portions of files. This approach speeds up attacks, especially for large files, while evading detection by security tools that monitor file I/O intensity or entropy changes. Royal, for example, skips encrypting blocks of data based on operator-defined parameters, balancing speed and impact.
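
The entropy point above can be seen from the defender's side in this added example, which is not from the original article or any vendor tool: a whole-file entropy check stays below its alert threshold when only some blocks are high-entropy, while a per-block profile exposes the interleaved pattern. The block size, the threshold, the verdict names and the in-memory sample buffers are all assumptions constructed for illustration.

```python
import math
import random
from collections import Counter

BLOCK = 4096   # assumed analysis block size in bytes
HIGH = 7.5     # assumed bits-per-byte threshold for "looks encrypted or random"

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string, in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def assess(data: bytes, block: int = BLOCK, high: float = HIGH) -> dict:
    """Compare whole-file entropy with a per-block entropy profile."""
    profile = [shannon_entropy(data[i:i + block]) for i in range(0, len(data), block)]
    hot = [i for i, e in enumerate(profile) if e >= high]
    ratio = len(hot) / len(profile) if profile else 0.0
    if not hot:
        verdict = "clean"
    elif ratio >= 0.9:
        verdict = "fully-high-entropy"
    else:
        verdict = "partial"   # high-entropy blocks interleaved with normal ones
    return {"whole_file": shannon_entropy(data), "hot_blocks": hot,
            "hot_ratio": ratio, "verdict": verdict}

def constructed_samples() -> dict:
    """Constructed in-memory buffers standing in for files (not real data)."""
    line = b"2022-10-01 12:00:00 INFO service heartbeat ok\n"
    clean = (line * (16 * BLOCK // len(line) + 1))[:16 * BLOCK]
    rng = random.Random(1234)  # fixed seed so the samples are reproducible
    noise = lambda: bytes(rng.randrange(256) for _ in range(BLOCK))
    # Every 4th block is random bytes: the on-disk shape a detector must recognise
    partial = b"".join(noise() if i % 4 == 0 else clean[i * BLOCK:(i + 1) * BLOCK]
                       for i in range(16))
    full = b"".join(noise() for _ in range(16))
    return {"clean": clean, "partial": partial, "full": full}

if __name__ == "__main__":
    for name, buf in constructed_samples().items():
        r = assess(buf)
        print(f"{name:8s} whole={r['whole_file']:.2f} "
              f"hot={r['hot_blocks']} -> {r['verdict']}")
```

Compressed and media formats are high-entropy by nature, so a profile like this is only meaningful when compared against a known-good baseline for the same file or file type.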

Why the Shift?

Several factors drive this evolution:

  • Speed: Full encryption is time-consuming and increases the risk of detection. Partial encryption or corruption allows attackers to move quickly, demanding ransoms before defenses can respond.
  • Leverage: Stolen data alone can be enough to extort victims, particularly if it includes sensitive or proprietary information. Threatening leaks or auctions adds pressure without the need for destructive payloads.
  • Avoiding Decryption: Corruption and partial encryption reduce the likelihood of security researchers developing decryption tools, as they did for past ransomware strains like Lorenz and MafiaWare666.
  • Hybrid Models: Some actors may switch between pure extortion and destructive techniques based on the value of stolen data, adopting a flexible approach to maximize payouts.

Future Trends

The ransomware ecosystem is expected to diversify further, with:

  • More extortion-only groups emerging, particularly those targeting high-value data without deploying ransomware.
  • Increased use of corruption and partial encryption to balance speed and impact.
  • Hybrid attacks where actors combine data theft with selective destruction, tailoring their approach to the victim’s profile.

This shift underscores the professionalization of cybercrime, where threat actors refine tactics to evade defenses, exploit vulnerabilities, and maximize profits, whether through encryption, corruption, or pure extortion. As the landscape evolves, defenders must adapt to a broader range of attack methods beyond traditional ransomware.

Source: https://www.sentinelone.com/blog/ransoms-without-ransomware-data-corruption-and-other-new-tactics-in-cyber-extortion/

Samsung Electronics cybersecurity rating report: https://www.rankiteo.com/company/samsung-electronics

NVIDIA cybersecurity rating report: https://www.rankiteo.com/company/nvidia

"id": "SAMNVI1775781329",
"linkid": "samsung-electronics, nvidia",
"type": "Cyber Attack",
"date": "10/2022",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'industry': 'Technology',
                        'name': 'Nvidia',
                        'type': 'Corporation'},
                       {'industry': 'Technology',
                        'name': 'Samsung',
                        'type': 'Corporation'},
                       {'industry': 'Identity Management',
                        'name': 'Okta',
                        'type': 'Corporation'},
                       {'industry': 'Technology',
                        'name': 'Microsoft',
                        'type': 'Corporation'}],
 'attack_vector': ['Exploiting vulnerabilities in exposed services',
                   'Stolen credentials',
                   'Phishing',
                   'Social engineering (SIM-swapping)',
                   'Initial Access Brokers (IABs)'],
 'data_breach': {'data_encryption': ['Partial', 'Intermittent'],
                 'data_exfiltration': True,
                 'personally_identifiable_information': True,
                 'sensitivity_of_data': 'High',
                 'type_of_data_compromised': ['Sensitive data',
                                              'Proprietary information',
                                              'Personally Identifiable '
                                              'Information (PII)']},
 'description': 'Cybercriminals behind ransomware attacks are shifting '
                'tactics, moving away from traditional full encryption toward '
                'faster, more flexible extortion methods. This evolution '
                'reflects a broader trend where threat actors prioritize '
                'efficiency, leverage stolen data, and adapt to defensive '
                'measures, creating a spectrum of data-destructive techniques.',
 'impact': {'brand_reputation_impact': True,
            'data_compromised': True,
            'identity_theft_risk': True},
 'initial_access_broker': {'entry_point': ['Exploiting vulnerabilities in '
                                           'exposed services',
                                           'Stolen credentials',
                                           'Phishing']},
 'lessons_learned': 'The ransomware landscape is evolving toward faster, more '
                    'flexible extortion methods, including pure data theft, '
                    'partial encryption, and data corruption. Defenders must '
                    'adapt to a broader range of attack methods beyond '
                    'traditional ransomware.',
 'motivation': ['Financial gain', 'Notoriety', 'Data extortion'],
 'post_incident_analysis': {'root_causes': ['Exploiting vulnerabilities in '
                                            'exposed services (e.g., outdated '
                                            'Fortinet VPNs)',
                                            'Stolen credentials',
                                            'Phishing',
                                            'Social engineering (SIM-swapping)',
                                            'Use of Initial Access Brokers '
                                            '(IABs)']},
 'ransomware': {'data_encryption': ['Partial',
                                    'Intermittent',
                                    'None (pure extortion)'],
                'data_exfiltration': True,
                'ransomware_strain': ['Karakurt',
                                      'Lapsus$',
                                      'BlackCat',
                                      'BlackBasta',
                                      'Agenda',
                                      'Qyick',
                                      'Royal',
                                      'Exmatter',
                                      'Lorenz',
                                      'MafiaWare666']},
 'threat_actor': ['Karakurt',
                  'Lapsus$',
                  'BlackCat',
                  'BlackBasta',
                  'Agenda',
                  'Qyick',
                  'Royal',
                  'Conti syndicate',
                  'Exmatter tool operators',
                  'Lorenz',
                  'MafiaWare666'],
 'title': 'Evolution of Ransomware Tactics: From Encryption to Data Extortion '
          'and Corruption',
 'type': 'Ransomware',
 'vulnerability_exploited': ['Outdated Fortinet VPNs']}