Gangs Using Ransomware Create a New Method of Cyber Extortion
The Global Research and Analysis Team (GRA) at Kaspersky has discovered a dangerous change in the tactics used by Fog Ransomware, a cybercriminal organization well known for its methodical attacks on a range of sectors. Rather than just encrypting victims' data and threatening to publish it, the group has started linking victims' IP addresses to the stolen data and making both publicly available on the dark web.
This new strategy amounts to an unprecedented increase in psychological pressure on victims: it makes breaches more visible and traceable, and it raises the possibility of regulatory fines for impacted organizations.
Details of the Fog Ransomware Attack:
The Fog Ransomware group offers Ransomware as a Service (RaaS), a business model in which malware developers lease their infrastructure and tools to other cybercriminals so they can launch attacks. The group first appeared in early 2024 and immediately gained notoriety for focusing on important industries like finance, entertainment, and education.
The group targets Windows and Linux operating systems and uses compromised virtual private network (VPN) credentials to access and encrypt victims' data, frequently in a matter of hours.
In the past, the Fog Ransomware group used double extortion, encrypting victims' data and threatening to make it public, to coerce them into paying the demanded ransom.
The group has now become the first to post both the IP addresses and the stolen data of its victims on the dark web after carrying out its attacks, which distinguishes it from other ransomware-as-a-service operations.
This strategy not only raises psychological pressure but also creates new risks: other criminals can use the exposed IP addresses as entry points for follow-up attacks like credential stuffing, or to direct malicious botnets at previously compromised organizations.
"Declining ransomware payments due to improved cyber defenses and tighter regulatory measures have prompted these attackers to develop new methods of extortion," said Mark Rivero, Chief Security Researcher at Kaspersky's Global Research and Analysis Team.
"Data leaks and publicly disclosing IP addresses may make it more likely that companies will comply with ransom demands in the future. This tactic may be used as a scare-mongering marketing strategy, with attackers showing off their strength to coerce potential victims into making a quick payment," he said.
Advice from Kaspersky experts:
Experts from Kaspersky advise businesses to follow these recommendations to guard against ransomware attacks:
- Provide training programs for employees so that they understand the basic principles of cybersecurity.
- Perform regular data backups and keep these copies in separate storage units isolated from the main network.
- Install reliable and approved security systems on all corporate devices and use an XDR solution to monitor suspicious activity on the network.
- Delegate threat detection and response tasks to a specialized company with advanced expertise in this field.