Ransomware Attackers Eyeing 'Pure Data-Leakage Model'
Facing Intense Scrutiny, Attackers Retool, Says Cybercrime Researcher Bob McArdle
A funny thing happened on the way to the nonstop ransomware payday for some criminals: They hit the wrong targets.
After ransomware attacks by Russian-language group Conti against Ireland's health service in May, DarkSide against U.S.-based Colonial Pipeline the same month, and REvil against remote management software firm Kaseya in July, the Biden administration has been moving to much more aggressively disrupt the ransomware business model. The White House has also called out the Russian government for not doing more to police criminals acting from within its borders and threatened to disrupt such operations unless Moscow acts.
Feeling the heat, some leading Russian-language cybercrime forums have announced bans or restrictions on ransomware discussions and recruitment, says Bob McArdle, director of cybercrime research at security firm Trend Micro.
In addition, some ransomware groups have been exploring whether they might shift to just stealing data and attempting to extort organizations - as, for example, the Clop group did starting in December 2020, when it stole data from Accellion File Transfer Appliance users and held it for ransom, he says.
"We're seeing some groups discussing about just moving to the pure data-leakage model," McArdle says. "Plus, 'We will tell all your customers that we're about to leak your data.' Just those two components. And especially in industries that are tightly regulated, like healthcare or something like that, where if you're breached, that can cost a fortune, then that's a very good target to go after for criminals."
In this video interview with Information Security Media Group, McArdle also discusses:
- The move to ban or restrict ransomware discussions and recruitment on some leading Russian-language cybercrime forums;
- How ransomware operations are continuing to refine their business model to target bigger organizations;
- Why banning payments to ransomware groups would do little more than "revictimize victims."
McArdle is responsible for managing part of Trend Micro's Forward-Looking Threat Research Team, which focuses on cybercrime and criminal underground research, but also researches potential new attack vectors and emerging technologies.