Crossroads of Cyber Crime: The Re-Victimization Phenomenon in Ransomware Attacks

In examining a dataset of over 11,000 organizations impacted by Cyber Extortion and ransomware attacks, a troubling trend emerges: many victims are notably repeated targets. This raises critical questions about the nature of these re-victimizations—are they a result of multiple attacks, affiliate crossovers where perpetrators shift to new operations involving the same victims, or are they due to stolen data being repurposed? Regardless, for the organizations involved, the implications are far from favorable.

To fully understand this complex landscape, we first assess the current and evolving threat environment represented within our latest research. A significant focus lies on the activities of law enforcement agencies, which may have inadvertently sparked a return to earlier tactics among cybercriminals striving to regain their footing in a disrupted ecosystem. The question remains: are these re-victimized organizations simply enduring a new wave of attacks, or are criminals adopting increasingly desperate measures to recoup losses after thwarted extortion attempts?

Insights from the Evolving Cyber Extortion Landscape

Cyber Extortion, often identified through ransomware, has garnered considerable attention in recent years, particularly since 2020 when Orange Cyberdefense began tracking the escalation of these threats. Recent findings from the Security Navigator 2024 report reveal a staggering 51% surge in attacks from Q4 2022 to Q3 2023. This discrepancy indicates the fluid nature of the cybercrime ecosystem, as our awareness of certain leak sites and victim data continued to evolve throughout our research.

Disturbingly, predicting future trends in Cyber Extortion remains challenging. While initial data indicates potential stabilization at current incident levels, historical patterns suggest an increasing victim count may emerge as the year progresses. Despite cautious optimism surrounding this plateau, declaring victory remains premature, as underlying complexities abound.

Twelve months post-discovery of the Security Navigator 2024 (SN24) dataset, victim numbers rose significantly, totaling 2,141 from Q4 2023 to Q1 2024, which echoes past years' data. This count nearly mirrors the total number of victims recorded throughout all of 2022. Notably, even as law enforcement pursued high-profile groups such as ALPHV and LockBit, these groups demonstrated resilience, quickly re-establishing their operations post-intervention. ALPHV was notably inactive by early March 2024, likely after executing an exit scam, a tactic that could disrupt trust within the ransomware ecosystem.

Unpacking the Disruption of Cyber Extortion Operations

Despite challenges faced by law enforcement in combating Cyber Extortion, their interventions provide valuable insights into the ecosystem. For example, the concept of the “dark number”—the unknown victims not represented on monitored leak sites—illustrates the potential scope of Cyber Extortion. Recent actions have uncovered victim counts several times higher than expected, suggesting the overall impact could range up to 67,000 across various groups.

One of the most active threat actors, Cl0p, accounted for 11% of recorded victims in 2023, yet recent data shows surprisingly few new postings on their leak site. This cyclical pattern of aggressive exploitation followed by abrupt inactivity raises questions about their operational strategies.

The dynamics surrounding active Cyber Extortion groups vary markedly, with some establishing enduring presences while others see swift disappearances. The Security Navigator 2024 report highlights a net increase in active Cyber Extortion groups compared to 2022. Our research identifies that over half of such operations degrade within 1 to 6 months. The increased influx of new groups compensates for the decline in established operations, reflecting the volatile nature of the Cyber Extortion landscape. Notable examples, such as LockBit3 and ALPHV, were categorized as “Persistent” for 2023.

This analysis informs the ongoing efforts from law enforcement and government agencies worldwide to dismantle the framework supporting Cyber Extortion. Over the last two and a half years, there has been a measurable increase in law enforcement's proactive measures, addressing cybercrime through 169 documented operations. Among the crime types addressed, Cyber Extortion drew the most attention, accounting for 14% of actions.

According to the recent Security Navigator report, 2023 saw increased efforts from law enforcement to disrupt cybercriminal infrastructure and hosting services often exploited by threat actors. From developing international task forces to intercepting ransom payments and seizing operational infrastructure, law enforcement strategies have evolved significantly. Interestingly, the downfall of ALPHV, initially showing resistance to law enforcement initiatives, culminated in their departure, potentially diminishing trust amongst affiliates within the Ransomware-as-a-Service (RaaS) model. Such dynamics may alter the landscape of victimization as affiliates assess the viability of their partnerships.

The Complicated Nature of Re-Victimization in Cyber Extortion

The Cyber Extortion ecosystem is multifaceted, characterized by various actors, roles, and strategies. This complexity is especially relevant when analyzing victim re-victimization trends, frequently observed since 2020. Recent analyses reveal that certain victims surface repeatedly, prompting further investigation into whether these are true repeat incidents or manifestations of systemic issues within the cybercrime model.

In tracking victims across data leak sites, our dataset reveals instances where organizations appear multiple times, either within short intervals or years apart. For ethical reasons, our methodology relies on matching victim names rather than examining the stolen data itself, which still gives a broad view of how victimization patterns manifest within the cyber threat landscape.

Critical to our inquiry is the pressing question of why specific victims endure repeated targeting. Three primary hypotheses emerge: the possibility of subsequent attacks against the same organization, the resale or re-leverage of compromised data to orchestrate further extortions, or the crossover of affiliate actors repurposing victim data across different plots. Each of these dynamics illustrates the financial motivations fueling cybercrime.

By analyzing over 100 instances of re-victimized organizations, we constructed a network graph that elucidates these relationships. The nodes signify different actors, color-coded to indicate primary posters and repeat posters of victim data. This graphical representation underscores the intertwined nature of Cyber Extortion, revealing how affiliates propagate victim details across operations while heightening the exposure of the same victims to various threats and harms. Such patterns reinforce the opportunistic character of Cyber Extortion, depicted as a high-volume game that thrives on exploiting multiple fronts for profit.
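The name-matching step and the actor graph described above can be sketched as follows. This is an added example, not the researchers' own code: the postings are constructed, the group names are placeholders, and the normalization rule and suffix list are assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import date

# Constructed sample postings: (leak-site actor, victim name as listed, date seen).
POSTINGS = [
    ("group_a", "Acme Logistics, Inc.", date(2022, 3, 1)),
    ("group_b", "ACME Logistics", date(2022, 9, 14)),
    ("group_a", "Northwind Health GmbH", date(2023, 1, 5)),
    ("group_c", "northwind-health", date(2023, 1, 20)),
    ("group_a", "Northwind Health", date(2023, 6, 2)),  # primary actor lists the victim again
    ("group_b", "Globex Retail Ltd", date(2023, 4, 9)),
]

# Assumed list of legal-form tokens to drop before comparing names.
LEGAL_SUFFIXES = {"inc", "llc", "ltd", "gmbh", "corp", "co", "sa", "plc"}

def normalize(name):
    """Lower-case, replace punctuation with spaces, drop trailing legal-form tokens."""
    tokens = re.sub(r"[^a-z0-9]+", " ", name.lower()).split()
    while tokens and tokens[-1] in LEGAL_SUFFIXES:
        tokens.pop()
    return " ".join(tokens)

def find_revictimized(postings):
    """Group postings by normalized name; keep victims listed more than once."""
    by_victim = defaultdict(list)
    for actor, name, seen in postings:
        by_victim[normalize(name)].append((seen, actor))
    return {v: sorted(p) for v, p in by_victim.items() if len(p) > 1}

def actor_edges(revictimized):
    """Directed edges: primary (earliest) poster -> each later poster of the same victim."""
    edges = Counter()
    for posts in revictimized.values():
        primary = posts[0][1]
        for _, actor in posts[1:]:
            edges[(primary, actor)] += 1  # a self-loop means the same actor re-posted
    return edges

if __name__ == "__main__":
    repeats = find_revictimized(POSTINGS)
    for victim, posts in repeats.items():
        print(victim, [(d.isoformat(), a) for d, a in posts])
    for (src, dst), n in actor_edges(repeats).items():
        print(f"{src} -> {dst}: {n}")
```

Name matching alone can merge unrelated organizations with similar names or miss renamed ones, so matches from a sketch like this need manual review before being counted as re-victimization.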

Ultimately, re-victimization not only complicates the existing framework of Cyber Extortion but further exacerbates the challenges faced by organizations previously impacted by such attacks. Recognizing these patterns can inform business leaders about the vulnerabilities inherent in their digital environments, emphasizing the importance of strengthening cybersecurity practices to mitigate the risks of future incidents.

Note: This piece has been meticulously prepared by Diana Selck-Paulsson, Lead Security Researcher at Orange Cyberdefense, and Wicus Ross, Senior Security Researcher at Orange Cyberdefense.