Russian ransomware group Lockbit 3.0 leading cyber attacker in Malaysia
Malaysia is no stranger to cybercrime, particularly ransomware. Over the last few years, the country has continued to experience increased cybercriminal activities despite measures taken by both the government and private sector. There have been increased cybersecurity awareness programs, courses, and regulations implemented to ensure businesses take regulations seriously, but the problem still remains.
Many Malaysians believe the reason for increased cybercrime in the country is the lack of accountability from organizations and government agencies. Regulations on data security have been introduced, yet companies that experience data breaches or leaks often are not charged or fined for them. Cybercriminals themselves frequently escape with data and ransom payments as law enforcers struggle to take them down.
While the government has introduced new measures and clearly indicated that cybersecurity is a significant problem that needs to be dealt with, the implementation and actions taken are still taking a long time. In the meantime, cybercriminals continue to launch attacks, be it through phishing emails or ransomware on local organizations.
In fact, ransomware and extortion cases in Malaysia increased by 37.5% in 2022, with 11 reported cases across key sectors. There is no confirmation on the figures for unreported cases as well. Findings by Palo Alto Networks’ Unit 42 indicate that threat actors are utilizing more aggressive tactics to pressure organizations, with harassment being involved 20 times more often than in 2021.
This harassment is typically carried out via phone calls and emails targeting a specific individual, often in the C-suite, or even customers, to pressure them into paying a ransom demand. The 2023 Unit 42 Ransomware and Extortion Report shares insights compiled based on findings from Unit 42’s incident response work from approximately 1,000 cases throughout the past 18 months.
According to the findings, attacks in the education and manufacturing sectors have been on the rise due to their high-value data and have emerged as top targets after experiencing relatively few incidents the previous year.
Interestingly, the Russian-linked ransomware gang, Lockbit 3.0, was revealed as the leading attacker in Malaysia. Lockbit was one of the most prolific ransomware groups of 2022. It ramped up activity around the start of the Russia-Ukraine war.
Globally, ransomware demands continued to be a pain point for organizations last year, with payments as high as US$7 million in cases that Unit 42 observed. The global median demand was US$650,000, while the median payment was US$350,000, indicating that effective negotiation can drive down actual payments.
From ransomware to extortion, cybercriminals are getting braver
Cybercriminals are carefully picking their victims these days. The findings from Unit 42 clearly indicate this. Not only have ransomware groups improved their targeting, but they are also layering extortion techniques for greater impact, with the goal of applying more pressure on organizations to pay the ransom. Some of these tactics include encryption, data theft, distributed denial of service (DDoS), and harassment. Data theft, which is often associated with dark web leak sites, was the most common of the extortion tactics, with 70% of groups using it by late 2022.
Currently, Unit 42 researchers see an average of seven new ransomware victims posted on leak sites, equating to one new victim every four hours. In fact, in 53% of Unit 42’s ransomware incidents involving negotiation, ransomware groups have threatened to leak data stolen from organizations on their leak site websites. This activity has been observed in a mix of new and legacy groups, indicating that new actors are entering the landscape to cash in as legacy groups have done. Established groups like BlackCat, LockBit, and others contributed to 57% of the leaks, with new groups trailing close behind at 43%.
In 2022, 30 organizations on the Forbes Global 2000 list were publicly impacted by extortion attempts. Since 2019, at least 96 of these organizations have had confidential files publicly exposed to some degree as part of attempted extortion. At least 75% of ransomware attacks handled by Unit 42’s Incident Response team resulted from attack surface exposures.