Skip to main content
Security Scorecard

Extortion and Adaptability: Ransomware Motives Remain Consistent as Tactics Change

By Dr. Robert Ames, Staff Threat Researcher
Posted on September 30th, 2022


Ransomware has traditionally revolved around the encryption of victims’ files. But even if encryption remains ransomware groups’ most common approach, it isn’t really their priority–extortion is. Financially-motivated cybercriminals care more about extracting payment from their victims than they do about the particular methods used to achieve that goal.

That being the case, the recent news that the BlackCat/ALPHV ransomware group has threatened to destroy victim data instead of encrypting it likely reflects a wider tendency toward flexibility and innovation among ransomware groups. Recent years have shown that ransomware groups are quite willing to alter their Tactics, Techniques and Procedures (TTP)s, both in terms of how they access victim systems and their methods of extorting their victims; findings from SecurityScorecard’ssummer and fall 2022 research likely reflect this broader tendency.

Initial Access

Originally phishing was the main tactic attackers would employ for initial access to a system on which they hoped to deploy ransomware. More recently, exposed RDP ports and the use of leaked credentials have become other common attack vectors.. Neither of these by-now familiar approaches have died out, but SecurityScorecard has also observed two additional possible methods of initial access while researching Summer 2022 ransomware attacks against public institutions in the U.S., which may represent novel TTPs on the part of the ransomware operators (or initial access brokers) employing them: attacks against SSH services and the use of the Cryxos malware to facilitate social engineering attacks against victim organizations.

In several investigations, including one with publicly available findings, researchers have observed considerable amounts of traffic between port 22 of victim IP addresses (port 22 is the standard port for SSH traffic) and IP addresses that SecurityScorecard’s Attack Service Intelligence (ASI) tool or other sources have previously linked to brute force attacks against SSH services in the months leading up to public disclosures of ransomware attacks against those organizations.

This may suggest that attackers either launched brute force attacks against (or otherwise attempted to access) victim SSH services prior to deploying ransomware to victim systems. Since researchers have not previously linked the ransomware group involved in this incident to SSH brute force attempts, this traffic may represent a novel dimension of their activity, although it is not unheard of for ransomware groups to use SSH brute force attacks to access victim systems: 2016 research linked the FairWare ransomware group to such attacks, and Intezer observed ransomware groups employing it in 2019.

Findings in more recent research have suggested that the early stages of the attacks employed the Cryxosfamily of malware. In one recent investigation into a ransomware attack against a US school district, SecurityScorecard uncovered a collection of malicious files that may indicate that social engineering attacks against the school district preceded the deployment of ransomware. A collection of fifty-four HTML files with embedded javascript, which may have been involved in an earlier stage of compromise culminating in the encryption of this school district’s systems, appeared on VirusTotal throughout July and August. These files either contain district URLs or email addresses, and vendors have detected them as a variety of trojans with Trojan.WIN32.cryxos.5913 being a particularly common detection.

Cryxos is a family of malicious javascript files that display fraudulent alerts to users visiting the malicious or compromised web pages hosting those files. These files typically enable tech support scams: they warn the user that their computer has been infected by a virus and direct them to call a threat actor-controlled telephone number. Usually, the attackers will take the call as an opportunity to collect payment information from the victim, framing it as legitimate payment for their “services” (their assistance in removing a non-existent virus from the victim’s computer). However, in some cases, attackers will use the call to direct the victim to install software that gives the attackers remote access to their computer.

Given this behavior, we can then speculate that in the case of this school district, attackers were able to obtain remote access to systems when a school district employee called the number displayed in a warning that appeared when they visited the webpage of a school in the district and installed remote-access software as directed by attackers masquerading as support personnel. While tech support scams are quite familiar, and it is fairly common for ransomware attacks to begin with social engineering, the use of this particular variety of social engineering would be more novel, should this collection of files be linked to the recent ransomware incident.


The new capabilities discovered by Stairwell and Cyderes, which raise the possibility that ransomware groups will threaten to destroy data during a ransom attempt, may be the latest evidence that these groups’ approaches to extortion are also continuing to evolve. As with previous adaptations like secondary extortion, it appears to reflect a tendency for the amount of pressure applied against victims during a ransomware incident to increase.

In ransomware’s early days, ransomware groups would simply demand a ransom after encrypting files on a victim system. Then, 2020 saw the rise of secondary extortion, with ransomware groups applying additional pressure by threatening to publish data exfiltrated from victim systems on data leak sites. Some groups, feeling the need to apply additional pressure, also developed tertiary extortion tactics, in some cases attempting (or threatening) further disruption of victim operations by launching distributed denial-of-service (DDoS) attacks against them.

SecurityScorecard has also observed ransomware groups taking increasingly aggressive steps to pressure their victims to pay ransom in its own incident response efforts. In addition to the secondary and tertiary extortion methods mentioned above, attackers have taken more personal steps in recent incidents, contacting friends and family members of executives of some affected organizations to exert additional pressure. Together, these changes indicate that the amount of pressure attackers apply to victims has gradually been increasing. This may reflect a need on the part of the attackers to increase the amount of pressure they apply when extracting payment from their victims.


Threat actors are always looking for methods to make their victims more likely to pay out, the threat of data destruction being one of them. Fortunately, existing security controls to prevent ransomware still work in this case, namely maintaining timely back-ups to offsite servers. Secondary extortion may, in some ways, be an attempt by threat actors to maintain pressure on those targets who have maintained timely back-ups. In such cases, the addition of data exfiltration to encryption would not only attempt to deny victims access to their data but present the additional threat that attackers may dump the data or sell on the dark web even if victims can restore their data from back-ups.

That being said, the threats of data leaks and data destruction both reflect ransomware operators’ willingness to apply pressure to extortion targets in new ways. Despite their different particularities, both approaches likely also reflect a single, persistent trend: just as financially-motivated threat actors are, in general, likely to continue to evolve and remain adaptable as long as there is money to be made from criminal activity, so too are ransomware groups likely to continue to develop new ways to pressure victims.

Return to Blog
Join us in making the world a safer place.