
Ransom Payouts Hit Record Levels Amid Social Engineering and Data Exfiltration Attacks

 

Ransomware payouts surged to unprecedented levels in the second quarter of 2025, driven largely by the rise of highly targeted social engineering schemes. According to new data from Coveware by Veeam, the average ransom payment skyrocketed to $1.13 million, representing a 104% jump compared to the previous quarter. The median ransom also doubled to $400,000, highlighting how even mid-tier victims are now facing significantly higher costs. Analysts attribute this spike to larger organizations paying ransoms in incidents where data was stolen rather than encrypted, marking a significant shift in extortion tactics.  

The study found that data exfiltration has now overtaken file encryption as the primary method of extortion, with 74% of attacks involving theft of sensitive information. Multi-extortion techniques, including delayed release threats, are also on the rise. Bill Siegel, CEO of Coveware by Veeam, described the findings as a pivotal moment for ransomware, explaining that threat actors are no longer focused solely on disrupting backups or locking systems. Instead, they increasingly exploit people, organizational processes, and the reputational value of stolen data. 

The report identified the leading ransomware variants for the quarter as Akira, responsible for 19% of incidents, followed by Qilin at 13% and Lone Wolf at 9%. Notably, Silent Ransom and Shiny Hunters entered the top five variants for the first time, reflecting the growing influence of newer threat groups. Among the most concerning trends was the heavy reliance on social engineering by groups such as Scattered Spider, Silent Ransom, and Shiny Hunters, who have shifted from broad, opportunistic attacks to precise impersonation schemes. By targeting help desks, employees, and third-party service providers, these actors have refined their ability to gain initial access and execute more lucrative attacks.  

Exploitation of known vulnerabilities in widely used platforms including Ivanti, Fortinet, VMware, and Microsoft services remains a common entry point, often taking place immediately after public disclosure of security flaws. At the same time, “lone wolf” cybercriminals armed with generic, unbranded ransomware toolkits are increasing in number, allowing less sophisticated actors to successfully infiltrate enterprise systems. Insider risks and third-party vulnerabilities also rose during the quarter, particularly through business process outsourcing firms, contractors, and IT service providers. Researchers warned that these external partners often hold privileged credentials but lack direct oversight, making them an attractive avenue for attackers. 

The professional services sector was hit hardest, accounting for 20% of all incidents, followed closely by healthcare and consumer services at 14% each. Mid-sized companies with between 11 and 1,000 employees represented 64% of victims, a range that attackers consider optimal for balancing ransom potential against weaker defenses. Before executing data theft or encryption, many attackers are spending additional time mapping networks, identifying high-value assets, and cataloging sensitive systems. This reconnaissance phase often blends in with normal administrative activity, using built-in system commands that are difficult to detect without contextual monitoring. Experts note, however, that detection can be improved by monitoring unusual enumeration activity or deploying deception techniques such as honeyfiles, decoy credentials, or fake infrastructure to trigger early alerts. 

Siegel emphasized that organizations must now treat data exfiltration as an immediate and critical risk rather than a secondary concern. Strengthening identity controls, monitoring privileged accounts, and improving employee awareness against social engineering were highlighted as essential steps to counter evolving ransomware tactics. With attackers increasingly blending technical exploits and psychological manipulation, businesses face mounting pressure to adapt their defenses or risk becoming the next high-value target.

Researchers Discover Landmark Ransomware Extortion: Automated SaaS Ransomware

 


The Omega (0mega) ransomware group extorted a company by targeting its SharePoint Online environment directly, rather than by compromising endpoints, the most common way such attacks begin. The group gained access to the unnamed company's Microsoft 365 tenant through a poorly secured administrator account with elevated permissions, used it to pull sensitive data out of the victim's SharePoint libraries, and then demanded a ransom for the stolen data.

Probably the first attack of its kind 

According to Glenn Chisholm, cofounder of the security firm Obsidian, which discovered the attack, most enterprise efforts to counter ransomware focus on endpoint protection, that is, on keeping ransomware from infecting systems.

Chisholm explained that, until now, companies have mitigated or prevented ransomware attacks mainly by investing in endpoint security. This attack shows that endpoint security alone is no longer sufficient: much of the data companies store and access now lives in SaaS applications, which was not the case previously.

The attack began with a poorly secured credential for one of the victim organization's service accounts, which held Microsoft 365 Global Administrator privileges. Besides the weak credential, the account had no multi-factor authentication (MFA) enabled, something most security experts agree is an essential control, particularly for accounts with privileged access.

Using the compromised account, the threat actor created, somewhat brazenly, a new user named "0mega" in the organization's Active Directory and granted it every permission it needed to wreak havoc in the environment: the Global Administrator, SharePoint Administrator, Exchange Administrator, and Teams Administrator roles. The actor then used the compromised admin credentials within the organization's SharePoint Online environment to make the 0mega account a site collection administrator, and removed all other administrators from the environment.

In SharePoint, a 'site collection' is a group of websites within a single web application that share a common owner, common settings, and the same administrator. Organizations with many distinct business functions tend to have a larger number of site collections.

Within about two hours, the attacker removed some 200 existing administrator accounts from the environment that Obsidian analyzed. Holding self-assigned privileges over the organization's SharePoint Online libraries, the threat actor then downloaded hundreds of files and sent them to a virtual private server (VPS) host associated with a Russian hosting provider. The exfiltration was automated with a publicly available Node.js module, sppull, which performs HTTP requests against SharePoint resources to pull files down. Once the data was out, the attackers used another Node.js module, got, to upload thousands of text files to the victim's SharePoint environment; these files told the organization what had just happened and served as the ransom note.
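Every step in the chain above lands in the Microsoft 365 unified audit log: the account creation, the role grants, the site collection admin grant, the removal of other administrators, and the bulk downloads. The Python below is an added example, not Obsidian's tooling or anything from the post, that stitches those operations back into a single finding per newly created account. The record fields are a simplified version of what Search-UnifiedAuditLog returns, and all records, tenant names, account names and URLs are constructed for illustration.

```python
from datetime import datetime, timedelta

# Directory roles whose grant to a brand-new account is itself suspicious.
PRIVILEGED_ROLES = {
    "Global Administrator", "SharePoint Administrator",
    "Exchange Administrator", "Teams Administrator",
}


def build_sample_log():
    """Constructed audit records (simplified Search-UnifiedAuditLog shape).

    One benign user creation, then a compromised admin (svc-sync) creates a
    backdoor account, grants it admin roles and site collection admin rights,
    the backdoor account strips existing admins and bulk-downloads files.
    All names and URLs are fictitious.
    """
    t0 = datetime(2023, 6, 2, 3, 10, 0)

    def rec(offset_s, operation, actor, target, **extra):
        r = {"CreationTime": (t0 + timedelta(seconds=offset_s)).isoformat(),
             "Operation": operation, "UserId": actor, "ObjectId": target}
        r.update(extra)
        return r

    attacker = "svc-sync@contoso.example"
    backdoor = "0mega@contoso.example"
    site = "https://contoso.sharepoint.com/sites/finance"
    log = [
        rec(-3600, "Add user.", "hr-admin@contoso.example", "newhire@contoso.example"),
        rec(0, "Add user.", attacker, backdoor),
    ]
    for i, role in enumerate(sorted(PRIVILEGED_ROLES)):
        log.append(rec(30 + 5 * i, "Add member to role.", attacker, backdoor, Role=role))
    log.append(rec(120, "SiteCollectionAdminAdded", attacker, backdoor, SiteUrl=site))
    for i in range(25):  # existing administrators removed one by one
        log.append(rec(200 + 3 * i, "Remove member from role.", backdoor,
                       f"admin{i:02d}@contoso.example", Role="Global Administrator"))
    for i in range(300):  # scripted bulk download from the library
        log.append(rec(600 + i, "FileDownloaded", backdoor,
                       f"{site}/Shared Documents/report_{i:03d}.docx"))
    return log


def detect_chain(records, window_hours=2, min_removals=10, min_downloads=100):
    """One finding per newly created account that receives a privileged role.

    Later stages (site collection admin, mass admin removal, bulk download by the
    new account or its creator) are attached when present and raise the severity.
    """
    recs = sorted(records, key=lambda r: r["CreationTime"])
    findings = []
    for r in recs:
        if r["Operation"] != "Add user.":
            continue
        created = datetime.fromisoformat(r["CreationTime"])
        new_acct, creator = r["ObjectId"], r["UserId"]
        horizon = created + timedelta(hours=window_hours)
        roles, removals, downloads, site = set(), 0, 0, None
        for s in recs:
            t = datetime.fromisoformat(s["CreationTime"])
            if not created <= t <= horizon:
                continue
            op, actor, target = s["Operation"], s["UserId"], s["ObjectId"]
            if (op == "Add member to role." and target == new_acct
                    and s.get("Role") in PRIVILEGED_ROLES):
                roles.add(s["Role"])
            elif op == "SiteCollectionAdminAdded" and target == new_acct:
                site = s.get("SiteUrl")
            elif op == "Remove member from role." and actor in (new_acct, creator):
                removals += 1
            elif op == "FileDownloaded" and actor == new_acct:
                downloads += 1
        if not roles:
            continue  # a plain new user is normal; a new user with admin roles is not
        stages = {"privileged_roles": sorted(roles)}
        if site:
            stages["site_collection_admin"] = site
        if removals >= min_removals:
            stages["admins_removed"] = removals
        if downloads >= min_downloads:
            stages["files_downloaded"] = downloads
        findings.append({"new_account": new_acct, "created_by": creator,
                         "created_at": r["CreationTime"], "stages": stages,
                         "severity": "critical" if len(stages) >= 3 else "high"})
    return findings


if __name__ == "__main__":
    for f in detect_chain(build_sample_log()):
        print(f["severity"], f["new_account"], f["stages"])
```

The first stage alone, a freshly created account receiving Global Administrator, already justifies an alert; the later stages only raise the severity. The control that would have cut the chain off at the start is requiring MFA and just-in-time activation for every privileged role, service accounts included.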

Endpoints are not compromised 


Ransomware groups most commonly reach SaaS applications by compromising an endpoint, encrypting or exfiltrating files, and then moving laterally as needed to spread further, Chisholm explains. Here the attackers instead used a compromised credential to log into SharePoint Online with administrative privileges, granted those privileges to a newly created account, and ran scripts that automatically exfiltrated data to a rented host at VDSina.ru. The threat actor never compromised an endpoint and never ran a ransomware executable.

Chisholm said this is, to Obsidian's knowledge, the first publicly recorded instance of automated SaaS ransomware extortion.

According to Chisholm, Obsidian has observed more attacks on enterprise SaaS environments in the last six months than in the previous two years combined, and it expects the trend to continue. He links the rise to organizations putting sensitive, confidential, and regulated data into SaaS applications without assessing how well those applications protect it; they do not scrutinize their SaaS platforms the way they scrutinize endpoint technology, he contends.

Organizations should make sure their SaaS environments have proactive risk management tools in place before an incident occurs. Others have reported similar trends.

Security firm AppOmni reports that attacks on Salesforce Community Sites and other SaaS applications have risen 300% since March 1, 2023. The most common attack vectors it identified are excessive permissions granted to guest users, excessive permissions on objects and fields, and over-broad privileged access to sensitive data.

According to an Odaseva report published last year, 48% of respondents said that over the past year, their organization had been hit by a ransomware attack. SaaS data has been the target of more than half of those attacks (51%).