Ransomware remains one of the biggest cybersecurity threats that organizations and governments continue to face. However, hackers are engineering new ways to extract ransom from their victims as organizations take a conscious call to decline ransom payment demands. With the fall of the most notorious ransomware gang, Conti, in May 2022, it was assumed that ransomware attacks would see a major decline. However, Tenable found that 35.5% of breaches in 2022 were the result of a ransomware attack, a minor 2.5% decrease from 2021.

Payouts from ransomware victims, meanwhile, declined by 38% in 2022, and this has prompted hackers to adopt more professional and corporate tactics to ensure higher returns, according to Trend Micro's Annual Cybersecurity Report.

"Cybercriminals increasingly have KPIs and targets to achieve. There are specific targets that they need to penetrate within a specific time period. It has become a very organized crime because of the business model that the ransomware groups follow, because of which they have started increasing the pressure," said Maheswaran S, country manager at Varonis Systems.

The double extortion tactic

One of the tactics that is increasingly being used by ransomware groups is double extortion. In the double extortion method, the ransomware group, in addition to encrypting the files on the victim's systems, also downloads sensitive information from the victim's machine.

"This gives them more leverage, since now the question is not only about decrypting the locked data but also about leaking it," Mehardeep Singh Sawhney, a threat researcher at CloudSEK, said.

An example of this is the BlackCat ransomware gang. This ransomware gang can encrypt and steal data off the victim's machines and other assets running on them, for example, ESXi servers, CloudSEK said.

In March, ransomware group BianLian shifted the main focus of its attacks away from encrypting the files of its victims to focusing more on extortion as a means to extract payments, according to cybersecurity firm Redacted.

The triple extortion method

Some ransomware gangs go a step further and deploy the triple extortion method. In the triple extortion method, the ransomware gangs encrypt files, extract sensitive data, and then add distributed denial-of-service (DDoS) attacks to the mix. Unless the ransom is paid, not only will all the files remain locked, but even regular services will be disrupted through DDoS.

"Earlier, ransomware groups were focused on encryption, but now, with a collaboration with other groups, they are involved in data exfiltration as well as compromising the victim organization's website or carrying out DDoS attacks. The idea behind this is to add more and more pressure on the victim organization," Maheswaran said.

Contacting stakeholders of the victim organizations

Another tactic that ransomware groups use to add pressure on victim organizations is directly contacting the customers or stakeholders of the company being attacked. Since this adversely affects the reputation of the victim organization and can sometimes lead to financial losses that amount to more than the actual ransom, victim organizations tend to pay up, Maheswaran said.

The ransomware groups personally search out the victim's customers via email or calls, Sawhney said. An example of this is how the Cl0p ransomware group emailed stakeholders and customers of their victims, informing them that even their data would be leaked.

"Cl0p also maintained a website where a list of their victims and stakeholders was updated every day. This adds more pressure on the victim firm, making it seem like the fastest way to end the attack is to pay the ransom amount," Sawhney said.

Along with contacting customers and stakeholders, Lorenz ransomware and LockBit also leaked their ransom negotiations with victim organizations on their leak sites. "It can further damage the company's reputation and increase the perceived urgency of the ransom demand," cybersecurity firm Cyble said in a report.

Modifying the malware anatomy

The way in which malware is written has also changed, which has made detection difficult. Malware writers have now started using multiple techniques in order to evade sandbox detection and greatly slow incident response.

"For example, the BlackCat ransomware seen recently runs only if a 32-character access token is supplied to the executable," Sawhney said. This means that automated sandboxing tools will fail to analyze the sample unless the required arguments are supplied. That information can only be found through manual analysis of the sample, which takes a lot of time and expertise, putting a great deal of pressure on the victim firm during an incident.

Ransomware groups such as Agenda, BlackCat, Hive, and RansomExx have also developed versions of their ransomware in the programming language Rust. "This cross-platform language allows groups to customize malware for operating systems like Windows and Linux, which are widely used by businesses," Trend Micro said in a report. Using the Rust programming language makes it easier to target Linux and more difficult for antivirus to analyze and detect the malware, making it more appealing to threat actors.

The Russia-linked ALPHV group was the first ransomware to be coded in Rust. This group, which was the second most active ransomware in 2022, according to Malwarebytes, also created a searchable database on its leak site where employees and customers of its victims can search for their data. The group's "ALPHV Collections" allows anyone to use keywords to search for sensitive stolen information.

Another ransomware group, LockBit, even started its own bug bounty program. Bug bounty programs are generally run by organizations that invite ethical hackers to identify vulnerabilities in their software and report them in return for a reward. "With ransomware groups, it becomes a platform for hackers or cybercriminals to show their talent and discover new malware to be deployed," said Vijendra Katiyar, country manager for India at Trend Micro.

Safeguarding against ransomware attacks

While organizations are deploying more and more controls to protect the assets that store or access critical data, they don't necessarily deploy the right controls around the data itself, which is extremely important for making it difficult for an attacker to access or corrupt that data, according to Maheswaran.

For organizations to effectively respond to ransomware incidents, their cybersecurity solutions need to be responsive, agile, and easily scalable, and this is best achieved through a combination of the cloud and machine learning analytics, said Harshil Doshi, country director at Securonix.

"It is easier to avoid paying the ransom if you detect the risk before encryption occurs. Or you can avoid ransomware response workflows altogether by having an effective endpoint backup strategy," Doshi added.

Organizations should take the following steps to ensure that employees do not fall victim to a clever attacker:

- Reduce the blast radius: minimize the damage attackers could do by locking down access to critical data and ensuring that employees and contractors can access only the data they need to do their jobs.
- Find and identify critical data that's at risk. Scan for everything attackers look for, including personal data, financial data, and passwords.
- Embrace multifactor authentication. Enabling MFA makes an organization 99% less likely to get hacked.
- Monitor what matters most. Monitor how every user and account uses critical data and watch for any unusual activity that could indicate a possible cyberattack.

"It's also important for organizations to have SOPs for responding to and remediating ransomware incidents and have effective awareness programs to educate users to detect and report breaches," Maheswaran said.

CloudSEK suggests organizations create a backup of critical data and store it in a secure location. This way, even if their systems are infected with ransomware, they can restore their data from the backup. Organizations must also ensure their operating system, software, and security tools are up to date with the latest security patches and updates. They must use reputable antivirus and antimalware software and ensure that it is regularly updated, CloudSEK said.
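The "monitor what matters most" step and Doshi's point about detecting the risk before encryption completes can be made concrete with a small detector. The example below is added here and is not code from the article or from any vendor it quotes; the audit-log format, the account names and the thresholds are assumptions constructed for the example. It flags any account that modifies or renames an unusually large number of distinct files inside a short window, the pattern that mass encryption produces before the ransom note ever appears.

```python
from collections import defaultdict, deque
from datetime import datetime

# Constructed audit-log lines (the format is an assumption for this example):
# <ISO timestamp> <account> <action> <path>. Mass encryption shows up as a
# burst of WRITE/RENAME events across many distinct files by one account.
SAMPLE_LOG = """\
2023-04-03T09:00:01 alice READ /share/finance/q1.xlsx
2023-04-03T09:00:07 alice WRITE /share/finance/q1.xlsx
2023-04-03T09:05:00 svc-backup READ /share/hr/payroll.csv
2023-04-03T10:12:00 bob WRITE /share/hr/a.docx
2023-04-03T10:12:01 bob RENAME /share/hr/a.docx
2023-04-03T10:12:01 bob WRITE /share/hr/b.docx
2023-04-03T10:12:02 bob RENAME /share/hr/b.docx
2023-04-03T10:12:02 bob WRITE /share/hr/c.docx
2023-04-03T10:12:03 bob WRITE /share/hr/d.docx
2023-04-03T10:12:03 bob WRITE /share/hr/e.docx
"""

BURST_ACTIONS = {"WRITE", "RENAME"}


def parse_line(line):
    ts, user, action, path = line.split(maxsplit=3)
    return datetime.fromisoformat(ts), user, action, path


def find_bursts(log_text, window_seconds=60, max_distinct_files=4):
    """Return {account: ISO time the burst began} for every account that
    modifies or renames more than max_distinct_files distinct files within
    any sliding window of window_seconds. Lines are assumed time-ordered."""
    recent = defaultdict(deque)  # account -> deque of (timestamp, path)
    alerts = {}
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, user, action, path = parse_line(raw)
        if action not in BURST_ACTIONS:
            continue  # reads alone are normal; encryption has to write
        q = recent[user]
        q.append((ts, path))
        while (ts - q[0][0]).total_seconds() > window_seconds:
            q.popleft()  # age out events older than the window
        if len({p for _, p in q}) > max_distinct_files and user not in alerts:
            alerts[user] = q[0][0].isoformat()
    return alerts


if __name__ == "__main__":
    print(find_bursts(SAMPLE_LOG))  # {'bob': '2023-04-03T10:12:00'}
```

Tune window_seconds and max_distinct_files per share: a backup or build account legitimately touches many files, so exclude or whitelist those rather than raising the threshold for everyone.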