Companies increasingly ‘re-victimized’ by cybercriminals

Cybercriminals are increasingly trying to extort companies multiple times when their data has been captured. That’s according to Cy-Xplorer 2024, the latest report from Orange Cyberdefense. The researchers note a worldwide increase in so-called ‘re-victimization’.

The number of companies facing extortion by cybercriminals in the past 12 months has increased 77 percent from the previous year. More worryingly, however, the number of companies affected multiple times increased by a considerable 127 percent from 2022. The researchers also set the most recent figures alongside those of 2020, which puts the increase at an even more alarming 1,533 percent. Preliminary figures from this year show that the trend continues.

Patterns of re-victimization

According to Orange Cyberdefense’s report, three patterns lead to re-victimization. First, the same threat actor attacks a victim repeatedly. Second, criminals repeatedly share victims’ data on leak sites, sometimes with years in between.

Finally, hackers sell data on dark web marketplaces, leading to new attacks. Thus, when companies have not taken adequate measures earlier, they become vulnerable to new attacks along the same ‘attack vectors’, even if months or years have passed.

The role of affiliates

So-called ‘affiliates’, cybercriminals who collaborate with multiple rogue parties, play an important role in re-victimization. Matthijs van der Wel-ter Weel, strategic advisor at Orange Cyberdefense Netherlands, explains that affiliates can sell or share access to systems obtained during a previous attack with other groups. These groups then carry out their own attacks, often with great success, by reusing previously obtained information.

Van der Wel-ter Weel says, “This reuse of data leads to an increased risk of repeated attacks, as different groups exploit the same vulnerabilities repeatedly.”

To prevent companies from becoming victims of multiple attacks based on the same vulnerabilities or past leaks, Orange Cyberdefense advises a thorough forensic analysis after an initial attack to identify and fix vulnerabilities. They also advocate for implementing intrusion detection and prevention systems (IDS/IPS) to detect and block suspicious activity in advance.

Monitor consistently and refuse to pay

It is also advisable to conduct regular pen tests to discover and fix vulnerabilities. Concerning access management, companies should strictly monitor permissions to prevent unauthorized network access. Furthermore, the advice is to use the services of third-party security professionals (Managed Detection & Response, or MDR) for ongoing monitoring and immediate incident intervention.

Finally, Orange Cyberdefense advises against paying ransoms, even if insurers cover them. This can prevent cybercriminals from viewing a company as ‘easy prey’ that will pay up no matter what. A recent high-profile example of a company that refused to pay was Belgian brewery Duvel-Moortgat. The company didn’t get its data back, but it didn’t make the criminals any richer either, at least not by paying ransom.

Orange Cyberdefense’s full report can be downloaded here.