Orange Cyberdefense Reports Changing Trends in Cyber Extortion and Ransomware

March, 2023

With cyber threats on the rise, organizations need to secure their hybrid technology environments to protect their operations and their customers. Ransomware and cyber extortion are not only becoming more common but more damaging to enterprises. As cyberattacks become more sophisticated, often supported by nation-states, they are leading to high-profile and embarrassing releases of customer data.

These threats are global, and with tools and platforms readily available on the dark web, amateurs can easily engage in cybercrime. Orange Cyberdefense, which held an analyst event in Antwerp, Belgium, followed a few days later by a customer and partner event in London, England, at the end of November 2022, is countering these threats by providing new managed security services offerings, including increased threat intelligence, and supporting secure access service edge (SASE). At both events, the company emphasized that it wants to expand its partnership with providers, VCs, academia, NGOs, and others to maintain the highest possible level of cybersecurity service.

From Ransomware to Cyber Extortion or Cy-X

The ransomware attack on the Colonial Pipeline and the latest series of distributed denial-of-service attacks on US airport websites show how hacking has become an organized business.

Orange Cyberdefense specialists noted that the amount of money ransomware attackers are asking for has doubled over the course of the last two years. This is now often coupled with the growing adoption of publicly naming and shaming ransomware victims by attackers. This “double extortion” involves using leak websites on the dark web created by threat actors to publicly post sensitive data and thus apply further pressure for a company to pay the ransom.

A recent example happened on November 9, 2022, when a ransomware group leaked customer records for a leading Australian health insurance company, Medibank, after it refused to pay a ransom. These records included sensitive details on about 9.7M people.

To better understand what is happening in the ransomware space, Orange Cyberdefense specialists have been working with others in the industry to clarify and standardize the terminology. For the criminal act of extorting ransom from a victim, Orange Cyberdefense uses the term “cyber extortion” or Cy-X. Cy-X is a form of computer crime in which the security of a corporate digital asset (confidentiality, integrity, or availability) is compromised and exploited to extort payment.

Figure 1 shows the number of Cy-X enterprise victims who had their data placed on leak sites since 2020. While month-to-month numbers vary, it is clear there are more of these types of attacks than at the beginning of 2020.


Orange Cyberdefense specialists noted that large, English-speaking economies have typically been the most impacted by cyber extortion. However, they observed that starting in 2021 and continuing through 2022, the location of victims seems to be shifting from the US and Canada, through the UK and Western Europe, and toward the rest of the world.

Orange Cyberdefense concludes that while some countries (the US, Canada, and the UK) may be able to manage or limit the amount of cyber extortion as they mitigate these attacks, the attacks will only spill over to other, smaller, non-anglophone countries less capable of responding.

They also reported noticeable additions to the traditional sources of cyberattacks. Such attacks are now being perpetrated by operators who are less technically skilled than earlier attackers and who use ransomware platforms and tools available on the dark web. This, again, will lead to a more widespread set of targets, as these new threats look for less protected victims.

Charl van der Walt, Head of Security Research, Orange Cyberdefense, said, “Think of the obstacles presented to extortionists by language and business culture as a low dam wall. While the systemic factors that enable cyber extortion remain in place (as they have), the ‘water level’ will continue to rise. Even if the crime can no longer flow comfortably into the familiar, large, English-speaking countries, it will still want to flow somewhere. Eventually, we expect it to break its banks, overcoming the limited obstacles impeding its course, and continuing its steady flow.”

Scaling Up Support for Customer Organizations’ Cyber Defenses

While cyber threats increase, organizations continue to secure their hybrid environments by refreshing, enabling, and standardizing security controls deployment to address trends emerging around cloudification, Industry 4.0, and the convergence of 5G and software-defined networking.

As the threat environment becomes more complicated and advanced, it also implies that enterprise reliance on service providers for specialized cybersecurity needs will increase.

Progressive service providers are aware of the evolving needs of the enterprise customer and have introduced necessary services either in-house or in collaboration with their partner ecosystem to strengthen the defense against sophisticated attacks.

Avasant noted in a Research Byte, “Network and Digital Services were Never More Vital,” September 2022, that Orange Cyberdefense is one of the biggest growth engines for the Orange Group, with €977M in revenue, and is aiming to become a €1B business by 2023.

At two events in November 2022, Orange Cyberdefense announced that it was on track to achieve these targets. The company indicated it was involved in an ambitious initiative called “Faster Ahead” in which it is now intent on becoming #1 in the managed security services space in Europe, with sales of €3B by 2027. In support of this initiative, Orange Cyberdefense announced it will continue to grow by acquisition, with two Swiss organizations, SCRT and Telsys, joining the organization in the last few months to enhance its leadership.

The Faster Ahead initiative will allow Orange Cyberdefense to provide better security outcomes for its customers, leveraging its internal and external ecosystem by building on its DNA, centered on threat intelligence, research, and its own IP.

Orange Cyberdefense continues to scale up and improve its offerings to support customers. In addition to the solutions and initiatives discussed at the July 6–7, 2022 Orange Business Services Analyst Event, reported in our September 2022 Research Byte, Orange Cyberdefense’s November meetings focused on the following areas to help enterprises prevent ransomware attacks:

  1. Threat intelligence

Orange Cyberdefense reported that they were strengthening their actionable threat intelligence to constantly fuel and adapt their offerings to ensure continuous security for their customers.

Enterprises are moving from a reactive to a proactive SOC and automating the triage process and incident response. This includes using ML and data science to model attacker behavior and identify threats before they occur.

In fact, service providers are taking the following measures to augment their threat detection and response capabilities:

    • Partnering with security specialist firms to contextualize and accelerate threat detection and automate incident response time
    • Collaborating with regional players to codevelop sovereign solutions specifically to handle ransomware attacks
    • Leveraging cloud service providers’ security capabilities to address cloud security and configuration challenges, including 24×7 event monitoring and incident response and triaging

  2. SASE implementation support

Orange Cyberdefense is supporting customer transitions in implementing SASE. The company has identified certain conditions that make SASE more useful to enterprises, including: rapid expansion in remote work, migration to cloud resources, the need to improve network performance and optimization, compliance issues, the need for a zero-trust strategy, and the desire for vendor consolidation.

As organizations scale up their SD-WAN projects, we see IT leaders combining secured Internet access and secured access to applications. There is a lot of customer interest in adopting SASE security models. These models bring cloud and network security capabilities together with WAN, firewall, data loss prevention, deep packet inspection, and cloud security tools.

Businesses are replacing legacy VPNs and traditional Internet gateways with a zero-trust solution. The popular option in this space is Zscaler SASE and its zero trust network access solution, used to overcome the challenge of mismanaged security controls.

  3. C-level cybersecurity awareness

Orange Cyberdefense demonstrated its highly interactive Cyber Experience Center for board and C-level executives aimed at creating and enhancing security awareness by showing the impact of a cyberattack on every C-level stakeholder, facilitating buy-in on why investments in cybersecurity are needed and how to deal with attacks.

The Cyber Defense Collaborative Ecosystem

Although the cyber defense sector appears fragmented and offers great expansion opportunities for leading managed security service providers such as Orange Cyberdefense, considerable effort is being made in standardization and collaboration between the active players.

The collaborative solutions include zero trust, identity and access management, and IT/OT security. The objective is to proactively protect companies from emerging cyber threats. Figure 2 illustrates the variety of such partnerships among MSSP peers.


Figure 2: MSSPs actively collaborating with ecosystem partners

In the case of Orange Cyberdefense, it is going to market together with Orange Business Services for security solutions around cloud and connectivity aimed at multinational organizations. The solutions include services covering SASE and Industry 4.0.

It has expanded its portfolio, including extending its managed SASE services platform support from Zscaler to Palo Alto, Fortinet, and Netskope. It collaborates with Okta and Thales for its Flexible Identity Authentication solution and partners with CyberArk, WALLIX, and BeyondTrust for privileged access management services. For identity life cycle management, it collaborates with SailPoint and IBM.

In its new Security Navigator 2023 report, Orange Cyberdefense reported they had adopted the industry standard VERIS (Vocabulary for Event Recording and Incident Sharing) framework for classifying their recorded incidents. Two conclusions from analyzing the new VERIS data for this past year (through September 2022) are as follows:

    • About 47% of incidents are caused by internal sources, not external ones.
    • The most targeted resources among clients are endpoints (around 30%) and servers.

Orange Cyberdefense UK shared their event with many of their business partners and suppliers in the cyber defense ecosystem. The second event was also attended by over 100 of their UK customers. The ecosystem members that actively participated in the event include Abnormal, Check Point, Cybereason, Forescout, Fortinet, Netskope, Palo Alto Networks, Splunk, Varonis, Zscaler, BeyondTrust, Cyberfusion, Veracode, and Tufin. Many of the presentations delivered by Orange Cyberdefense’s partners at the event demonstrated the high degree of cooperation that exists between the players in this sector.

Looking Forward

We expect to see significant consolidation in this fragmented market as cyber defense organizations expand their tools, capabilities, and size of teams required to meet the needs of their customers in addressing serious cyber-related threats to their business operations.

It becomes imperative for service providers to keep pace with the evolving threat landscape by investing further in threat intelligence, talent development, organization structure evolution, and, as mentioned earlier, partner network expansion to strengthen their security portfolio and support their clients.

Customers that engage with service providers should be sure that they offer cybersecurity across all the threat vectors and provide implementation and managed services for a variety of security tools and platforms. Service providers, leveraging their extensive partner ecosystem, should help customers navigate and secure their entire digital transformation journey and continue to apply necessary security procedures and controls proactively.


By Adrian Quayle, Distinguished Fellow, Avasant, and Gaurav Dewan, Research Director, Avasant