Threat actors are increasingly trying to grind business to a halt
Cybercriminals intentionally disrupted operations at a growing rate last year, Palo Alto Networks’ threat intelligence firm Unit 42 said in an annual incident response report released Tuesday.
Of the nearly 500 major cyberattacks Unit 42 responded to last year, 86% involved business disruption, including operational downtime, fraud-related losses, increased operating costs and negative reputational impacts.
Unit 42 called this trend the “third wave of extortion attacks,” another point of potential leverage for threat groups to impose on targets in addition to encryption and data theft.
These disruptive attacks stand out for the pain, impact and broader ripple effects they inflict on society and the economy at large, said Sam Rubin, senior vice president of consulting and threat intelligence at Unit 42.
“This is what organizations need to be worried about from a threat perspective and from a defensive strategy standpoint,” Rubin said.
Encryption remains the most common tactic used in extortion attacks, which Unit 42 observed in 92% of attacks last year, followed by data theft in 60% of all cases. Yet, cybercriminals are demonstrating adaptability by intensifying attacks through operational disruptions, adding to the impact of data theft and encryption.
“It’s often building on each other, but ultimately it’s how to get to that end game of getting paid,” Rubin said.
Unit 42 observed attackers visibly disrupting organizations by removing systems, destroying data and harassing customers and partners, which allows them to gain leverage in rather significant ways. For example, in an attack on a large IT services firm, the threat group’s persistence and proven ability to continue deleting additional systems compounded financial losses, Rubin said.
The CEO of the IT services firm was so determined to end the hardship, they instructed advisers to pay the large ransom demand without further negotiations. Unit 42 helped the organization lower the payment, but “that’s the urgency that they felt to just move on and get past this, because there’s just continuing pain and infliction of different tactics to take down parts of their environment,” Rubin said.
Unit 42 observed threat groups using disruptive tactics against critical infrastructure organizations in sectors like health care, hospitality and manufacturing, often extorting them for higher ransoms.
The median initial extortion demand jumped almost 80% year over year to $1.25 million in 2024, about 2% of the victim organization’s perceived annual revenue, Unit 42’s research found. The company said it negotiated a median percentage reduction of more than 50% from initial ransom demands, with the median ransom payment coming in at $267,500 last year.
