Double Extortion – Where We Are Now
In 2019, the Maze ransomware organization was the first to use double extortion assaults. Since then, a growing number of ransomware gangs have embraced this tactic. Research published in 2021 by Group-IB says that the number of firms that have had their data exposed on a data breach site has increased by 935%, demonstrating that these dangers are not unfounded.
Today, over 16 different ransomware gangs are actively using this strategy to coerce victims. Researchers believe that the ransomware-as-a-service (RaaS) affiliate market is to blame for the explosive growth of the ransomware industry.
With “double extortion” becoming one of the most popular tactics cyber criminals utilize to get their victims to pay, what steps is your business taking?
Why Has Double Extortion Become So Popular?
In the practice known as “double extortion,” ransomware gangs not only steal the data belonging to a firm but also threaten to make the stolen material public to increase the pressure placed on the company to pay a ransom.
The conventional picture of ransomware is malware that quietly encrypts data within a short window, using public-key (RSA) encryption so the victim cannot recover the key, and then threatens to destroy the data if the victim does not pay the demanded ransom.
On the other hand, in the wake of the catastrophic WannaCry and NotPetya ransomware attacks in 2017, businesses strengthened their cyber defenses. There was a greater focus on backups and restoration procedures so that even if files were lost, businesses would still have copies of their data and could retrieve it without difficulty.
In response, these online criminals adapted their tactics. Groups like REvil (aka Sodinokibi) now monetize stolen data by auctioning it on the dark web to put additional pressure on their victims. Rather than simply encrypting files, double-extortion ransomware first exfiltrates the contents and only then encrypts them. This means the information may be released online or sold to the highest bidder if the organization refuses to pay the ransom. Backups and data recovery procedures restore the files, but they no longer remove the attacker's leverage.
A Double Extortion Incident
The DFIR team at CYREBRO was called in to investigate an event in which an external attacker obtained an internal user's login credentials for a hospital network. The attacker captured the credentials through a weakness in that user's email setup, which let the attacker pose as a legitimate user.
The attacker connected to the organization’s VPN using the compromised credentials and was able to escalate their privileges and compromise the heart of the organization, the domain controller. From there, the malicious actor was able to steal database files and other confidential and proprietary information of the organization.
Following the database dump, the attacker used ransomware to encrypt data on the servers and demanded that the firm pay $1.2M. Using double extortion, the attacker hoped that the threat of releasing the hospital's PHI (protected health information) would pressure the organization into paying the ransom.
Restoring the systems to their pre-encryption state was not an option, because the attacker had also reached and encrypted the backup servers. Through the EDR and other security tools the company had deployed, the CYREBRO team was able to collect evidence and identify all suspicious activity, which allowed the incident to be contained and the network to be cleaned. The client chose not to pay the ransom and instead to wipe and rebuild the network. CYREBRO's fast reaction and experienced IR team prevented much of the exfiltration the attacker had planned to leak, and only a small portion of the data was exposed.
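The incident above follows a recognizable sequence: VPN logon with stolen credentials, privileged logon on the domain controller, bulk data leaving the network, and finally writes to backup targets. The following is an added example (not CYREBRO's tooling or code from this post) that correlates constructed log events into that chain per user, so the exfiltration stage is flagged before the encryption stage lands; the event schema, field names, thresholds and sample events are all assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Stages of the chain described in the incident, in order. Each entry is
# (stage name, event type, predicate over the event's fields). Schema is constructed.
STAGES = [
    ("vpn_logon_new_source", "vpn_logon", lambda e: e.get("new_source", False)),
    ("privileged_logon_dc", "logon",
     lambda e: e.get("host_role") == "domain_controller" and e.get("privileged", False)),
    ("bulk_outbound", "net_flow", lambda e: e.get("bytes_out", 0) >= 1_000_000_000),
    ("backup_target_write", "file_write", lambda e: e.get("host_role") == "backup_server"),
]

def chain_alerts(events, window=timedelta(hours=48)):
    """Per user, list the chain stages observed within `window` of the first VPN
    logon from a source that user has never used before (the initial access)."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user[e["user"]].append(e)
    alerts = {}
    for user, evs in by_user.items():
        start = next((e["ts"] for e in evs
                      if e["type"] == "vpn_logon" and e.get("new_source")), None)
        if start is None:
            continue  # no suspicious initial access for this user
        seen = []
        for e in evs:
            if not (start <= e["ts"] <= start + window):
                continue
            for name, etype, pred in STAGES:
                if e["type"] == etype and pred(e) and name not in seen:
                    seen.append(name)
        alerts[user] = seen
    return alerts

def severity(stages):
    """Bulk outbound transfer inside a privileged chain is the double-extortion
    signature: data is taken first so a leak threat survives a clean restore."""
    if "bulk_outbound" in stages and len(stages) >= 3:
        return "critical"
    return {0: "info", 1: "medium", 2: "high"}.get(len(stages), "high")

T0 = datetime(2022, 6, 1, 22, 15)  # constructed timestamp
SAMPLE_EVENTS = [  # constructed log events, not taken from the incident
    {"ts": T0, "user": "jdoe", "type": "vpn_logon", "new_source": True},
    {"ts": T0 + timedelta(hours=2), "user": "jdoe", "type": "logon",
     "host_role": "domain_controller", "privileged": True},
    {"ts": T0 + timedelta(hours=9), "user": "jdoe", "type": "net_flow", "bytes_out": 4_000_000_000},
    {"ts": T0 + timedelta(hours=20), "user": "jdoe", "type": "file_write", "host_role": "backup_server"},
    {"ts": T0, "user": "asmith", "type": "vpn_logon", "new_source": False},
    {"ts": T0 + timedelta(hours=1), "user": "asmith", "type": "logon",
     "host_role": "workstation", "privileged": False},
]

if __name__ == "__main__":
    for user, stages in chain_alerts(SAMPLE_EVENTS).items():
        print(user, severity(stages), stages)
```

In a real SOC pipeline the predicates would be fed from VPN, domain controller, NetFlow and backup-server logs; the point is that the third stage is reached hours before the fourth, which is the window in which containment still prevents the leak.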
The Popularity and Effectiveness of Double Extortion
In a recent research study, "The State of Ransomware for 2022," over 5,000 IT experts and industry leaders from small, medium, and large enterprises were polled about ransomware. Of those respondents, over 900 shared specifics about ransom payments they had made.
The poll results showed that ransomware affected 66% of firms, an increase from the 37% affected in 2020. In addition, the amount paid in ransom has also increased, partly because of the growth in the number of victims and the usage of double extortion as an effective tactic. Further, double extortion tactics have become a standard practice in business ransomware campaigns.
Recent High-Profile Cases Involving Double Extortion
In May of 2021, the DarkSide ransomware gang compromised the computer systems of the North American branch of the chemicals wholesaler Brenntag, which resulted in the loss of around 150 gigabytes worth of corporate data.
According to reports, the hackers requested a ransom payment of $7.5 million, but the chemicals firm was able to bargain this amount down to $4.4 million, which it allegedly paid to DarkSide on May 14 to avoid the hacked data from being made public.
Another prominent double extortion example is the computer manufacturer Acer. The hacking organization REvil, also responsible for an attack on the London-based foreign exchange company Travelex, launched an attack on Acer in May of 2021. The ransom demand of $50 million was by far the highest ever recorded. The attackers used a Microsoft Exchange server flaw to access Acer's data and released images of sensitive financial documents and spreadsheets.
Exposed Data Even After Payment
As evident in the Acer incident and many other organizations, even businesses that have paid the demanded ransom to secure their data have seen it become public.
The Russian ransomware-as-a-service group known as the Conti Ransomware Gang is one actor whose reputation for reliability is steadily worsening. It has provided fraudulent proof that stolen files were deleted and has published leaked data on its site, Conti News, despite having received the ransom from the victim.
This is one of the reasons why they are gaining such a nefarious reputation. This also hurts ransomware as a business model for malicious organizations; if firms can’t ensure that their data will not be released, what is the point of paying the ransom? Although ransomware itself is an illegal endeavor, it was and is still considered a lucrative business based on the foundation of trust between the compromised organization and the malicious attacker. If this trust is no longer viable, the business model essentially breaks down.
How to Protect Your Organization From Double and Triple Extortion
Much like double extortion, triple extortion ransomware attacks are also on the rise. As ransomware payments soar, criminals launch follow-up assaults to get more money. In triple extortion, attackers demand money from the compromised firm and anyone harmed by the data breach.
Any standard ransomware attack, including a double extortion ransomware assault, will use the same tactics to obtain access to your network as described above. Essential actions that may be taken to prevent initial access include providing personnel with security awareness training, implementing password restrictions and multi-factor authentication, routinely patching known vulnerabilities, and protecting RDP ports and VPNs. Purchasing a ransomware detection system and a web application firewall is yet another choice you may want to consider.
Ensure All Data is Encrypted and Backed Up
If an attacker breaches your network defenses, a recent backup stored offline may protect you from the first stage of a ransomware attack, the encryption of your files, by letting you recover them without paying. Encrypting your data at rest is another defense against double extortion: if the data is stolen for a leak, it is unreadable to the ransomware group, provided the encryption keys are stored separately and are not taken along with it.
In sum, prevention can mitigate the risk associated with ransomware attacks, especially double and triple extortion attacks. And so, it’s essential to establish a thorough ransomware resilience strategy that covers all aspects of protection, including prevention, preparedness, and reaction in the case of an attack.