Back in November 2019, the Maze ransomware strain emerged as the first high-profile case of double extortion ransomware. The gang – known for its attacks on Cognizant, Canon, and Xerox in recent years – hit Allied Universal, a California-based security services company, which refused to pay the group’s ransom demand of 300 Bitcoins (approximately $2.3 million at the time).
This saw the Maze hackers increase the ransom demand by 50%, publish 10% of the data they had exfiltrated, and threaten to use data stolen from Allied Universal in a spam operation. The now-defunct ransomware group gave Allied Universal two weeks to pay up or have the remaining 90% of their stolen data exposed online.
The use of double extortion ransomware picked up from there. For its part, Maze helped other groups experiment with the tactic through its cartel, while other ransomware collectives built data leak sites of their own to put pressure on victims reluctant to pay up.
What is double extortion ransomware?
Double extortion, also known as “pay-now-or-get-breached” or “name-and-shame”, is an increasingly popular tactic among cyber criminals in which they exfiltrate a victim’s sensitive data in addition to encrypting it. This means that if the ransom isn’t paid in time, the criminals will publish the data for all to see, including potential industry competitors, giving the hackers more leverage to collect ransom payments.
According to research from CipherTrace, double extortion ransomware attacks increased by almost 500% in 2021, with the number of attacks rising almost 200% quarter over quarter. This surge in popularity can be attributed to the fact that the strategy lets financially motivated hackers turn up the heat and pressure organisations into paying extortionate fees to regain access to their data, according to Tracy Cunningham, a security expert at Check Point Software.
“This technique adds pressure, with cyber extortionists threatening to publish victims’ data; affected organisations face the risk of having sensitive information exposed in the open. Not only does proprietary information – such as intellectual property – run the risk of being leaked, many of these organisations likely also hold data related to their clients or customers,” she tells IT Pro. “Exposing such data also constitutes a violation of privacy regulations and subjects victims to financial penalties imposed by regulatory bodies, such as under GDPR.”
This added pressure means, ultimately, that threat actors see a higher success rate than with traditional attack methods.
“Ransomware actors are turning to double extortion attacks because it increases their chances of getting paid,” Matthew Stephen, chief architect at Mitiga, tells IT Pro. “In the past, many businesses could rely on backups to get back to business quickly if they were attacked. Today, attackers not only encrypt the data but also exfiltrate it. Even if an organisation has good backups available, the threat of leaking the data motivates many organisations to pay the ransom to protect customer data and other sensitive information.”
What are the challenges of double extortion ransomware?
Being hit by double extortion ransomware is bad news for businesses of all shapes and sizes, but the leak of sensitive data and potential financial penalties are not the only consequences. As Claire Tills, senior research engineer at Tenable, tells IT Pro, hackers – such as the LAPSUS$ group – often turn to this technique in a bid to throw more of a spotlight onto the incident.
“Double extortion represents significant knock-on effects,” Tills says. “The double extortion tactic is generally used to bring outside attention and pressure to an incident. While an organisation is trying to get backups online and restore services, it will also have to field reputational and customer service incidents. Threat actors are banking on these pressures coercing organisations to pay.”
Reputational damage is another possible consequence of becoming a victim of a double extortion ransomware attack, both as a result of the exposure of sensitive data on a name-and-shame leak site and as a result of regulatory fines if it’s revealed that the company failed to properly safeguard customer data.
Jen Ellis, vice president of Community and Public Affairs at Rapid7, tells IT Pro: “For example, if stolen data reveals a lack of proper privacy controls, leaking the data could create significant reputational impact and loss of trust, and could also result in regulatory action or legal liability. As such, victims of attack may be more likely to pay to avoid leaks, when they would have refused to pay for being locked out of their systems. If possible, however, an attacker will push for a payment for both.”
Guido Grillenmeier, chief technologist at Semperis, adds: “Likewise, if a business’s infrastructure is fully encrypted, most struggle to get back on their feet quickly – this typically has a direct impact on customer satisfaction. Those businesses who are not properly prepared to rapidly recover their environment from scratch will struggle with the decision to pay a ransom for the decryption key that may ensure a faster return to business.”
How to safeguard against double extortion ransomware
Unfortunately, there is no single magic-bullet defence against double extortion ransomware. This means that, in order to deal with double extortion attacks, organisations need to make sure they are equipped with knowledge of the latest techniques used by cyber criminals.
“With over 95% of attacks arriving via email, organisations need to continuously ensure that staff are educated in the threats of phishing attacks and online scams,” Camilla Currin, channel manager at Trend Micro, tells IT Pro. “The flexibility of work-from-home (WFH) continues to be a real challenge with the use of home devices and networks with varying degrees of security. WFH best practices need to be in line with company policies to minimise the risks that come with remote working setups.
“From an overall organisational security point of view, doing regular vulnerability assessments, conducting patching or virtual patching on operating systems and applications, as well as updating software and applications to the latest versions, are a few ways in which organisations can protect themselves.”
This advice is echoed by Cunningham, who says businesses need to make sure they have robust security protocols in place across the whole organisation.
“To protect themselves, IT teams should be vigilant for any signs of a Trojan on their networks, regularly update their antivirus software, proactively patch relevant remote desktop protocol (RDP) vulnerabilities and use two-factor authentication (2FA) to protect their RDP servers. In addition, organisations should also deploy dedicated anti-ransomware solutions that continuously monitor for ransomware-specific behaviours and identify illegitimate file encryption, so that an infection can be prevented and quarantined before it takes hold.
“With these protections in place, organisations can be better prepared for when they are attacked, as in today’s climate it is a matter of when, not if.”
Some parts of this article are sourced from:
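The behaviour-based monitoring Cunningham describes (spotting illegitimate file encryption before it takes hold) and the exfiltrate-then-encrypt ordering Stephen describes can both be expressed as detection logic. What follows is an added example written for this page, not code from Check Point, Trend Micro, Mitiga or any other vendor quoted here. It runs over constructed endpoint telemetry (file writes carrying a content sample, outbound connections carrying a byte count) and uses illustrative thresholds (7.0 bits/byte entropy, five ciphertext-like rewrites within 60 seconds, 500 MB to a single host) that are assumptions to be tuned for a real environment; the process names, paths and the 203.0.113.7 / 198.51.100.2 addresses are likewise invented sample values.

```python
"""Heuristic detection of the 'steal first, then encrypt' sequence on sample
endpoint telemetry. Added example, not code from Check Point, Trend Micro or
any vendor quoted in the article. Assumptions: telemetry arrives as the dicts
built below; thresholds are illustrative and would be tuned per environment."""
import hashlib
import math
from collections import defaultdict

ENTROPY_THRESHOLD = 7.0     # bits/byte; ordinary documents sit well below this
BURST_FILES = 5             # high-entropy rewrites by one process within WINDOW
WINDOW_SECONDS = 60
EXFIL_BYTES = 500_000_000   # outbound volume to one external host worth a look


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 8.0 for uniform random data, roughly 4-5 for English text."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def _high_entropy_writes(events):
    """{proc: sorted timestamps of writes whose content looks like ciphertext}."""
    out = defaultdict(list)
    for e in events:
        if e["type"] == "write" and shannon_entropy(e["data"]) >= ENTROPY_THRESHOLD:
            out[e["proc"]].append(e["t"])
    return {p: sorted(ts) for p, ts in out.items()}


def detect_encryption_burst(events):
    """Flag processes that rewrite BURST_FILES or more files with ciphertext-like
    content inside any WINDOW_SECONDS span. Returns {proc: total such writes}.
    A single high-entropy write (a compressed backup, say) is not enough."""
    flagged = {}
    for proc, times in _high_entropy_writes(events).items():
        for i in range(len(times)):
            j = i
            while j < len(times) and times[j] - times[i] <= WINDOW_SECONDS:
                j += 1
            if j - i >= BURST_FILES:
                flagged[proc] = len(times)
                break
    return flagged


def detect_exfiltration(events):
    """Sum outbound bytes per (process, destination); return pairs over EXFIL_BYTES."""
    totals = defaultdict(int)
    for e in events:
        if e["type"] == "net_out":
            totals[(e["proc"], e["dest"])] += e["bytes"]
    return {k: v for k, v in totals.items() if v >= EXFIL_BYTES}


def double_extortion_alerts(events):
    """Correlate the two signals: a large outbound transfer that finishes before
    an encryption burst starts is the double-extortion ordering described above."""
    bursts = _high_entropy_writes(events)
    alerts = []
    for (proc, dest), total in detect_exfiltration(events).items():
        last_out = max(e["t"] for e in events
                       if e["type"] == "net_out" and (e["proc"], e["dest"]) == (proc, dest))
        for enc_proc in detect_encryption_burst(events):
            first_enc = bursts[enc_proc][0]
            if last_out <= first_enc:
                alerts.append({"exfil_proc": proc, "dest": dest, "bytes": total,
                               "encrypt_proc": enc_proc,
                               "gap_seconds": first_enc - last_out})
    return alerts


def _pseudo_random(n, seed=b"sample"):
    """Deterministic ciphertext stand-in: chained SHA-256 output (constructed)."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


# Constructed telemetry: one normal document save, a 700 MB upload split across
# two connections, a small legitimate mail upload, one legitimate compressed
# backup write, then six ciphertext-like rewrites within five seconds.
# 203.0.113.7 and 198.51.100.2 are documentation-range addresses.
PLAINTEXT = b"Quarterly report: revenue up 4%, costs flat. " * 90
CIPHER_LIKE = _pseudo_random(4096)
SAMPLE_EVENTS = [
    {"t": 0, "proc": "word.exe", "type": "write", "path": "q1.docx", "data": PLAINTEXT},
    {"t": 100, "proc": "sync_tool", "type": "net_out", "dest": "203.0.113.7", "bytes": 300_000_000},
    {"t": 160, "proc": "sync_tool", "type": "net_out", "dest": "203.0.113.7", "bytes": 400_000_000},
    {"t": 200, "proc": "outlook.exe", "type": "net_out", "dest": "198.51.100.2", "bytes": 2_000_000},
    {"t": 300, "proc": "backup_agent", "type": "write", "path": "full.bak.gz", "data": CIPHER_LIKE},
] + [
    {"t": 500 + i, "proc": "unknown.exe", "type": "write",
     "path": f"doc{i}.docx.locked", "data": CIPHER_LIKE}
    for i in range(6)
]

if __name__ == "__main__":
    print("encryption bursts:", detect_encryption_burst(SAMPLE_EVENTS))
    print("exfiltration:", detect_exfiltration(SAMPLE_EVENTS))
    for a in double_extortion_alerts(SAMPLE_EVENTS):
        print("ALERT double-extortion pattern:", a)
```

Entropy alone is a noisy signal, since compressed archives and media files also look like ciphertext; that is why the example only fires on a burst of such writes from one process and treats the single `backup_agent` write as benign. Correlating the burst with a preceding large outbound transfer is what distinguishes the double extortion pattern from plain encryption, and in practice this logic would sit alongside canary files, tested offline backups and the RDP patching and 2FA controls mentioned above rather than replace them.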