Ransomware is one of the most common types of cyber threat, targeting a business every 14 seconds and costing $11.5bn in 2019 alone. Typically, hackers that perform these attacks will breach a system to steal data and delete it if the victim does not pay a ransom fee.
However, looking to raise the stakes and earn even more money from ransomware, cyber criminals are increasingly utilising a tactic that is becoming known as double extortion, whereby they not only encrypt data and demand a ransom from the victim in order to regain access but also threaten to upload it online if their terms are not met.
The rise of double extortion ransomware goes to show that cyber criminals are constantly expanding their arsenal. Paolo Passeri, cyber intelligence principal at software firm Netskope, says these attacks have become popular because they are the simplest way for hackers to make a profit.
Passeri says: “With double extortion attacks, even if a backup is available the attackers can put more pressure on the victim to pay the ransom. The increased pressure comes from the potential serious consequences of a data leak, for example economic and reputational damage. Groups like REvil [aka Sodinokibi] are even more creative – they don’t simply leak the data, they monetise it by auctioning it on the dark web and put even more pressure on their victims.”
When conducting a double extortion ransomware attack, hackers are beginning to spend more time on the overarching strategy. Passeri warns that crooks are no longer taking an opportunistic approach but are carefully selecting their target and method of attack in order to increase the money they make from ransoms. He explains that “the threat actors select their victims, choosing organisations whose businesses can be impacted by a data leak”.
Although spear phishing is the primary means for distributing double extortion ransomware, Passeri says cyber criminals are also exploiting vulnerabilities in on-premises devices such as VPN concentrators. “Over the past months (and this is an ongoing trend), almost all of the major VPN technologies have suffered severe vulnerabilities that have been exploited for similar attacks,” he says.
“This is unfortunate given the current situation with enforced working from home where these legacy remote access technologies play a crucial role in guaranteeing business continuity during Covid-19. These systems are directly exposed to the Internet so the threat actors can scan them and subsequently exploit any discovered vulnerability.”
Jakub Kroustek, head of threat intelligence systems at Avast, agrees that double extortion ransomware provides cyber criminals with more opportunity by enabling them to extort victims twice. “They can demand an initial payment for decrypting the files and a second for not making them public,” says Kroustek.
“This technique, also known as doxing, has been used by an increasing number of ransomware groups over the past year. The consequences of doxing are more severe for the victim, so they often comply with the demands. This means more money in the pockets of the cyber criminals for financing new ransomware strains and supporting other criminal activity.”
Improvements in malware and financial incentives for hackers have led to the growth of double extortion attacks, argues Comparitech privacy advocate Paul Bischoff. He tells Computer Weekly: “In the past, ransomware encrypted files and hackers stole data, but it was rare to do both.
“Now we have bots that can scan the web for unprotected data, steal it, encrypt or delete it, and leave a ransom note for the owner all in a single automated attack. The hacker can then collect a ransom for the data and sell the data to other criminals, double-dipping with minimal effort.”
An aggressive tactic
Over the past year, there has been an influx of double extortion ransomware attacks. John Chambers, director of IT, communication, workplace, business process and application services at electronics firm Ricoh UK, says they gained traction in late 2019 when high-profile hacking groups like Maze began “aggressively” leveraging this tactic.
“In these instances, the attacker would exfiltrate a copy of the data before encrypting them,” he says. “This way, the attacker not only prevents the victim from accessing their data, but also keeps a copy of the data for themselves.
“In order to claim responsibility and pressure the victim during the negotiation process, the attacker would often release small portions of the data online. Should negotiations stall or fail, the attacker would then either publish all of the exfiltrated data or sell them to third parties creating a significant data breach to the victim.”
To defend against these attacks, there are a number of different steps that businesses should take. “As well as usual cyber security best practices including keeping systems fully up to date with patching to ensure known vulnerabilities are resolved, it is imperative that organisations have a multi-layered security approach including looking at data loss prevention tools to stop the exfiltration of data that initiates these double extortion attacks,” says Chambers.
But what can organisations do if they are unable to successfully mitigate one of these attacks? Chambers explains: “To address a ransomware outbreak, organisations should look to include a Last Line of Defence that immediately isolates and stops ongoing illegitimate encryption when traditional prevention-based security has been compromised or bypassed. Robust backup processes including off-line copies should also be factored in to make it harder for the criminals to encrypt or disable critical data stores.”
If an organisation becomes victim of a double extortion ransomware attack, there are often huge ramifications. Julian Hayes, partner at BCL Solicitors, says: “Badging themselves with dystopian names such as Maze, Netwalker and REvil, they are increasingly brazen, displaying exfiltrated data like online trophies and even sponsoring underground hacking contests to showcase their malware.
“For their victims, the consequences can be devastating; Travelex, the currency exchange service, has gone into administration with the loss of 1,300 UK jobs following a New Year’s Eve ransomware attack where a cyber gang demanded the company pay $6m in 48 hours or face publication of its customers credit card information, national insurance numbers and dates of birth.”
Clearly, it is crucial that businesses do all that they can to identify and stop these attacks before they cause major damage. “Preventing such attacks in the first place is far better than mitigating their effects, with all the financial cost and reputational damage they entail,” says Hayes.
“Most attackers gain access through human error and, along with technical measures such as internal data access management and backing-up, staff training and vigilance are key elements in an organisation’s defences.”
Victims essentially have two choices, both of which are costly, according to Hayes. Organisations either “refuse to pay and face a catastrophic data breach with exposure to painful regulatory fines and civil claims”, or they “pay the ransom without any guarantee of the data’s return”.
Dealing with double extortion ransomware
Although being impacted by ransomware can deal a devastating blow to any company, businesses should be wary when being asked to pay ransom fees. Jake Moore, a security specialist at ESET, says doing so could result in even bigger risks. “There is no certainty that these hackers won’t simply ask for more or release the data anyway,” he explains.
Instead, Moore urges businesses to secure their networks and conduct simulation tests to mitigate the threat of ransomware. “Such simulated attacks will help to highlight the vulnerabilities within an organisation without the risk of facing serious financial problems and having to answer some very difficult questions from both the ICO and your customers,” he says.
Kiri Addison, head of data science for threat intelligence and overwatch at Mimecast, says implementing strong resilience measures are the best way to prevent double extortion ransomware. “Ransomware is often a secondary infection, and threat actors are looking to exploit known vulnerabilities, particularly in relation to RDP, and servers and applications that are key to working from home,” she says.
“Critical to mitigating this is ensuring vulnerabilities are patched in a timely fashion and that network data logs are monitored to detect any unusual activity or data exfiltration. There is therefore a potential window of opportunity to remediate any primary infection and thereby stop it developing into a ransomware attack.”
Meanwhile, organisations should educate their staff on the risks of double ransomware and how it is distributed. “Individual users can also assist greatly by being aware of the potential for unsafe attachments and should also be wary of clicking any email links received in any communication, particularly with the recent resurgence of Emotet,” says Addison.
Cath Goulding, CISO of Nominet, explains that there are two defence strategies for dealing with double extortion ransomware. “Firstly, robust backups, to ensure you’re not pushed into a corner if hackers do gain control of your data. Secondly, encryption, to ensure that if an attacker is threatening to expose the data, this too is protected against,” she says.
“These approaches should then be built into a broader strategy that includes basic cyber hygiene. From close monitoring of the network that could allow you to cut attackers off before data exfiltration, through to educating employees not to fall victim to phishing attacks that are often the root cause of a ransomware incident – all will play a vital part in building your cyber posture.”
The threat of double extortion ransomware is undeniable, with cyber criminals carefully targeting and crafting these attacks in a bid to increase the size of their ransoms. Often, organisations feel like they have no choice but to pay ransom fees to prevent sensitive data from being leaked. But in reality, this is a game of Russian roulette and stolen information can still make its way online. Therefore, the focus needs to be on prevention and mitigation.