Ransomware Attackers’ New Tactic: Double Extortion


Need another reason to defend against ransomware up front, rather than scrambling for an alternative to paying once you are already infected? Double extortion may be it.

So, what is double extortion, and when did it start? With this tactic, ransomware actors steal a victim’s data before their malware strain activates its encryption routine. That gives them the option of demanding two ransoms: the first in exchange for a decryption utility, the second in exchange for nothing more than the attackers’ verbal assurance that they have deleted the victim’s data from their servers. The threat of leaking stolen data also lets them pressure victims that would otherwise be able to recover on their own — even those with a robust data backup strategy.

A Look Back at Double Extortion

In November 2019, the Maze gang struck a security staffing firm. Bleeping Computer received an email from someone who claimed to be a member of the Maze Crew. It informed the computer self-help website that they had breached the security staffing firm and stolen some of their data.

“If they don’t begin sending requested money until next Friday we will begin releasing on public everything that we have downloaded from their network before running Maze[sic],” the individual explained.

The security staffing firm missed its deadline to pay. So, the Maze ransomware group published 700 MB worth of its data. The threat actors told Bleeping Computer that the leak represented about 10% of the total number of stolen files. As such, the attackers threatened to release the rest of them if the victim continued to refuse to pay.

The use of double extortion picked up from there. For its part, Maze helped some ransomware groups experiment with the tactic through its cartel, while other ransomware groups created data leak sites of their own. This led to an increase in double extortion over H1 2020. During that period, ID Ransomware received 100,001 submissions pertaining to ransomware attacks. Just over 11% of those submissions, or 11,642 of them, related to attacks that involved data theft, noted Emsisoft.

Ransomware Extortion in 2021

Ransomware actors took their efforts one step further at the end of 2020 and the start of 2021. They began using triple extortion, a technique where they singled out customers and third parties for their own ransom payments. As noted by WIRED, the first case occurred in October 2020 when a Finnish psychotherapy clinic experienced a data breach that involved a ransomware attack. Those responsible for the infection demanded a ransom from the clinic, but they also demanded smaller sums from individual patients via email.

The second instance of triple extortion occurred in February 2021. At that time, Bleeping Computer reported that the REvil/Sodinokibi ransomware gang had begun placing phone calls to the victim’s business partners and media. The purpose of those calls was to publicly embarrass the company and create even more pressure for the victim to fulfill the attackers’ ransom demand(s).

Even more layers of extortion emerged in the months that followed. For instance, in October, the FBI warned that the HelloKitty group had begun threatening to target victims’ public-facing websites with distributed denial-of-service attacks if they refused to pay the ransom or didn’t do so quickly enough. KnowBe4 reported that other ransomware actors had begun threatening to repeat the attack and delete all their victims’ data if they decided to contact law enforcement or professional negotiators following an infection.

The Side Effect: Rising Costs

All these levels of extortion are driving up ransomware costs. Specifically, they’re giving attack groups more impetus to raise their demands. The average ransom asks increased to between $50 million and $70 million in the first half of the year. Many victims end up paying a fraction of that, as they might be able to negotiate those requests down and/or rely on a cyber insurance policy to cover at least part of those costs. In either case, they legitimize ransom demands of that amount and encourage attackers to keep making them. It’s, therefore, no wonder that ransomware costs are expected to reach a collective total of $265 billion by 2031.

Focusing on Ransomware Prevention for 2022

Double, triple and all the other extortion levels discussed above have helped to elevate ransomware into a multi-faceted threat. SonicWall logged 470 million ransomware attacks through the third quarter of the year. That’s a 148% year-over-year increase. That company detected 190.4 million attacks in Q3 2021 alone, a figure which nearly overtook the 195.7 million ransomware attacks detected in the first three quarters of 2020.

Looking ahead, the firm estimated that ransomware totals would reach 714 million attack attempts by the end of December, making 2021 the most prolific year on record. These volumes explain why the U.S. federal government is working to combat ransomware by sanctioning cryptocurrency exchanges that have moved money for ransomware actors and by introducing bills that could require victims to publicly disclose ransom payments.

Even so, organizations can’t rely on the federal government alone to keep their systems and data safe. They need to focus on their own ransomware prevention strategies by prioritizing three security measures. First, they can invest in security awareness training to educate all employees and build their familiarity with how ransomware attacks unfold. Second, they can use their vulnerability management programs to prioritize and remediate the security weaknesses that malicious actors could exploit to drop ransomware onto organizations’ systems. Finally, they can encrypt their data so that, if it is stolen, it cannot be read or leaked in usable form.

The post Ransomware Attackers’ New Tactic: Double Extortion appeared first on Security Intelligence.