Escalating Prevalence of Double Extortion Ransomware Attacks
In the ever-evolving landscape of cyber threats, a new tactic has emerged as a significant concern for businesses worldwide: double extortion ransomware. Also known as "pay-now-or-get-breached" or "name-and-shame", this method involves cyber criminals not only encrypting a victim's data but also exfiltrating it first, putting organisations under immense pressure to pay extortionate fees both to regain access to their data and to keep it from being published.
The surge in popularity of double extortion ransomware can be attributed to its financial appeal for financially motivated hackers. By threatening to expose sensitive data, they can crank up the heat and pressure organisations into paying hefty ransoms. This was evident in the case of Allied Universal, a California-based security services firm, which refused to pay the Maze group's ransom demand of 300 Bitcoins (approximately $2.3 million at the time). The Maze hackers retaliated by publishing a portion of the stolen data online and threatened to use it in a spam operation.
The implications of a double extortion ransomware attack extend beyond the loss of access to data. Exposure of sensitive data can lead to financial penalties from regulators under data protection laws such as the GDPR. Moreover, reputational damage can result from a double extortion ransomware attack due to the exposure of sensitive information on a name-and-shame leak site.
To protect against double extortion ransomware attacks in 2022, organisations need a multi-layered strategy that addresses both ransomware encryption and data exfiltration threats. Key protection measures include comprehensive email and endpoint protection, strong authentication and password management, immutable, offsite backups, data loss prevention (DLP) and leak detection, attack surface management, incident response readiness, system hardening, and patch management.
Email filtering and authentication are crucial in preventing initial attack vectors, such as phishing scams. Regular updates to firewalls, malware detection tools, and employee education on spotting phishing scams are essential. Two-factor authentication (2FA) and single sign-on (SSO) for secure access management can also reduce risks from stolen credentials.
Maintaining backup copies that ransomware cannot easily alter or delete and regularly testing restore procedures are vital. However, backups alone are not sufficient because attackers also steal data before encrypting it. DLP tools can detect data exfiltration, and monitoring dark web forums, marketplaces, and leak sites can identify stolen data circulating online. Credential leak monitoring can alert organisations if stolen login details appear on the dark web.
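The leak-detection idea above (spotting data leaving the network before the encryption stage) is easy to state and harder to operationalise. The following is an added example, not code from the original article or from any named product: a small detector that learns each user's normal daily outbound volume from a baseline period of log lines and then flags days where a user uploads far more than usual, or uploads to a destination never seen for that user before. The log format, field names, the factor-of-ten threshold and the sample lines are all constructed for illustration.

```python
"""Minimal outbound-volume exfiltration detector (added example).

Models one piece of the DLP / leak-detection layer the article recommends:
a per-user baseline of daily outbound bytes, with alerts on days that exceed
the baseline by a large factor or that introduce a never-before-seen
destination. Log format and thresholds are assumptions, not a real product.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import median

# Constructed sample log lines: "<date> <user> <dest_host> <bytes_out>".
# The last line is the anomaly: a 9.4 GB upload to a new external host.
SAMPLE_LOGS = """\
2022-03-01 alice mail.example.com 2400000
2022-03-01 bob files.example.com 5100000
2022-03-02 alice mail.example.com 2600000
2022-03-02 bob files.example.com 4800000
2022-03-03 alice mail.example.com 2500000
2022-03-03 bob files.example.com 5000000
2022-03-04 alice mail.example.com 2700000
2022-03-04 bob files.example.com 4900000
2022-03-05 alice mail.example.com 2300000
2022-03-05 bob share.example.net 9400000000
"""

BASELINE_DAYS = {"2022-03-01", "2022-03-02", "2022-03-03", "2022-03-04"}


@dataclass(frozen=True)
class Event:
    day: str
    user: str
    dest: str
    bytes_out: int


def parse_logs(text):
    """Parse the constructed log format, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[3].isdigit():
            continue
        day, user, dest, nbytes = parts
        events.append(Event(day, user, dest, int(nbytes)))
    return events


def detect_exfiltration(events, baseline_days, factor=10.0):
    """Return alerts as (user, day, reason, detail) tuples.

    reason is "volume" when a user's daily outbound total exceeds
    factor * that user's median daily total over the baseline days,
    and "new_destination" when the user sends data to a host not seen
    for them during the baseline period.
    """
    daily = defaultdict(int)            # (user, day) -> total bytes
    baseline_totals = defaultdict(list)  # user -> [daily totals in baseline]
    known_dests = defaultdict(set)       # user -> hosts seen in baseline
    for e in events:
        daily[(e.user, e.day)] += e.bytes_out
        if e.day in baseline_days:
            known_dests[e.user].add(e.dest)
    for (user, day), total in daily.items():
        if day in baseline_days:
            baseline_totals[user].append(total)
    baseline = {u: median(t) for u, t in baseline_totals.items()}

    alerts = []
    for (user, day), total in sorted(daily.items()):
        if day in baseline_days or user not in baseline:
            continue  # no baseline to compare against
        if total > factor * baseline[user]:
            alerts.append((user, day, "volume",
                           f"{total} bytes vs baseline {baseline[user]:.0f}"))
    for e in events:
        if e.day in baseline_days or e.user not in known_dests:
            continue
        if e.dest not in known_dests[e.user]:
            alerts.append((e.user, e.day, "new_destination", e.dest))
    return alerts


if __name__ == "__main__":
    for alert in detect_exfiltration(parse_logs(SAMPLE_LOGS), BASELINE_DAYS):
        print(alert)
```

In production the baseline would be learned over weeks rather than four days and the volume threshold tuned per role; the point of the example is that both signals (volume spike and unfamiliar destination) can be derived from outbound logs most organisations already collect, and both fire on the pre-encryption exfiltration stage that backups alone cannot address.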
Attack surface management involves continuously scanning for exposed services, misconfigured systems, and shadow IT assets vulnerable to exploitation, reducing attack vectors. Incident response readiness includes preparedness for immediate detection, containment, and remediation of ransomware incidents, including network segmentation to limit spread and protocols for disconnecting infected devices.
System hardening and patch management involve keeping operating systems, applications, and antivirus software fully updated to close security gaps exploited by ransomware. Regular vulnerability assessments, patching or virtual patching on operating systems and applications, and updating software and applications to the latest versions can help organisations protect themselves from double extortion ransomware.
IT teams should also be vigilant for any signs of a Trojan on their networks, regularly update their antivirus software, proactively patch relevant remote desktop protocol (RDP) vulnerabilities, and utilise two-factor authentication (2FA) to protect their RDP servers.
According to research from CipherTrace, double extortion ransomware attacks increased by almost 500% in 2021, with the number of attacks rising nearly 200% quarter over quarter. Over 95% of double extortion ransomware attacks occur via email, emphasising the importance of employee education in the risks of phishing attacks and online scams.
In summary, defending against double extortion ransomware in 2022 requires blending strong preventive controls (such as email filtering and authentication), continuous monitoring of data leaks and credentials, secured and immutable backups, and rapid, practiced incident response capabilities. As the threat landscape continues to evolve, organisations must stay vigilant and adapt their strategies to protect themselves effectively.
- To mitigate the risk of data exfiltration in the context of double extortion ransomware attacks, it is crucial for organisations to employ data loss prevention (DLP) and leak detection tools in addition to maintaining backup copies.
- Changes in infrastructure, such as cloud computing and remote work, have significantly increased the attack surface available to cyber criminals, making cybersecurity more important than ever.
- As the use of double extortion ransomware continues to proliferate, it is paramount for IT teams to adopt a multi-layered strategy that addresses not only ransomware encryption but also data exfiltration, with measures such as DLP, leak detection, and incident response readiness.