Double extortion ransomware attacks are on the rise. According to CipherTrac these types of attacks increased by 500% last year with payments to ransomware groups reaching $590m in the first six months.
These insidious attacks use the same concept as a ransomware attack but worse. Once the hacker has gained access to the organization’s IT network, they infiltrate the data and encrypt the system. They think of this as their own backup policy. If, for example, an organization has a good immutable backup and can recover its systems without paying the ransom, then the attackers can change tack and threaten to publicly leak all the data they have already exfiltrated, which could lead to fines and prosecution from customers, if they don’t receive payment.
However, even if the victim does decide to pay to retrieve its decryption key, cyber gangs can still use the data as leverage, threatening to leak the information in return for a second ransom payment. And some criminals don’t stop there. They then sell the intelligence and data they now hold on the company onto other cyber gangs – a triple extortion ransomware attack – increasing the chances of the company being hit once again and the entire ransom
cycle starting once more. Any organizations that paid up are also flagged as a soft target. A bit like a credit scoring, cyber gangs rate the ‘good payers.’
The lesser of two evils
Paying ransoms just perpetuates the cycle of cyber-attacks. If no one paid, then there would be no funds to fuel the criminal gangs.
It’s not that straightforward though when a business is faced with the choice of either meeting the ransom demand or potentially facing ruin. Criminals know the threat they pose. They know that often organizations will do anything to release themselves from the grip of these gangs so they can be up and running again – it’s a lesser of the two evils.
However, the decision to comply with the criminals can often be taken out of an organization’s hands by insurance companies. They suddenly become back seat passengers in the ransom process. I’ve worked on cases where legal teams of the victim organization have stated that if the attack is deemed to originate from Russia, then to pay would be a breach of UK sanctions.
Companies shouldn’t engage with threat actors until they’ve had clarity from their insurance company. Policies can stipulate many things from the maximum amount the insurers will pay out to the requirement for the insurers or underwriters to carry out an initial assessment before doing anything further. We’ve seen the damage these attacks have had on businesses for example, following a major ransomware attack nearly eight months on Gloucester City Council, the Council is still rebuilding its IT system.
After an attack, most businesses will be busy trying to recover data from their encrypted systems whilst struggling to identify what files or data may or may not have been removed. There’s a risk that the attacker could just be pretending to have your files, but in the majority of cases, they will have identified the most sensitive areas and exfiltrated the files before encrypting them.
Protect against double extortion ransomware
Unfortunately, without adequate cyber defence systems in place, proper governance and control, and adequate employee cyber awareness training, double extortion ransomware attacks are an easy way for hackers to wreak the most devastation possible. It just needs a user to click on the link or to fall foul to a phishing email, and there are network vulnerabilities constantly emerging for criminals to penetrate.
According to the US National Security Chief, 80% of cyber-attacks could be stopped if Multi-Factor Authentication (MFA) was enabled and enforced. The Cyber Essentials certification scheme equally requires organizations to have Two Factor Authentication and MFA, for networks to be patched every seven-to-14-day cycles, and for UK businesses to prevent anyone outside of the UK from accessing their network. By blocking all non-UK IP addresses limits the organization’s exposure to foreign attacks.
However, nothing is ever 100% secure. A large part of minimizing risk and the impact from an attack is to ensure you’ve identified the many ways a system can be compromised and what’s your company’s incidence response plan in the event of an attack.
Many large enterprises will have a plan in place, with key steps to implement upon a breach from first stage communications to how the internal team can work together to remediate the attack as quickly as possible. How will they recover, backup and encrypt data, for example? The speed at which you can react to a breach will be critical to minimizing the damage of an attack.
In the event of a breach, ensure you can gain swift access to a battle box containing all critical business information such as these incident response plans, cyber insurance documents, critical telephone numbers etc. Store these
separately from the corporate network such as on Google or another provider so it can’t be compromised. The same goes for ensuring that you have a good backup system in place located away from the main corporate network so hackers can’t move laterally across your systems. I’ve seen incidents where organizations have told the attackers that they can’t afford to pay the demands, by which the attackers responded by sending the organization their own cyber insurance policy, demonstrating why organizations should store such data externally.
For businesses that may not want the additional cost of storing their battle box remotely, the alternative is to have a printout stored securely in a safe, but this means ensuring to keep it updated and reprinted which can easily be forgotten.
Double extortion ransomware attacks will only get more sophisticated and common as organizations fall privy to the antics of cyber criminals and their demands. The way to stop them in their tracks is to be prepared and that means people, processes and technology.