Beware of Multi-Extortion Ransomware Attacks
Posted 16 Oct at 3:26 pm in Security
A year and a half ago, ‘double extortion’ ransomware was employed by only one known cybercriminal group. Today, more than 16 active ransomware groups utilize this method, making it one of the fastest-growing threats in the cyber landscape. But what exactly is double extortion, and why has it become so widespread?
What is Double & Triple Extortion Ransomware?
Double extortion ransomware is an advanced version of traditional ransomware. In a typical ransomware attack, malicious software encrypts a victim’s files using strong encryption algorithms, such as RSA or AES, and demands a ransom for the decryption key.
After the widespread WannaCry and NotPetya attacks in 2017, many organizations improved their defenses by implementing backup solutions and disaster recovery plans. These measures enabled companies to restore their data without paying ransoms, reducing the profitability of ransomware attacks.
In response, cybercriminals developed double extortion ransomware. In this method, attackers not only encrypt files but also steal data. If the ransom isn’t paid, they threaten to leak the stolen information online, sell it to competitors, or make it available to other malicious actors. This added pressure renders traditional backup and recovery solutions insufficient, as the risk now includes data exposure alongside data loss.
Triple extortion ransomware takes this a step further by introducing a third layer of attack. Beyond encrypting files and stealing data, attackers may launch distributed denial-of-service (DDoS) attacks or target the victim’s customers, employees, or stakeholders with threats, pressuring them to pay additional ransoms. This multi-faceted approach increases the chances of extorting higher payouts by adding more risks and urgency for the victim.
With triple extortion, cybercriminals aim to extract multiple ransoms by escalating the threat landscape and making the consequences more severe.
How Does a Triple Extortion Ransomware Attack Work?
In its initial stages, a triple extortion ransomware attack follows the same basic sequence as a conventional ransomware attack, then adds the second and third extortion vectors on top of it. A typical triple extortion ransomware attack has the following steps:
- Initial access. Attackers gain entry into their victim’s network, often through phishing, malware, vulnerabilities or stolen credentials.
- Lateral movement and asset discovery. Once they have access to the network, attackers probe deeper into an environment to elevate privileges and find potentially valuable data.
- Data exfiltration. Once identified, high-value data is copied out of the network so it can be used as leverage in the double extortion stage.
- Encryption of files. Attackers encrypt the data to prevent the victim from accessing it.
- Ransom demand. With the data encrypted and exfiltrated, attackers send a ransom note to the victim demanding payment, typically in a cryptocurrency, to receive the decryption key and regain access.
- Double extortion ransom demand. If the victim organization is able to restore its data from backups — or even if it paid the first ransom — the malicious actors return for a second attack and demand a second ransom payment to prevent them from publishing or leaking the victim’s sensitive data.
- Triple extortion ransom demand. In the third attack, attackers threaten additional exploitation, such as a DDoS attack or even approaching the victim organization’s customers, employees and third parties to demand a payment.
Why Has Multi-Extortion Ransomware Become So Popular?
Double and triple extortion ransomware has gained popularity for several reasons:
- Increased Pressure on Victims: Encrypting files alone may not be enough to convince a company to pay, especially if they have reliable backups. But the threat of leaking sensitive information, like customer data, financial records, or intellectual property, adds significant pressure.
- Rising Payouts: Attackers stand to earn more from double extortion because the stakes are higher for victims. According to Coveware, a cybersecurity firm, double extortion attacks accounted for 77% of all ransomware incidents in the first half of 2023, with ransom demands increasing by 78% compared to the previous year.
- Potential for Ongoing Exploitation: Even if the victim pays the ransom, attackers may still sell the stolen data or use it for further attacks, like spear-phishing or identity theft. This makes double extortion highly lucrative for cybercriminals.
Real-World Examples of Double Extortion Attacks
Some recent high-profile double extortion cases highlight the severity of these attacks:
- Colonial Pipeline (2021): One of the most notable ransomware attacks, where the DarkSide ransomware group used double extortion tactics. They not only encrypted critical systems but also stole 100GB of data, threatening to release it unless paid. Colonial Pipeline paid the ransom, but the attack led to significant operational disruptions and sparked a national conversation about cybersecurity vulnerabilities.
- CNA Financial (2021): A major insurance company, CNA Financial, was hit by a double extortion attack. The hackers encrypted company files and stole data, leading to a ransom payment of $40 million to prevent the release of sensitive customer information.
How to Spot Multi-Extortion Attacks
Businesses and individuals need to be aware of warning signs that may indicate a double extortion ransomware attack is underway:
- Unusual Computer Behavior: If files suddenly become inaccessible, applications take longer to load, or unexplained system errors occur, these could be signs of a ransomware attack.
- Ransom Demands: Cybercriminals typically leave ransom notes on infected systems, demanding payment to unlock files and prevent data exposure.
- Unauthorized Data Leaks: If sensitive company information starts appearing on dark web forums or other suspicious platforms, it may be a sign that data has already been exfiltrated.
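The attack sequence above (exfiltration first, then encryption and a ransom note) is what makes the warning signs in this section detectable in logs. The following is an added example, not code from the original post: it triages a few constructed endpoint and network events for those signals. The event layout, host names and thresholds are assumptions, not any product's format.

```python
from collections import defaultdict
from datetime import datetime, timedelta

EXFIL_BYTES_PER_HOUR = 1_000_000_000          # assumed threshold per host per hour
RENAME_BURST, RENAME_WINDOW = 3, timedelta(seconds=60)
NOTE_HINTS = ("restore", "decrypt", "recover", "ransom")

# Constructed events: (ISO timestamp, host, kind, detail). "netout" detail is
# bytes sent to an external address; "rename"/"create" detail is the file name.
SAMPLE_EVENTS = [
    ("2024-10-16T01:00:00", "fs01", "netout", "600000000"),
    ("2024-10-16T01:20:00", "fs01", "netout", "700000000"),    # 1.3 GB in one hour
    ("2024-10-16T02:10:00", "fs01", "rename", "budget.xlsx.locked"),
    ("2024-10-16T02:10:01", "fs01", "rename", "q3.docx.locked"),
    ("2024-10-16T02:10:01", "fs01", "rename", "hr.pdf.locked"),
    ("2024-10-16T02:10:02", "fs01", "create", "HOW_TO_RESTORE.txt"),
    ("2024-10-16T02:30:00", "ws07", "rename", "notes_v2.txt"),  # benign rename
]

def detect_exfiltration(events):
    """Hosts whose outbound volume in any clock hour exceeds the threshold."""
    buckets = defaultdict(int)
    for ts, host, kind, detail in events:
        if kind == "netout":
            buckets[(host, datetime.fromisoformat(ts).replace(minute=0, second=0))] += int(detail)
    return {host for (host, _), total in buckets.items() if total > EXFIL_BYTES_PER_HOUR}

def detect_encryption(events):
    """Hosts with RENAME_BURST renames appending a new extension within RENAME_WINDOW."""
    per_host = defaultdict(list)
    for ts, host, kind, detail in events:
        if kind == "rename" and detail.count(".") >= 2:    # e.g. report.docx.locked
            per_host[host].append(datetime.fromisoformat(ts))
    flagged = set()
    for host, times in per_host.items():
        times.sort()
        if any(times[i + RENAME_BURST - 1] - times[i] <= RENAME_WINDOW
               for i in range(len(times) - RENAME_BURST + 1)):
            flagged.add(host)
    return flagged

def detect_ransom_notes(events):
    """Hosts where a newly created file name carries a ransom-note keyword."""
    return {host for _, host, kind, detail in events
            if kind == "create" and any(h in detail.lower() for h in NOTE_HINTS)}

def triage(events):
    """Map each suspicious host to its signals; exfiltration plus encryption is the
    double extortion signature, so restoring from backup does not close the incident."""
    found = {"exfiltration": detect_exfiltration(events),
             "encryption": detect_encryption(events),
             "ransom_note": detect_ransom_notes(events)}
    return {h: [n for n, s in found.items() if h in s] for h in set().union(*found.values())}
```

Running triage(SAMPLE_EVENTS) flags only fs01, with all three signals; the benign rename on ws07 never matches because it does not append a second extension.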
Preventing and Responding to Double Extortion Ransomware
While no organization is immune to cyber threats, there are several measures businesses can take to reduce their risk and mitigate the damage if an attack occurs:
- Maintain Comprehensive Backups: Regularly back up critical data to secure, isolated environments. While backups won’t protect against data leaks, they will ensure you can restore operations quickly.
- Implement Strong Endpoint Security: Utilize advanced endpoint protection, such as antivirus and antimalware software, to detect and prevent ransomware before it executes.
- Strengthen Network Defenses: Use tools like firewalls, intrusion detection systems (IDS), and endpoint detection and response (EDR) solutions to monitor and block malicious traffic.
- Educate Employees: Ransomware often enters systems through phishing emails or malicious attachments. Regular employee training on identifying phishing attempts and suspicious emails can help prevent attacks from starting in the first place.
- Keep Software Updated: Always apply security patches and updates for operating systems and applications. Many ransomware attacks exploit known vulnerabilities in outdated software.
- Engage Cybersecurity Experts: If you suspect a double extortion ransomware attack, consult with cybersecurity experts immediately. They can help contain the attack, assess the damage, and guide your organization through a proper incident response and recovery.
Double and triple extortion ransomware presents a significant and evolving threat to businesses of all sizes. As these attacks grow in sophistication, organizations must stay proactive, not only by investing in security technology but also by fostering a culture of cybersecurity awareness and preparedness.
By implementing strong defenses, maintaining regular backups, and seeking expert guidance when needed, companies can reduce their risk and minimize the potential impact of a double extortion ransomware attack.
Are you confident your IT company is doing all they should to protect your business from threats like double extortion attacks? Contact Proper Sky today to learn more about what we’re doing to keep small and medium-size businesses and nonprofits like yours safe.