Repeat victimisation: the threat of double extortion ransomware attacks


Ransomware has already proven itself to be a highly lucrative weapon in the cybercriminal arsenal. According to Emsisoft, ransomware incidents in 2019 may have had a combined cost of more than $7.5 billion (£5.65 billion), and that figure covers US-based incidents only.

As cybersecurity professionals and the public at large have come to understand, cybercrime is now a huge business, with organised threat groups sharing resources and techniques to boost profitability. Despite ransomware's stellar ROI, cybercriminal groups have recently decided there is more to be made from this type of malware and have switched tactics, employing a new double extortion model.

Double trouble

Over the last 12 months or so, double extortion attacks have picked up pace and made headlines, with the operators of Maze ransomware leading the way in using them. In the double extortion model, attackers not only encrypt data and demand a ransom to restore access, but also threaten to publish exfiltrated data online if their terms are not met.

This has proven successful for a number of reasons. Firstly, businesses are already acutely aware of ransomware. The operational downtime that ransomware forces on a company is of course damaging and rather hard to hide, leading to negative media attention. Even when a ransomware-afflicted business eventually rids itself of the ransomware through the efforts of security professionals, a public perception may persist (even if mistaken) that the company paid the ransom, leading to further negative sentiment.

Clearly, ransomware groups like the organisation behind Maze have realised that the damage caused by ransomware extends far beyond the locking of systems. After all, even the knowledge that an attacker is inside the network, and the threat of an encrypt button being pressed, is enough to make some companies pay out.

Ransomware groups are also diversifying their approach by taking copies of data before performing the encryption. This gives them a number of options, each of which has been seen played out in the wild.

Firstly, it proves to the victim and/or the wider world that they really have breached the organisation. It also adds a second layer of extortion: pay, or we will leak the data. What is particularly threatening about this approach is that, even if a company decides to restore from backup rather than pay up, that data is still valuable to the attackers, and the threat of leakage is not diminished. In cases where a company does pay the ransom, the cybercriminals can offer only worthless assurances that they have deleted their copy of the data. That data may end up leaked later on, or used again to lever yet another payout.

Clearly, these are unscrupulous criminals seeking to exploit any opportunity they have for financial gain. The Maze gang, when referring to the attack on LG's network earlier in the year, presented a veneer of ethicality to their actions, claiming they did not execute the ransomware because LG's clients are "socially significant and we don't want to create disruption for their operations." Instead, they leaked over 50GB of stolen data.

Doubling down on security

Fortunately for would-be victims, there are a number of ways in which ransomware attacks can be prevented, or at least mitigated. In many cases, the intruders have been inside the network for what may be an extended period of time before initiating the actual malware attack, and a critical goal of any cybersecurity programme is minimising the time intruders remain undetected in the corporate network.

Minimising the time attackers spend inside the company network depends on being informed about the process by which ransomware attacks are executed. There are five distinct stages that define a ransomware attack, and by being familiar with each phase, and its indicators of compromise (IOCs), security teams can respond quickly to an intrusion. This allows companies to limit, or even entirely prevent, threat actors from accessing data that could then lead to a double extortion ransomware attack.

The five phases of a ransomware attack are:

  1. Exploitation and infection
  2. Delivery and execution
  3. Backup spoliation
  4. File encryption
  5. User notification and clean-up

To meet this threat, there are also five phases of defence against ransomware: preparation, detection, containment, eradication and recovery. Large-scale outbreaks result from inadequate containment; the affected host should be immediately blocked and isolated from the network, which prevents further data on the network from being encrypted.

An organisation's ability to recognise IOCs pointing to the five phases of attack, and then to employ the five phases of defence, rests on effective monitoring of company networks. It is vital that companies recognise the stark nature of the ransomware threat and acquire the necessary technology and security teams to ensure this comprehensive monitoring.
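As an added illustration of phase-based detection (example code written for this page, not the author's or LogRhythm's), the Python below classifies a constructed set of endpoint events into the five attack phases above and applies the containment rule just described. The key=value log format, the IOC patterns, the rename threshold and the "isolate once backup spoliation is seen" policy are all assumptions for illustration; real telemetry such as Sysmon or EDR output carries more fields and the rules need tuning to the environment (a legitimate readme.txt, for instance, would trip the ransom-note pattern).

```python
"""Map constructed endpoint events to the five ransomware attack phases.

Added example, not from the article. Log format, IOC patterns and the
containment policy are assumptions chosen for illustration.
"""
import re
from collections import Counter, defaultdict

PHASES = [
    "1. Exploitation and infection",
    "2. Delivery and execution",
    "3. Backup spoliation",
    "4. File encryption",
    "5. User notification and clean-up",
]

# Process-creation IOCs: (phase index, regex over "parent|image|cmdline").
# Assumed patterns for well-known behaviours, not a vendor rule set.
PROCESS_IOCS = [
    (0, re.compile(r"^(winword|excel|outlook)\.exe\|(cmd|powershell|mshta|wscript)\.exe", re.I)),
    (0, re.compile(r"powershell\.exe\|.*(-enc\b|downloadstring|\biex\b)", re.I)),
    (1, re.compile(r"\|[^|]*\\appdata\\local\\temp\\[^|]*\.exe\|", re.I)),
    (2, re.compile(r"vssadmin\.exe\|.*delete shadows", re.I)),
    (2, re.compile(r"wmic\.exe\|.*shadowcopy delete", re.I)),
    (2, re.compile(r"wbadmin\.exe\|.*delete catalog", re.I)),
    (2, re.compile(r"bcdedit\.exe\|.*recoveryenabled no", re.I)),
    (4, re.compile(r"wevtutil\.exe\|.*\bcl\b", re.I)),  # event-log clearing as clean-up
]
RANSOM_NOTE = re.compile(r"(readme|decrypt|how_to_restore|recover)[^\\]*\.(txt|hta|html)$", re.I)
RENAME_THRESHOLD = 20  # renames to one new extension by one process = encryption burst

KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key=value or key="quoted value"


def parse(line):
    """Parse one constructed log line into a dict of fields."""
    return {k: (q or u) for k, q, u in KV.findall(line)}


def classify(lines):
    """Return {host: [phase names observed, in attack order]} for hosts with hits."""
    hits = defaultdict(set)
    renames = Counter()
    for line in lines:
        ev = parse(line)
        host = ev.get("host", "?")
        if ev.get("type") == "proc":
            key = "|".join([ev.get("parent", ""), ev.get("image", ""), ev.get("cmdline", "")])
            for phase, rx in PROCESS_IOCS:
                if rx.search(key):
                    hits[host].add(phase)
        elif ev.get("type") == "file":
            if ev.get("op") == "rename" and ev.get("newext"):
                renames[(host, ev.get("image", ""), ev["newext"])] += 1
            elif ev.get("op") == "create" and RANSOM_NOTE.search(ev.get("path", "")):
                hits[host].add(4)
    for (host, _image, _ext), n in renames.items():
        if n >= RENAME_THRESHOLD:
            hits[host].add(3)
    return {h: [PHASES[i] for i in sorted(p)] for h, p in hits.items()}


def recommend(phases_by_host):
    """Containment decision per host (assumed policy): isolate from the network
    as soon as backup spoliation or a later phase is seen; otherwise investigate."""
    out = {}
    for host, phases in phases_by_host.items():
        worst = max(PHASES.index(p) for p in phases)
        out[host] = "isolate" if worst >= 2 else "investigate"
    return out


# Constructed sample telemetry: one compromised workstation and one benign one.
SAMPLE_LOG = [
    'ts=2020-06-01T10:02:11Z host=WS01 type=proc parent=WINWORD.EXE image=cmd.exe cmdline="cmd.exe /c powershell -nop -w hidden -enc SQBFAFgA"',
    'ts=2020-06-01T10:02:12Z host=WS01 type=proc parent=cmd.exe image=powershell.exe cmdline="powershell.exe -nop -w hidden -enc SQBFAFgA"',
    'ts=2020-06-01T10:05:40Z host=WS01 type=proc parent=powershell.exe image=C:\\Users\\bob\\AppData\\Local\\Temp\\update.exe cmdline="update.exe"',
    'ts=2020-06-03T02:14:03Z host=WS01 type=proc parent=update.exe image=vssadmin.exe cmdline="vssadmin.exe delete shadows /all /quiet"',
    'ts=2020-06-03T02:14:04Z host=WS01 type=proc parent=update.exe image=bcdedit.exe cmdline="bcdedit.exe /set {default} recoveryenabled no"',
    *[f'ts=2020-06-03T02:15:{i:02d}Z host=WS01 type=file op=rename image=update.exe path=C:\\Users\\bob\\Documents\\report{i}.docx newext=.maze' for i in range(25)],
    'ts=2020-06-03T02:16:00Z host=WS01 type=file op=create image=update.exe path=C:\\Users\\bob\\Documents\\DECRYPT-FILES.txt',
    'ts=2020-06-03T02:16:05Z host=WS01 type=proc parent=update.exe image=wevtutil.exe cmdline="wevtutil.exe cl Security"',
    'ts=2020-06-01T09:00:00Z host=WS02 type=proc parent=explorer.exe image=powershell.exe cmdline="powershell.exe Get-ChildItem"',
]

if __name__ == "__main__":
    found = classify(SAMPLE_LOG)
    for host, phases in found.items():
        print(host, "->", ", ".join(phases))
    print(recommend(found))
```

Note the two-day gap in the constructed timestamps between the initial foothold and the backup spoliation: the point of phase mapping is that the first two phases are visible well before anything is encrypted, which is the window the article's dwell-time argument is about.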

Contributed by Andrew Hollister, head of LogRhythm labs
