
The rise of double-extortion ransomware


For years businesses have had to face the threat of ransomware attacks. Successful hacks cause havoc for an organization’s day-to-day operations, shutting down systems and stealing private and personal data. In response, technology and prevention systems continue to advance, but so do the tactics used by criminals. The last twelve months have seen a dramatic rise in the number of these attacks, as opportunistic attackers piggyback on the weakened security environments of hybrid working. Thirty-seven percent of UK companies have reported a data breach incident to the Information Commissioner’s Office (ICO) this year.

Improving cyber security strategies and awareness has forced attackers to evolve their own strategies, expanding into new sectors of business, which makes their actions harder to control. The motivations of cybercriminals are also changing, moving on from holding organizations to ransom for financial gain to causing as much disruption as possible for political reasons, including large-scale shutdowns of life-critical services.

Earlier this year, we saw a standstill in services for Colonial Pipeline in the US due to a ransomware attack that forced the private company to pay an estimated $5 million in Bitcoin to regain control and continue services. In the same month, Ireland’s Health Service Executive was put under pressure to deliver a ransom fee of $20 million in order to stop their patients' personal data from going public. Even after an agreement was made, 520 records still made their way onto the dark web, further highlighting the unpredictability of criminals.

The evolution of ransomware attacks has come far in the last few decades. Now, instead of simply encrypting data and holding the owner to ransom, double-extortion ransomware involves the attacker exfiltrating the data first, rendering standardized data backups and data recovery plans obsolete in order to force the owner's hand. Criminals have found another avenue for extortion, and organizations need to be prepared to overcome this new threat.

What is double-extortion ransomware and how real is the threat?

Double-extortion ransomware allows criminals not only to demand a ransom to restore the stolen data, but also to use that data as leverage, offering a hollow promise to keep it from being released publicly. If the ransom is not paid within the required timeframe, the criminals publish the data for all to see, including possible competitors.

They threaten a public and/or customer “name-and-shame” campaign if you don’t pay up and, according to Emsisoft research, the number of cybercriminals adopting the “name-and-shame” tactic is growing. The research found that of the 100,101 reports of ransomware attacks received from both businesses and public sector bodies, 11.6 percent were by groups that steal and publish data in “name-and-shame” style attacks.

There is also growth in crimeware-as-a-service involving nation-state actors, which is increasingly adding to geopolitical tensions. Nation-states are buying tools and services from the dark web, while tools developed by nation-states are also making their way onto the black market.

So, how can organizations overcome this growing threat?

Double the threat, double the recovery planning needed 

For an attacker to be successful in extorting a ransom, they must first make sure that recovering useful data is impossible; otherwise they run the risk of decision-makers refusing to pay up. So they disable or destroy backups, making it near impossible to recover any valuable data. Only then do they turn to the available production data.

By developing a dedicated compromised-data risk management plan, businesses are able to improve their odds and make recovering cyber-compromised data far more likely than if they relied on a standardized data recovery process. Ransomware demands have never been higher, and readying an organization requires rethinking existing data recovery plans.

To address these recurring challenges, organizations need to plan for the five most critical steps to recovering damaged data: 

  • Identify — Identifying and justifying the organization’s Vital Data Assets (VDA). This is the data that requires an additional level of protection: the business’s must-have data.
  • Protect — Capabilities that improve the odds that you will have current, clean data to restore, for example a failsafe copy that is safe from a cyberattack.
  • Detect — Identifying vulnerabilities or weaknesses in your controls that can increase the risk of unauthorized access to the organization’s VDAs.
  • Respond — The plans, processes and procedures to be followed in the aftermath of a successful data-compromising event.
  • Recover — The rehearsals, tests and exercises that prepare the teams for this eventuality.
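The Protect and Detect steps above only pay off if someone actually checks that the failsafe copy is still complete, unaltered and recent, since disabling or corrupting backups is exactly what precedes a ransom demand. The following Python script is an added illustration, not code from the article or from Sungard Availability Services: it records a SHA-256 manifest of the vital data assets at the time a failsafe copy is taken, then verifies that copy against the manifest and an allowed age. The directory names, file contents and the simulated tampering are all constructed for the demo; in practice the manifest would be stored somewhere the production environment cannot write to.

```python
"""Failsafe-copy verification for Vital Data Assets (VDA).

Hypothetical example: build a SHA-256 manifest of the production copy of
the organisation's vital data, then check an offline "failsafe" copy
against it and report files that are missing, modified, or older than the
allowed recovery point. All paths and data below are constructed.
"""
import hashlib
import json
import shutil
import tempfile
import time
from pathlib import Path
from typing import Optional


def sha256_bytes(data: bytes) -> str:
    """Hex SHA-256 digest of a byte string."""
    return hashlib.sha256(data).hexdigest()


def manifest_for_dir(root: Path) -> dict:
    """Map each file's path (relative to root) to its SHA-256 digest."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            manifest[path.relative_to(root).as_posix()] = sha256_bytes(path.read_bytes())
    return manifest


def compare_manifests(expected: dict, actual: dict) -> dict:
    """Diff two manifests: what the copy lacks, has altered, or has extra."""
    return {
        "missing": sorted(k for k in expected if k not in actual),
        "modified": sorted(k for k in expected if k in actual and expected[k] != actual[k]),
        "extra": sorted(k for k in actual if k not in expected),
    }


def is_stale(snapshot_epoch: float, now_epoch: float, max_age_hours: float) -> bool:
    """True when the copy is older than the recovery point objective allows."""
    return (now_epoch - snapshot_epoch) > max_age_hours * 3600


def verify_failsafe_copy(manifest: dict, copy_root: Path, snapshot_epoch: float,
                         max_age_hours: float = 24,
                         now_epoch: Optional[float] = None) -> dict:
    """Full check: content diff plus age. 'ok' is True only when nothing is wrong.

    'extra' files are reported but do not fail the check on their own."""
    now_epoch = time.time() if now_epoch is None else now_epoch
    report = compare_manifests(manifest, manifest_for_dir(copy_root))
    report["stale"] = is_stale(snapshot_epoch, now_epoch, max_age_hours)
    report["ok"] = not (report["missing"] or report["modified"] or report["stale"])
    return report


def demo() -> dict:
    """Constructed scenario: take a failsafe copy, then simulate it being damaged."""
    work = Path(tempfile.mkdtemp())
    prod, safe = work / "prod", work / "failsafe"
    prod.mkdir()
    (prod / "customers.csv").write_text("id,name\n1,Example Ltd\n")   # constructed VDA
    (prod / "ledger.json").write_text(json.dumps({"balance": 100}))   # constructed VDA
    manifest = manifest_for_dir(prod)   # keep this manifest off-host, read-only
    shutil.copytree(prod, safe)         # the failsafe copy
    taken_at = time.time()
    # Simulated damage to the copy, of the kind that precedes a ransom demand:
    (safe / "customers.csv").write_text("")   # file wiped
    (safe / "ledger.json").unlink()           # file deleted
    report = verify_failsafe_copy(manifest, safe, taken_at)
    shutil.rmtree(work)
    return report


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the script prints a report listing `customers.csv` as modified and `ledger.json` as missing, with `ok` false; a copy that passes should be scheduled for a restore rehearsal (the Recover step) rather than assumed good.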

Building an effective plan 

All businesses are at risk of ransomware attacks. The rapidly changing threat landscape has called existing detection tools into question: they are no longer an effective means of fighting every attack and preventing huge data loss. Putting external threat actors aside, all organizations are contending with the risk of internal threats too, with potentially disgruntled employees holding privileged access to the internal network and its information. Cybersecurity training has come on in leaps and bounds in recent years, but human error remains a large risk to organizations, particularly those working in hybrid environments.

Ultimately, it’s up to each organization to look at the bigger picture and, based on its own circumstances, put a data recovery plan in place. The significance of a traditional ransomware attack should not be underestimated, but the risks associated with the new tactics are undeniably more business-critical. Destroyed brand reputation and damaged customer trust can often be irreparable. Before opportunistic criminals take hold of an organization, business leaders must brief the entire organization on protocol and work closely with executive management on which data should be the priority during a recovery mission. At that point, organizations can start to feel confident that their data, assets and infrastructure will remain intact even in the face of adversity.

Chris Huggett, SVP of EMEA, Sungard Availability Services

Chris has 20 years of leadership experience, having worked with leading technology firms including HP, Vodafone and Dell. He leads the European team covering UK, Ireland, France, Belgium, Luxembourg and Poland.