Double extortion ransomware: what it is and how to defend against it
Estimated reading time: 8 minutes
Looking to raise the stakes and earn more from ransomware, cybercriminals are increasingly using a tactic known as double extortion ransomware. They not only encrypt data and demand a ransom from the victim to regain access; they also threaten to publish the data online if their conditions are not met.
Let’s take a step back: ransomware is one of the most common types of malware. It hits a company every 14 seconds and cost $11.5 billion in 2019 alone. Typically, the hackers who carry out these attacks break into a system, encrypt its data and hold it hostage until the victim pays a ransom.
Why do hackers prefer double extortion ransomware?
The rise of double extortion ransomware shows that cybercriminals are constantly expanding their arsenal. Paolo Passeri, director of cyber intelligence at the software firm Netskope, says these attacks have become popular because they are the easiest way for hackers to make money.
Passeri says: “With double extortion ransomware attacks, even if a backup is available, attackers can put more pressure on the victim to pay the ransom. The increased pressure comes from the potentially serious consequences of a data leak, for example economic and reputational damage. Groups like REvil are even more creative: they don’t just leak data, they monetize it by auctioning it on the dark web, putting even more pressure on their victims.”
When conducting a double extortion ransomware attack, hackers spend more time on the overall strategy. Passeri warns that the criminals are no longer taking an opportunistic approach. Instead, they carefully select their target and method of attack to increase the ransom they can extract. He explains: “The threat actors select their victims, choosing organizations whose businesses could be affected by a data leak.”
Spear phishing is the primary means of distributing double extortion ransomware, but cybercriminals are also exploiting vulnerabilities in on-premises devices such as VPN concentrators. “In the past few months, nearly all major VPN technologies have suffered severe vulnerabilities that have been exploited for similar attacks,” says Passeri.
“This is unfortunate given the current situation with forced telework, where these remote access technologies play a crucial role in ensuring business continuity during Covid-19. These systems are directly exposed to the Internet, so threat actors can scan them and then exploit any vulnerabilities discovered.”
Risks of doxing: the spread of private data
Double extortion ransomware gives cybercriminals more opportunities, allowing them to extort victims twice. They can ask for a first payment to decrypt the files and a second payment not to make them public.
This technique, also known as doxing, has been used by an increasing number of ransomware groups over the past year. The consequences of doxing are more severe for the victim, so victims often give in to the demands. This means more money in the pockets of cybercriminals to fund new strains of ransomware and support other criminal activities.
Improvements in malware and the financial incentives for hackers have driven the growth of double extortion ransomware attacks. In the past, ransomware encrypted files and hackers stole data, but it was rare for a single attack to do both.
We now have bots that can scan the web for unprotected data, steal it, encrypt it or delete it, and leave a ransom note for the owner, all in one automated attack. The hacker can then collect a ransom for the data and sell the same data to other criminals, cashing in twice with minimal effort.
There has been an influx of double extortion ransomware attacks in the past year. The tactic gained traction in late 2019, when high-profile groups like Maze began exploiting it aggressively.
In these particularly aggressive cases, the hacker extracts a copy of the data before encrypting it. This way the attacker not only prevents the victim from accessing its data, but also keeps a copy of the data for himself.
To prove responsibility and put pressure on the victim during the negotiation process, the attacker often releases small chunks of data online. If negotiations stall or fail, the attacker publishes all the stolen data or sells it to third parties. This constitutes a significant data breach for the victim.
What to do
To defend against these attacks, there are several steps companies should take. For example, keeping systems updated so that known vulnerabilities are fixed. It is also imperative that organizations adopt a layered security approach that includes data loss prevention tools. An example is the Acronis Cyber Protect Cloud service offered by SOD. The system can stop the extraction or encryption of data on which these double extortion attacks depend.
But what can organizations do if they can’t successfully mitigate one of these attacks?
Organizations should also have a last line of defense that isolates and stops illegitimate encryption immediately. This mitigates the risk when traditional prevention-based security has been compromised or bypassed. Robust backup processes, including air-gapped backups, should also be adopted to make it harder for criminals to encrypt or disable critical data stores: backups and shadow copies reachable with the credentials the attacker has already obtained are routinely deleted before the encryptor is launched, so at least one copy must be unreachable from the compromised network.
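One concrete form of that last line of defense is a canary check: decoy documents are planted in shared folders and watched for rewrites, and anything that overwrites them with high-entropy (random-looking) bytes or renames them is treated as an encryptor in progress. The script below is an added example, not code from the original article or from any product it mentions; the entropy threshold, the alert ratio and the canary contents are assumptions, and the "ransomware" is simulated by overwriting the canaries with random bytes inside a temporary directory.

```python
"""Canary-file and entropy check for in-progress ransomware encryption (added example)."""
import hashlib
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Encrypted output is indistinguishable from random bytes (about 8 bits of entropy
# per byte); ordinary documents sit far lower. Both thresholds are assumptions.
HIGH_ENTROPY_BITS = 7.2   # content at or above this is treated as "looks encrypted"
ALERT_RATIO = 0.5         # fraction of canaries that must look encrypted before alerting


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty or constant data, at most 8.0."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def _digest(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def plant_canaries(root: Path, count: int = 4) -> dict:
    """Write decoy plaintext files and record a content digest for each (constructed decoys)."""
    baseline = {}
    for i in range(count):
        p = root / f"canary_{i:02d}.txt"
        p.write_bytes(b"Quarterly report draft, do not delete. " * 64)
        baseline[p] = _digest(p)
    return baseline


def check_canaries(baseline: dict) -> dict:
    """Report canaries that were removed/renamed or rewritten, and whether the
    rewritten content looks encrypted. Digests, not mtimes, are compared so a
    rewrite within the filesystem's timestamp granularity is still caught."""
    touched, encrypted = [], []
    for p, digest in baseline.items():
        if not p.exists():
            touched.append(p)                 # deleted or renamed (e.g. to .locked)
            continue
        if _digest(p) != digest:
            touched.append(p)
            if shannon_entropy(p.read_bytes()) >= HIGH_ENTROPY_BITS:
                encrypted.append(p)
    alert = len(encrypted) / max(len(baseline), 1) >= ALERT_RATIO
    return {"touched": touched, "encrypted": encrypted, "alert": alert}


def simulate_encryptor(paths) -> None:
    """Stand-in for ransomware: overwrite each file with random bytes of the same size."""
    for p in paths:
        p.write_bytes(os.urandom(p.stat().st_size))


def demo() -> dict:
    """Plant canaries, check them, run the simulated encryptor, check again."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        baseline = plant_canaries(root)
        before = check_canaries(baseline)
        simulate_encryptor(list(baseline))
        after = check_canaries(baseline)
        return {
            "before_alert": before["alert"],
            "after_alert": after["alert"],
            "after_encrypted": len(after["encrypted"]),
        }


if __name__ == "__main__":
    print(demo())
```

In production the check runs continuously (a filesystem watcher rather than a polling loop), and the response on alert is to isolate the host or revoke the writing account's share access, which is the "stops illegitimate encryption immediately" part; an alert alone only shortens the window.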
If an organization falls victim to a double extortion ransomware attack, the consequences are often dire. Criminal groups are increasingly brazen; dystopian names like Maze, Netwalker and REvil are an indication of this inclination. Their pride leads them to display exfiltrated data as online trophies and even to sponsor underground hacking contests to showcase their malware, in a kind of cyber show-off.
For the victims, the consequences can be devastating. Travelex, a currency exchange service, went into administration with the loss of 1,300 jobs in the UK following a ransomware attack. During the attack, the REvil gang demanded that the company pay $6 million within 48 hours. The company faced the threat of its customers’ credit card information, national insurance numbers and dates of birth being published.
It is clearly critical that companies do everything they can to identify and stop these attacks before they cause more damage. Preventing these attacks proactively is far better than mitigating their effects, with all the financial costs and reputational damage they entail.
Most attackers gain access through human error. For this reason, alongside technical measures such as internal data access management and backups, staff training and supervision are key elements of an organization’s defenses.
Victims essentially have two choices, both of which are costly: if they refuse to pay, they face a catastrophic data breach with exposure to painful regulatory fines and civil claims; if they pay the ransom, they still have no guarantee that they will receive a working decryptor or that the stolen copy of the data will be deleted.
Handling double extortion ransomware
While getting hit by ransomware can deal a severe blow to any business, companies should be cautious when asked to pay a ransom. Doing so could involve even greater risks: there is no certainty that the attackers will not ask for more money, or leak the data anyway.
It is important for companies to secure their networks and conduct simulated attacks to mitigate the ransomware threat. Such simulations help spot vulnerabilities within the organization without the risk of serious financial damage and without having to answer very difficult questions from customers.
Implementing strong resilience measures is the best way to prevent double extortion ransomware. Ransomware is often a secondary infection: threat actors first exploit known vulnerabilities, particularly in remote access protocols and applications that are critical for working from home, and deploy the ransomware only later.
Critical to mitigating this is ensuring that vulnerabilities are patched in a timely manner and that network logs are monitored for any unusual activity or data exfiltration. There is therefore a window of opportunity to remediate the primary infection (which precedes the ransomware) and prevent the attack from ever reaching the ransom note stage. In a double extortion attack the exfiltration itself is the loudest signal in that window: gigabytes leaving the network towards a destination the host has never spoken to, often outside working hours, before a single file has been encrypted.
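As an added example (not from the original article or any product it mentions) of what "monitoring network logs for data exfiltration" looks like in practice, the script below reads connection-log style records, sums outbound bytes per host per day to destinations outside the organization's own ranges, and flags a day whose volume is far above that host's own median. The log lines, the internal address ranges, the spike factor and the minimum byte floor are all constructed assumptions for the demonstration.

```python
"""Per-host outbound-volume spike detection over constructed connection logs (added example)."""
import ipaddress
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample, not from any real sensor: "<iso timestamp> <src> <dst> <dst_port> <bytes_out>".
# 10.0.1.15 has a normal ~100 MB/day SaaS footprint, then sends ~9 GB to a new host at 03:00.
# 10.0.1.20 moves 9 GB to an internal file server (a backup), which must not be flagged.
SAMPLE_LOG = """\
2021-06-07T09:12:01 10.0.1.15 198.51.100.10 443 92000000
2021-06-08T09:40:11 10.0.1.15 198.51.100.10 443 110000000
2021-06-09T10:02:45 10.0.1.15 198.51.100.11 443 98000000
2021-06-10T09:55:30 10.0.1.15 198.51.100.10 443 105000000
2021-06-11T03:14:07 10.0.1.15 203.0.113.7 443 7800000000
2021-06-11T03:20:19 10.0.1.15 203.0.113.7 443 1200000000
2021-06-07T08:00:00 10.0.1.20 198.51.100.10 443 60000000
2021-06-08T08:00:00 10.0.1.20 198.51.100.10 443 65000000
2021-06-09T08:00:00 10.0.1.20 198.51.100.10 443 58000000
2021-06-10T08:00:00 10.0.1.20 198.51.100.10 443 61000000
2021-06-11T08:00:00 10.0.1.20 198.51.100.10 443 64000000
2021-06-11T01:00:00 10.0.1.20 10.0.2.5 445 9000000000
"""

# Assumptions: the organization's own ranges, and the two alert thresholds.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SPIKE_FACTOR = 5.0          # a day is suspicious at 5x the host's median daily egress
MIN_BYTES = 500_000_000     # and only if it also exceeds 500 MB (keeps tiny hosts quiet)
MIN_HISTORY_DAYS = 3        # days of history required before a baseline is trusted


def is_external(ip: str) -> bool:
    """True when the address is outside every internal range (hence leaves the network)."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def parse(log: str) -> list:
    """Parse the space-separated records into (timestamp, src, dst, dst_port, bytes_out)."""
    rows = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, nbytes = line.split()
        rows.append((datetime.fromisoformat(ts), src, dst, int(dport), int(nbytes)))
    return rows


def daily_external_egress(rows: list) -> dict:
    """{host: {date: bytes_out}} counting only traffic to external destinations."""
    totals = defaultdict(lambda: defaultdict(int))
    for ts, src, dst, _port, nbytes in rows:
        if is_external(dst):
            totals[src][ts.date()] += nbytes
    return totals


def find_exfil_spikes(log: str) -> list:
    """Return one alert per (host, day) whose external egress spikes against the host's own
    earlier days. Each host is compared with itself, so a busy server is not flagged for
    being busy and a quiet workstation is flagged as soon as it stops being quiet."""
    rows = parse(log)
    totals = daily_external_egress(rows)
    alerts = []
    for host, per_day in totals.items():
        days = sorted(per_day)
        for i, day in enumerate(days):
            history = [per_day[d] for d in days[:i]]
            if len(history) < MIN_HISTORY_DAYS:
                continue
            baseline = statistics.median(history)
            today = per_day[day]
            if today >= MIN_BYTES and today >= SPIKE_FACTOR * baseline:
                # Attribute the spike to the external destination that received the most bytes.
                dests = defaultdict(int)
                for ts, src, dst, _p, nb in rows:
                    if src == host and ts.date() == day and is_external(dst):
                        dests[dst] += nb
                alerts.append({
                    "host": host,
                    "day": day.isoformat(),
                    "bytes": today,
                    "baseline": baseline,
                    "top_dst": max(dests, key=dests.get),
                })
    return alerts


if __name__ == "__main__":
    for alert in find_exfil_spikes(SAMPLE_LOG):
        print(alert)
```

The per-host median baseline is deliberately simple; the point is the shape of the check (self-referential baseline, external-only traffic, an absolute floor) rather than the statistic. Real deployments feed this from a flow collector or proxy logs and add a second signal the sample does not show, such as a destination the host has never contacted before or an upload over a protocol the host never uses.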
Organizations need to educate staff about the risks of double extortion ransomware and how it is carried out. Individual users can also be of great help by being aware of the danger of unsafe attachments. They should also be cautious about clicking any link received in any communication, particularly given the recent resurgence of Emotet, a well-known malware loader.
There are two defensive strategies for dealing with double extortion ransomware. First, robust backups, so that your hands are not tied if hackers gain control of your data. Second, encryption of data at rest, so that if an attacker threatens to expose your data, that copy is protected too. Note that encryption at rest only helps against exfiltration when the attacker cannot read the data in the clear with the credentials already stolen, so key management and access control matter as much as the encryption itself.
These approaches should then be incorporated into a broader strategy: careful monitoring of the network, so that attackers can be cut off, and IT security education for employees, so that they do not fall victim to phishing attacks, which are often the initial cause of a ransomware incident.
The threat of double extortion ransomware is undeniable, with cybercriminals carefully targeting and crafting these attacks in an attempt to increase the size of the ransom.
Organizations often feel they have no choice but to pay the ransom to avoid the leak of sensitive data. But paying is a game of Russian roulette, and the stolen information can still find its way online. The focus must therefore be on prevention and risk mitigation.