Ransomware gangs are continuing to evolve new tactics and techniques, and organizations need to be better prepared to defend against them in 2022. In the business of extorting money from victims, bad actors are finding innovative, disruptive new ways to gain leverage and provide incentives for victims to hand over the ransom payment.
The rise of double and triple extortion methods—used by ransomware operators to improve their success rates—is putting additional pressure on organizations to understand common and emerging ransomware trends, as well as how to respond to them.
The double extortion tactic has proved very effective given it undermines ransomware recovery strategies for organizations who planned to rely on data backup remediation options in the case of a ransomware attack. With double extortion, the options for organizations become more limited.
Common Themes Among Thieves
The common themes for ransomware extortion include prevention of data loss/destruction, prevention of business disruption as systems become disabled and prevention of data leakage by making it public.
The arrival of double-extortion ransomware signals the pairing of data exfiltration with the previous step of encryption, in addition to the threat to divulge data.
Common data types targeted by ransomware attackers include protected health information (PHI) which includes medical records, diagnosis details and patient medical insurance data and other sensitive personally identifiable information (PII), ranging from birthdates and physical addresses to Social Security numbers (SSNs).
Under triple extortion (to say nothing of emerging quadruple extortion tactics), ransom demands might now also be directed at a victim’s clients or suppliers and, although triple extortion was first observed barely 12 months ago, these types of multi-layered extortion capabilities have quickly become an important ransomware selling point for developers like REvil.
This entails several potential negative outcomes including destruction, release or trade of data with other unsavory parties.
To make matters worse, there are also observed trends of so-called “quadruple extortion”, which includes the aggressive steps of traditional DDOS attacks and targeted harassment of the organization or its customer base.
Ransomware’s Unholy Alliance
According to findings from Group-IB’s Hi-Tech Crime Trends Report 2021/2022, there’s an “unholy alliance” of initial access brokers and ransomware operators as part of ransomware-as-a-service (RaaS) affiliate programs.
Double-extortion ransomware damage has skyrocketed 935% in the last year, the study found, in contrast to the days when only one ransomware gang was using the tactic in 2019.
A report by Help Net Security found that at the end of Q1 2021, the percentage of ransomware attacks that included threats to publish exfiltrated data if a ransom demand was not paid had increased to 77% of all documented ransomware attacks.
“By threatening to release stolen data, ransomware operators have increased the incentives to pay the ransom,” explained John Bambenek, principal threat hunter at Netenrich, a digital IT and security operations company. “Many organizations have good backups and disaster recovery plans and when those work, ransomware can be mitigated.”
He explained that stolen data, however, often cannot be mitigated so even resilient organizations will have to contend with that problem.
Bambenek said he thinks one of the most underutilized techniques to prevent data exposure extortion is minimizing the data you have and keep.
“Some organizations have regulations or rules that strongly regulate how long they keep certain classes of data, but many organizations do not have such requirements,” he said. “Take strong steps to delete data when it no longer needs to be kept—it’s both better for privacy and can help protect against these types of extortion.”
Oliver Tavakoli, CTO at Vectra, an AI cybersecurity company, suggested running a tabletop exercise simulating a ransomware attack against your organization.
“Know who you would contact and when to contact them for help,” he said. “Do you have an IR firm ready to step in should such an attack occur? Do you know the limits of your cyberinsurance policy? Will the company underwriting your cyberinsurance be taking the lead on negotiations with the ransomware gang?”
While these suggestions are not perfect, Tavakoli noted these types of tabletop exercises can surface issues that should be discussed (and capabilities that should be put in place) in advance of an attack. It’s better than nothing.