What is Double Extortion Ransomware?
Ransomware is continuously getting more sophisticated and more dangerous. Cybersecurity professionals and hackers are locked in a kind of arms race, and unfortunately the hackers are currently winning. The rise of double extortion ransomware is a prime example of this trend. So what is double extortion, how does it work, and what can you do about it?
Definition of double extortion ransomware
Double extortion ransomware refers to any type of ransomware that uses two different methods of extortion. In most cases, this refers to both encryption and data exfiltration. Encryption is when ransomware locks users out of their system by making most of their files unreadable. Victims are then asked to pay a ransom if they want to get back to work. Double extortion ransomware takes this even further by threatening to release sensitive data to the public if victims don’t pay an additional ransom.
History of double extortion ransomware
Ransomware has existed in theory since the 1980s, but it only became really profitable after the development of Bitcoin in 2010. Bitcoin allowed hackers to demand money without disclosing their identity. Ransomware really hit the headlines in 2017 with the WannaCry attack, which shut down hundreds of thousands of machines. WannaCry and most other types of ransomware worked by encrypting the files on affected machines and demanding a ransom in exchange for the decryption key. After this, many people and organizations started to get serious about their backup policy. Frequent, secure backups can render a network effectively immune to this kind of attack: the victim can simply reset their systems and restore the encrypted data. Hackers realized this and adapted. Instead of just locking down data, they started collecting sensitive data and blackmailing victims by threatening to publish it. This has now become a core part of the operation of many of the biggest and most dangerous ransomware operations. Maze was the first major ransomware strain to use double extortion, and Sodinokibi followed soon after.
How does double extortion ransomware work?
Double extortion attacks have multiple phases. Understanding each phase can help to prepare defenses to prevent and stop attacks.
- Reconnaissance. First, attackers need to know two things about a victim’s network: the value of the data and the weaknesses in its defenses. In this phase, companies with sensitive data, such as health care providers or law firms, are more likely to be targeted.
- Infiltration. Next, attackers seek to gain access through an open RDP port, a software vulnerability, a phishing attack, or some combination of these.
- Lateral spreading. Once inside a network, attackers try to gain access to as much of it as possible; this is how the ransomware spreads. This may involve more phishing, brute force, or the use of tools like Mimikatz to harvest account credentials.
- Data exfiltration. Once the attackers have access to sensitive data, exfiltration begins. This involves uploading large amounts of data to the hackers’ servers.
- Ransom demand. Once they have secured the data, hackers will encrypt and lock down the victim’s network, preventing them from working. They then demand a payment for the decryption key.
- Second ransom demand. At this point, well-prepared organizations will restore their network from a secure backup. If there is no backup, they may pay the ransom or start rebuilding their data from scratch. Either way, the hackers still hold the stolen data, and they maintain dedicated leak sites for publishing it. If the victim refuses to pay, all the data is released to the public.
How to prevent double extortion attacks
Traditional ransomware attacks and double extortion attacks each require unique defenses. Generally speaking, however, most of the defenses that prevent data exfiltration will also boost overall security. Preparing for double extortion attacks requires special attention in a few key areas.
- Encryption. Good encryption practices are a must for preventing data exfiltration. If data is encrypted, hackers won’t be able to use it even if they gain access to it.
- Implement the principle of least privilege. The principle of least privilege states that every network user should have no more access to the network than they absolutely need to do their job. The more people who have administrative privileges, the easier it will be for hackers to spread through the entire network and gain access to data.
- Network monitoring. Data exfiltration generates a lot of traffic. Many gigabytes of data must be transferred to the attacker’s servers. The best network monitoring is an in-house cybersecurity professional who can detect unusual traffic and move to stop it immediately. However, it’s also possible to outsource network monitoring or use automated software.
- Data management policies. Some information is more sensitive than other kinds. Highly sensitive data can be stored separately from the general storage, subject to more security measures, or redacted completely to minimize risk of exfiltration.
- Phishing education. Phishing attacks are a key part of many of the most devastating double extortion attacks. Everyone involved with a network should have at least a basic awareness of how phishing works, and keep up to date with the latest trends. Employees who have access to sensitive information should be especially aware, and it may be worth it for them to attend additional training.
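As an added illustration of the network monitoring point above (example code, not from the original article or from BeforeCrypt): a small Python check that sums each internal host's bytes sent to external addresses and flags hosts whose egress exceeds ten times their own baseline, with an absolute floor so that a host with no history is still caught. The flow records, internal ranges and thresholds are constructed for the example and are not real values.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Internal address ranges (assumed for the example); anything else is "external".
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Constructed flow records: (src, dst, bytes sent by src). One "normal" day of
# history and one day under review. All values are made up for this example.
BASELINE_FLOWS = [
    ("10.0.1.5", "203.0.113.10", 40_000_000),   # workstation, routine cloud traffic
    ("10.0.1.5", "10.0.2.20", 900_000_000),     # internal file server, not counted
    ("10.0.1.9", "198.51.100.7", 35_000_000),
    ("10.0.3.2", "203.0.113.10", 25_000_000),
]
REVIEW_FLOWS = [
    ("10.0.1.5", "203.0.113.10", 45_000_000),    # normal
    ("10.0.1.9", "198.51.100.7", 30_000_000),
    ("10.0.1.9", "192.0.2.55", 12_000_000_000),  # 12 GB to an unfamiliar host
    ("10.0.3.2", "203.0.113.10", 240_000_000),   # above floor, but under 10x baseline
    ("10.0.4.1", "192.0.2.56", 3_000_000_000),   # host with no history at all
]

def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def external_bytes_per_host(flows):
    """Sum the bytes each internal host sent to destinations outside INTERNAL_NETS."""
    totals = defaultdict(int)
    for src, dst, nbytes in flows:
        if is_internal(src) and not is_internal(dst):
            totals[src] += nbytes
    return dict(totals)

def flag_exfiltration(baseline_flows, review_flows, factor=10, floor_bytes=200_000_000):
    """Return {host: bytes} for hosts whose external egress exceeds `factor` x
    their baseline. A host with no baseline is compared against `floor_bytes`
    instead, so a newly seen machine pushing gigabytes out is still flagged."""
    base = external_bytes_per_host(baseline_flows)
    review = external_bytes_per_host(review_flows)
    flagged = {}
    for host, sent in review.items():
        threshold = max(floor_bytes, factor * base.get(host, 0))
        if sent > threshold:
            flagged[host] = sent
    return flagged

if __name__ == "__main__":
    for host, sent in flag_exfiltration(BASELINE_FLOWS, REVIEW_FLOWS).items():
        print(f"ALERT {host}: {sent / 1e9:.2f} GB sent to external hosts")
```

In practice the baseline would come from several weeks of flow records rather than one day, and the alert would be enriched with the destination addresses so an analyst can see where the data went.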
Worst Case Scenario: Incident Response Plan
Last but not least, it’s important to have an incident response plan. A major data breach can be extremely stressful, and it’s easy to make bad decisions in the heat of the moment. If you have a good response plan ready, you can go through the necessary steps safely and methodically. In the event that all safeguards fail, a good ransomware incident response partner like BeforeCrypt can be a vital part of a good response plan. BeforeCrypt has handled hundreds of ransomware cases, and we know the best methods for dealing with various ransomware gangs to minimize damage and get systems back online as quickly as possible.
When it comes to data breaches, there are also important legal and regulatory concerns. Depending on your country and the industry you work in, there may be special requirements and steep fines if they are not met. BeforeCrypt can help with all of these requirements and help your organization maintain regulatory compliance.
If you get hit by a double extortion ransomware attack, or if you need help drafting a ransomware response plan, reach out to us today for a free consultation on our Ransomware Recovery Services.