Why Double Extortion and Other Developments Are Making Ransomware More Dangerous
Ransomware is not a new threat, but it is becoming increasingly dangerous and rising in frequency, threatening more organizations than ever before. Schools, healthcare facilities, and government agencies have borne the brunt of these attacks. According to Check Point, ransomware attacks have risen 93% in just the last 6 months, fueled by new attack techniques.
The pandemic has also fueled a major rise in ransomware attacks, with one cyber-insurance firm, Coalition, reporting a 260% increase in ransomware incidents among its clients in 2020. And they haven’t let up in 2021, with ransomware attacks severely impacting organizations such as Colonial Pipeline, Brenntag, and Apple supplier Quanta. In the case of Colonial Pipeline, the impact was crippling, disrupting the oil and gasoline supply of nearly the entire mid-Atlantic region of the United States.
This sharp rise in attacks can be attributed to several new developments that are leading to an increased attack frequency, more successful compromises, and more industries and companies finding themselves at risk.
What’s leading to the sharp rise of ransomware attacks?
There are a number of different factors leading to the rise of ransomware attacks:
- Double and triple extortion attacks
- An increased focus on industries that can’t afford to wait out an attack
- The rise of Ransomware-as-a-Service
- More companies paying ransoms, which encourages even more attacks
We’ll break down each factor here.
Double extortion ransomware attacks, explained
With traditional ransomware attacks, the data is encrypted, usually on a victim’s device and/or servers that house high value data. This locks the victim out of their own data and can prevent an organization from fulfilling its responsibilities. To decrypt the data, the attacker demands a ransom in exchange for the decryption keys. Once it’s paid, the organization, theoretically, can recover the data and run their business as before.
However, attackers have evolved their ransomware attacks and now exfiltrate the impacted data, which is standard operating procedure for most data theft attacks but a new trend for ransomware operators. This has led to the rise of double extortion ransomware attacks — because the attackers now have the data, they can also threaten to leak it online or sell it to the highest bidder unless another ransom payment is made. This is especially troubling for any organization that handles extremely sensitive information or its customers’ data, or that simply wants to keep its IP out of the hands of competitors.
This attack has impacted police departments and third-party suppliers; in the case of Quanta, the Apple supplier, a ransomware group threatened to release files and pictures of upcoming Apple products.
Triple extortion attacks, where another threat layer is added to the traditional encryption and exfiltration/exposure attack, are also on the rise. In this scenario, if a company is still not willing to pay the ransom, the attackers will launch a DDoS (Distributed Denial of Service) attack that will further hinder the organization from carrying out its business responsibilities.
Industries most at risk for ransomware attacks
As mentioned, ransomware attacks are on the rise but certain industries are seeing higher attack volumes as groups refine their targeting. Zscaler found that manufacturing, services, and transportation companies were the top three industries most targeted with double-extortion ransomware attacks.
However, hospitals, healthcare services, and schools are also seeing a significant increase in ransomware attacks, with the latter averaging a $50,000 ransom cost. According to a recent report published by the U.S. Department of Health and Human Services (HHS), there were 48 successful ransomware attacks targeting the Healthcare and Public Health (HPH) sector from Jan 2021 to May 2021, with over 70% resulting in data exposure.
These organizations are being targeted because they can’t afford the time to negotiate with the attackers, develop a decryption method, or bring in third-party help in hopes of recovering their data. In the case of healthcare facilities, it’s literally the difference between life and death. For power grid companies, it’s the difference between thousands, if not millions, of people having electricity. And as we saw unfold with the Colonial Pipeline attack, it meant millions of people losing easy access to gasoline.
Attackers also know that many local government agencies or departments aren’t likely to have the most robust cybersecurity defense, but do have the budget (whether city or state) to pay the ransom.
Use of Ransomware-as-a-Service (RaaS) is rising
The same technological advantages that have transformed the business world over the last decade have also benefited attackers and hacker groups in very similar ways. The affordability of cloud infrastructure tools, faster computing power, and better communication methods (hacker groups were the original remote teams) have given hackers better resources and assets to find vulnerabilities, develop exploits, and more successfully target companies.
Ransomware attacks have also evolved from self-propagating malware infections (as with the WannaCry worm) to operations in which attackers first gain a foothold in a network and then deploy the ransomware deliberately, increasing the odds of success.
This has led to the emergence of the Ransomware as a Service business model. Ransomware hacker groups offer their ransomware services to attackers looking to bring down a specific company. Once the attacker successfully infiltrates an organization, the RaaS team comes in, deploys the payload and handles most communication and processes. The attacker, if successful, receives the ransom and the RaaS group receives a percentage of the ransom for carrying out the attack.
This lucrative model leverages two parties’ most successful assets – compromising a company, often via network infiltration, and deploying ransomware. It’s proven successful over the last few years, with more RaaS options popping up and more attackers leveraging this new service, putting many more organizations at risk.
Companies continue to pay ransoms, encouraging more ransomware attacks
It’s a generally accepted rule and point of guidance across the cybersecurity industry to never pay the ransom if a company is affected by a ransomware attack. NIST’s most recent guidance on preventing and dealing with ransomware attacks does not even mention paying a ransom, and the FBI states that it does not support paying a ransom.
The logic is sound — even if the ransom is paid, there’s no guarantee that an organization will recover its files. If the company didn’t do its due diligence or a sufficient investigation, it may also not know how the attacker infiltrated the network or whether a backdoor was installed. Ultimately, this means the company may be attacked again and fall prey to another ransomware attack. Research from Cybereason shows that 80% of ransomware victims that pay the ransom are hit again.
Paying ransoms also encourages more ransomware attacks because of their success. The high-profile Colonial Pipeline attack led to a ransom payment of $4.4M and in 2020, companies paid over $350M in ransoms, a 300%+ increase compared to the year before. The previously mentioned HHS department report also noted that the average ransomware payment paid by HPH companies was $131,000.
While it’s highly discouraged to pay ransoms, companies don’t always have the time or resources to combat a ransomware attack or try to recover from one. Third-party investigators and response teams can be costly and can’t guarantee files will be recovered.
It’s clear that ransomware attacks are incredibly attractive from a financial perspective and even if the cost is split among parties, attackers can always increase the ransom, knowing there’s still a high likelihood that it’s paid.
Ultimately, current circumstances benefit hacker groups and attackers in an extremely significant way. This may lead to organizations feeling helpless and powerless against these attacks, crossing their fingers that employees don’t click on the wrong link and that they fly under the radar of some of these attackers. However, there are effective methods to fight against ransomware, prevent a compromise, and reduce the amount of harm that ransomware can do.
What organizations can do to protect themselves against ransomware attacks
The good news is that fundamental and foundational cybersecurity can still present a strong defense against ransomware attacks and prevent attempts from compromising your organization.
Organizations should ensure they have robust network and endpoint security in place and stay on top of CVE (Common Vulnerabilities and Exposures) publications. Coupled with ongoing patch management and asset management, this should reduce an organization’s risk of offering easy attack vectors in the form of out-of-date or vulnerable software.
Engaging in regular security awareness training can also be a strong cybersecurity investment that will protect against various types of attacks. With the right training, employees will know what to do if they face a social engineering or phishing attack, which can either deliver a ransomware payload or be the precursor to a targeted ransomware attack.
Organizations should also invest in tools, processes, and solutions that reduce the damage ransomware can inflict in case they are compromised by a successful attack. Applying the principle of least privilege to admin and network permissions helps minimize the scope of a ransomware attack that arrives via an unsuspecting employee.
Network segregation and segmentation will also limit how much of your organization is exposed to ransomware and can keep your most sensitive and business-critical data from being locked up or leaked. To aid in recovery and response efforts, you should have robust and routinely tested backup processes and an incident response plan, so you can recover as quickly as possible and aren’t wasting time working out what to do if you’re hit with ransomware.
To reduce the risk from a multifaceted attack, it’s important to invest in data and storage (at-rest) encryption that isn’t designed around a flawed model of central, implicit trust. Encryption that trusts every administrator can be easily disabled by attackers holding compromised admin credentials; encryption that doesn’t ensures that any data that is exfiltrated stays encrypted and inaccessible to them. This removes the threat of data exposure or leak, because the data is already encrypted on your network and you hold the decryption keys.
The best way to invest in this approach is to use an encryption provider (building your own encryption is often difficult, costly, and brings its own vulnerabilities) that lets you integrate data encryption directly into the application layer, so data is encrypted by the application before it ever hits the network or reaches storage. This ensures that even if network or system admin credentials are compromised, your data remains safely encrypted.
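As an added illustration of the application-layer pattern described above (example code written for this page, not Ubiq’s product or code and not from the original post), the following Go program seals a record’s sensitive field with AES-256-GCM inside the application before the record is handed to storage. A copy of the store taken with storage or admin credentials therefore yields only ciphertext, because the key lives with the application and not with the storage tier. The record type, the fixed demonstration key and the sample record are constructed for the example; a real deployment would draw keys from a KMS or HSM.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
)

// PatientRecord is the object the application works with; the SSN is only
// ever in the clear inside the application process. (Constructed type.)
type PatientRecord struct {
	ID  string
	SSN string
}

// StoredRecord is the shape that reaches the database or file share. The
// SSN is carried only as base64(nonce || ciphertext || tag).
type StoredRecord struct {
	ID        string
	SSNSealed string
}

// FieldEncryptor wraps an AES-256-GCM key held by the application (or a key
// service it calls), never by the storage tier.
type FieldEncryptor struct {
	aead cipher.AEAD
}

// NewFieldEncryptor builds an encryptor from a 32-byte key; aes.NewCipher
// rejects any other key length.
func NewFieldEncryptor(key []byte) (*FieldEncryptor, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &FieldEncryptor{aead: aead}, nil
}

// Seal encrypts one field value with a fresh random nonce. The record ID is
// bound in as associated data, so a sealed value copied onto a different
// record will not decrypt.
func (f *FieldEncryptor) Seal(recordID, plaintext string) (string, error) {
	nonce := make([]byte, f.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	// Seal appends ciphertext+tag to nonce, giving nonce || ct || tag.
	out := f.aead.Seal(nonce, nonce, []byte(plaintext), []byte(recordID))
	return base64.StdEncoding.EncodeToString(out), nil
}

// Open reverses Seal; it fails on a wrong key, a tampered value, or a
// mismatched record ID, and rejects inputs too short to hold nonce and tag.
func (f *FieldEncryptor) Open(recordID, sealed string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(sealed)
	if err != nil {
		return "", err
	}
	ns := f.aead.NonceSize()
	if len(raw) < ns+f.aead.Overhead() {
		return "", errors.New("sealed value too short")
	}
	pt, err := f.aead.Open(nil, raw[:ns], raw[ns:], []byte(recordID))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// StoreRecord is the application/storage boundary: the SSN crosses it only
// in sealed form.
func StoreRecord(enc *FieldEncryptor, r PatientRecord) (StoredRecord, error) {
	sealed, err := enc.Seal(r.ID, r.SSN)
	if err != nil {
		return StoredRecord{}, err
	}
	return StoredRecord{ID: r.ID, SSNSealed: sealed}, nil
}

// LoadRecord reads a stored record back into the application form.
func LoadRecord(enc *FieldEncryptor, s StoredRecord) (PatientRecord, error) {
	ssn, err := enc.Open(s.ID, s.SSNSealed)
	if err != nil {
		return PatientRecord{}, err
	}
	return PatientRecord{ID: s.ID, SSN: ssn}, nil
}

// ConstructedKey returns a fixed, obviously non-secret 32-byte key for the
// demonstration only.
func ConstructedKey(fill byte) []byte {
	key := make([]byte, 32)
	for i := range key {
		key[i] = fill
	}
	return key
}

func main() {
	appEnc, _ := NewFieldEncryptor(ConstructedKey(0x11))
	rec := PatientRecord{ID: "pt-0001", SSN: "123-45-6789"} // constructed sample
	stored, _ := StoreRecord(appEnc, rec)
	fmt.Printf("what the storage tier holds: %+v\n", stored)

	// An exfiltrated copy of the store, opened with a key that is not the
	// application's, yields only an authentication failure.
	other, _ := NewFieldEncryptor(ConstructedKey(0x22))
	if _, err := other.Open(stored.ID, stored.SSNSealed); err != nil {
		fmt.Println("exfiltrated copy without the app key:", err)
	}
	back, _ := LoadRecord(appEnc, stored)
	fmt.Println("application view:", back.SSN)
}
```

The two design points worth noting are that the key never travels with the data (so storage-level or admin-level access alone does not expose the field), and that the record ID is passed as GCM associated data, so an attacker who can shuffle ciphertexts between rows cannot graft a valid sealed value onto a different record. Per-field encryption of this kind also leaves non-sensitive columns searchable while the protected field remains opaque to anything below the application.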
While it may seem like ransomware attacks are inevitable, it’s important that companies adopt the right kind of security hygiene and prepare for the worst-case scenarios. Investing in a well-documented plan, strategies, and new tools designed to fight these evolved attacks is an important start.
Click here to find out how Ubiq can help to defend your data from ransomware theft.