I keep seeing a new ransomware term, “double extortion” being discussed. It is the hot, new buzzword surrounding ransomware. This term attempts to summarize how ransomware is no longer just encrypting data and how ransomware gangs are more commonly using data exfiltration and the threat of releasing that data to hackers or the public to get paid. An example of a common use for this term is, “A good backup will no longer save you because of double extortion!”
That is true. But it is really worse than that. If only it was double extortion.
Starting in late 2019, the first ransomware gangs started to use data exfiltration as a tactic. They got paid more money more often. Other ransomware gangs noticed and by the end of 2019, 10-15% of ransomware attacks involved data exfiltration. By the end of 2020, that number was over 70%. Now, halfway through 2021, it is over 80%. This means that if you get hit by ransomware, odds are your company will also have a data exfiltration issue to deal with and a data breach to report.
Quintuple Extortion
But that is not all they do now. Besides stealing data, cyber criminals are stealing company, employee and customer passwords. It used to be that if they stole passwords, they only stole them to help infect more machines in the same network. Not anymore. Now, their primary goal for stealing passwords is to cause more damage and to do more extortion.
The average malicious ransomware code is hiding on someone’s device or network from a few weeks to nearly a year. I see different figures about how long ransomware dwells without being discovered, but the most common stats I see are 120-200 days. I personally know of many companies where ransomware was inside the network for a year or more. I know of one where the ransomware program dwelled for over three years without being detected. And, yes, over 80% of those victims were running up-to-date antivirus software. Welcome to the new world of ransomware.
Cyber criminals often steal employee passwords because during the ransomware’s dwell time, employees are going to tons of personal websites, for example, their banking website, their stock investing website, their 401K, their medical websites, Amazon to order something, Instagram, Facebook, TikTok, etc. And during all that time, the ransomware program, or Trojan Horse program or script, is collecting all of those passwords. It is the same thing with customers. If you have a website where customers log in, they are collecting those too; knowing that your customers are likely to use those passwords in other places.
Then the cyber criminals contact the employees and customers and tell them what they have, and say, “If you do not pay us, we will release your passwords to hackers!” They tell the employees and customers the only reason they are extorting them is because the original victim company is not paying. This causes reputational and trust issues.
While the cyber criminals are in your systems, they are also reading emails and learning about the business relationships you have with other vendors and trusted partners. And then they send spear phishing emails to them asking them to open malicious documents or to run Trojan Horse programs. The new victims are getting an email from the original victim, who they trust and have an ongoing relationship with. They do not understand why the person they trust is suddenly asking them to open some new document or file, but many do without further hesitation. Boom! They are now ransomware victims, too.
Ransomware attackers also publicly advertise who they have broken into to get maximum pressure on the victim organization to settle quickly. If you were hoping that maybe the ransomware attack did not leak to the media, good luck! They often function as their own malicious public relations firm and send evidence of your compromise to the media. They often post samples of your files just to prove they not only have access, but have your data.
If you are still arguing about paying, the cyber criminals will do whatever they can to get you to pay. One tactic that is becoming more common is that they conduct massive distributed-denial-of-service (DDoS) attacks if you waver early on. So, maybe they only took down your corporate network and maybe your public facing web servers are hosted somewhere else. They will take them down, to try to cause as much pain and suffering as it is takes to get paid.
This is what most ransomware does today:
- Encrypt your data
- Exfiltrate your emails, data, confidential information, IP and will post it publicly or give it to your competitors if you do not pay
- Steal company, employee and customer login credentials
- Extort your employees and customers
- Send spear phishing attacks to your business partners from your own computers using real email addresses and email subject lines your partners trust
- Conduct DDoS attacks against any services you still have up and running
- Publicly embarrass your company
That's actually a septuple of problems. If you are lucky, you only get a quintuple of problems. So, when I see double extortion used as a term to describe today’s ransomware, I think, “I wish that was all!”
I started to cover this for the first time in January of 2020 in my webinar called Nuclear Ransomware and in an article I wrote for this blog here.
You need to make sure that the people in your organization who are in charge of defenses understand what today’s ransomware does. It is not just a data encryption problem or only a data exfiltration problem. It is four to seven additional problems that a good backup does not solve. Your primary defense needs to be prevention – which means fighting social engineering and good patching to defeat the majority of the risk.