A ransomware gang with a new variant is trailblazing us towards the future of ransomware by making threats that go well beyond the simple ransom transactions of yesterday.
First we had plain old ransomware – hold your data hostage and ask for a ransom. Then came double extortion, where data was exfiltrated and a threat was made to publish it if the ransom wasn’t paid. Then REvil and others began to offer an additional service where customers, partners, and the press were called if the ransom wasn’t paid. Then came DDoS attacks (to keep a victim from being able to communicate about their response to the attack) as a fourth mode of extortion.
And now, according to security researchers at Symantec Threat Hunter Team, a new ransomware variant – dubbed Yanluowang – includes an additional threat. Once infected, victims are instructed not to contact law enforcement or ransomware negotiation firms. If the attackers’ rules are not followed, Yanluowang says they will not only start distributed denial of service (DDoS) attacks against the victim organization, as well as make “calls to employees and business partners,” but also add on a fifth form of extortion – threatening to repeat the attack in a few weeks and simply delete all the victim’s data.
I fear this is only going to get worse; threat actors merely need to figure out additional ways to put pressure on organizations once ransomware has infiltrated a network, turning this fivefold extortion game into something so unbearable that organizations will have no choice but to pay the ransom.
The silver lining here is that no ransomware of late has figured out a way to deploy itself beyond the big three initial attack vectors: vulnerabilities, remote desktop access, and phishing. Security Awareness Training takes care of phishing by recruiting users to play a role in the organization’s security through constant vigilance when interacting with email and the web. Vulnerabilities require patching at a minimum, and vulnerability management for more mature organizations. And remote desktop services – c’mon, you know those should just be turned off and traded in for a SASE solution.
Ransomware *is* going to continue to get worse. Prepare accordingly.