Double Trouble – the Threat of Double Extortion Ransomware and How Your Organization Can Protect Itself

By the time you have finished reading this sentence, an organization somewhere in the world will have fallen victim to a ransomware attack and had at least some of its corporate data encrypted.  On average, the criminals behind ransomware attacks hit a new organization every 10 seconds during 2020. Less than five years ago, the cadence of attacks was around one every 40 seconds – showing just how the cyber-crime economy relies on ransomware as a revenue generator.

According to Cybersecurity Ventures, ransomware is estimated to have cost businesses worldwide around $20 billion in 2020, a figure that’s nearly 75% higher than in 2019. And as if that wasn’t bad enough, criminals have added a new tactic to the familiar ransomware playbook which puts added pressure on victims to meet their demands.

This new approach is known as ‘double extortion,’ and involves two key stages. First, the ransomware gang stealthily infiltrates the target’s network and steals volumes of sensitive data; then, having taken the data, they deploy ransomware to encrypt files. The attackers then threaten to release the breached data publicly unless the ransom is paid within the designated timeframe – and usually publish a sample of the stolen data on the public Internet to prove their intentions. This puts additional pressure on victims to meet the attackers’ demands, as well as exposing the victim to penalties from data watchdogs for the data breach, and the need to alert affected customers, partners and consumers whose data was breached.

In these instances, it really can feel like a lose-lose situation for companies that have been targeted. Perhaps that’s why so many victims are still willing to pay the criminals, even against strong recommendations from the likes of the FBI.  A survey of more than 600 business leaders found that 7 in 10 had, at some point, paid a ransom to regain control of their data. This willingness to pay inevitably fuels further ransomware attacks, and the ‘double extortion’ method simply ratchets the pressure on victims to the next level.

Extortion escalates

Over the past 12 months, double extortion attacks have become increasingly common as the ‘business model’ has proven effective. The data center giant Equinix was hit by the Netwalker ransomware. The threat actor behind that attack was also responsible for the attack against K-Electric, the largest power supplier in Pakistan, demanding $4.5 million in Bitcoin for decryption keys and to stop the release of stolen data. Other companies known to have suffered such attacks include the French system and software consultancy Sopra Steria; the Japanese game developer Capcom; the Italian liquor company Campari Group; the US military missile contractor Westech; the global aerospace and electronics engineering group ST Engineering; travel management giant CWT, who paid $4.5M in Bitcoin to the Ragnar Locker ransomware operators; business services giant Conduent; even soccer club Manchester United.

Research shows that in Q3 2020, nearly half of all ransomware cases included the threat of releasing stolen data, and the average ransom payment was $233,817 – up 30% compared to Q2 2020.  And that’s just the average ransom paid.  In a recent attack, the victim paid a remarkable $34 million.  And of course, even when ransom demands are met, there is still no guarantee that the attackers will honor their promise to release the files, and keep stolen data out of the public domain.   This is one of the main reasons why at Check Point, we don’t recommend paying ransoms, either from company funds or via cyber-insurance policies.  This merely feeds the criminal economy and encourages criminals to attack again.

How to avoid being held to ransom

So how should organizations defend themselves against both conventional ransomware and double-extortion attacks?  It’s important to note that in many cases, ransomware is not delivered directly to networks, but is preceded by an initial trojan infection planted by the ransomware gang – especially the Trickbot trojan.  IT teams should be vigilant for any signs of a trojan on their networks, and in preventing these pre-infections, regularly updated anti-virus software plays a key role.  We recommend running a full compromise assessment any time there are signs of intrusion.

The other main infection vector is ransomware delivered over RDP (Remote Desktop Protocol). Threat actors identify exposed RDP servers and either perform a brute-force login attack or use phished credentials to gain access. Once on the server, the attacker obtains elevated privileges and moves laterally to plant ransomware on network endpoints. To protect against this vector, organizations should patch relevant RDP vulnerabilities and protect their RDP servers with strong passwords and two-factor authentication.
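The brute-force stage of the RDP vector leaves a trail in the target’s own logon events, so a defender can spot it before ransomware is ever staged. The following is an added example, not code from the original post or from Check Point: it runs a small detector over constructed Windows-style logon records (timestamp, event ID, logon type, account, source IP), where 4625 is a failed logon, 4624 a successful one, and logon type 10 marks an RDP session. The record format, the five-failures-in-five-minutes threshold and the sample addresses are assumptions chosen for the illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records in the shape "timestamp,event_id,logon_type,account,source_ip".
# In Windows Security logs, 4625 is a failed logon, 4624 a successful logon, and
# logon type 10 (RemoteInteractive) is what an RDP session produces.
SAMPLE_LOG = """\
2021-02-10T09:00:01Z,4625,10,administrator,203.0.113.5
2021-02-10T09:00:03Z,4625,10,administrator,203.0.113.5
2021-02-10T09:00:05Z,4625,10,admin,203.0.113.5
2021-02-10T09:00:07Z,4625,10,admin,203.0.113.5
2021-02-10T09:00:09Z,4625,10,backup,203.0.113.5
2021-02-10T09:00:11Z,4625,10,backup,203.0.113.5
2021-02-10T09:00:20Z,4624,10,backup,203.0.113.5
2021-02-10T09:01:00Z,4625,10,jsmith,198.51.100.7
2021-02-10T09:01:30Z,4625,10,jsmith,198.51.100.7
2021-02-10T09:01:45Z,4624,10,jsmith,198.51.100.7
2021-02-10T09:02:00Z,4625,3,svc,203.0.113.9
2021-02-10T09:02:01Z,4625,3,svc,203.0.113.9
"""

RDP_LOGON_TYPE = 10
FAILED_LOGON, SUCCESSFUL_LOGON = 4625, 4624


def parse_line(line):
    """Split one constructed record into typed fields."""
    ts, event_id, logon_type, account, src = line.strip().split(",")
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "event_id": int(event_id),
        "logon_type": int(logon_type),
        "account": account,
        "src": src,
    }


def detect_rdp_bruteforce(lines, threshold=5, window=timedelta(minutes=5)):
    """Return alerts for sources with >= threshold failed RDP logons inside `window`,
    plus a second alert if such a source then logs on successfully (a guessed or
    phished credential is the likely explanation)."""
    failures = defaultdict(deque)  # source_ip -> timestamps of recent failed RDP logons
    alerts = []
    for rec in (parse_line(l) for l in lines if l.strip()):
        if rec["logon_type"] != RDP_LOGON_TYPE:
            continue  # only RDP sessions are in scope here
        recent = failures[rec["src"]]
        while recent and rec["ts"] - recent[0] > window:
            recent.popleft()  # age out failures older than the window
        if rec["event_id"] == FAILED_LOGON:
            recent.append(rec["ts"])
            if len(recent) == threshold:  # alert once, when the threshold is first crossed
                alerts.append(("rdp_bruteforce", rec["src"], rec["account"]))
        elif rec["event_id"] == SUCCESSFUL_LOGON and len(recent) >= threshold:
            alerts.append(("rdp_success_after_bruteforce", rec["src"], rec["account"]))
            recent.clear()  # the burst has been reported; start counting afresh
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(SAMPLE_LOG.splitlines()):
        print(*alert)
```

On the sample data the detector raises one alert when 203.0.113.5 reaches five failures and a second, higher-priority alert when the same source then succeeds; the two failures from 198.51.100.7 and the non-RDP failures (logon type 3) are ignored. The second alert type is the one worth paging on, since it is the point at which the RDP hardening described above (patching, strong passwords, two-factor authentication) has already been bypassed.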

In addition to the measures outlined above, organizations should deploy dedicated anti-ransomware solutions that constantly monitor for ransomware-specific behaviors and identify illegitimate file encryption, so that an infection can be stopped and quarantined before it takes hold, and affected files automatically restored to their original state. With these protections in place, organizations will be better able to avoid falling victim to double extortion attempts.
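The behavioral signal such tools rely on is simple to state: a single process suddenly rewriting many files as high-entropy blobs, often under a new extension. The following is an added example and not Check Point’s product logic or code from the original post. It scores each file write by Shannon entropy, excuses formats that are legitimately high-entropy (ZIP, PDF, PNG, JPEG, gzip, recognized by their headers), and alerts once a process produces a burst of suspicious writes inside a short window. The event shape, the thresholds, the process names and the ‘.locked’-style suffix list are all constructed for the illustration.

```python
import hashlib
import math
from collections import defaultdict, deque

HIGH_ENTROPY_BITS = 7.0   # bits/byte; documents and source code sit well below, ciphertext near 8
WRITE_THRESHOLD = 5       # suspicious writes per process inside WINDOW_SECONDS before alerting
WINDOW_SECONDS = 60
# Headers of formats that are legitimately high-entropy (compressed/encoded), so they are not flagged.
KNOWN_MAGIC = (b"PK\x03\x04", b"%PDF", b"\x89PNG", b"\xff\xd8\xff", b"\x1f\x8b")
# Constructed placeholder suffixes for the illustration; real families use their own.
SUSPICIOUS_SUFFIXES = (".locked", ".encrypted", ".crypt")


def shannon_entropy(data):
    """Bits of entropy per byte of `data` (0.0 for empty or constant input, 8.0 for uniform)."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def looks_encrypted(data):
    """High entropy that is not explained by a known compressed/encoded container."""
    return shannon_entropy(data) > HIGH_ENTROPY_BITS and not data.startswith(KNOWN_MAGIC)


def detect_mass_encryption(events, threshold=WRITE_THRESHOLD, window=WINDOW_SECONDS):
    """Scan (ts_seconds, process, path, content) write events and alert once per process
    that produces `threshold` suspicious writes within `window` seconds."""
    recent = defaultdict(deque)   # process -> timestamps of recent suspicious writes
    alerts, alerted = [], set()
    for ts, proc, path, content in events:
        suspicious = looks_encrypted(content) or path.lower().endswith(SUSPICIOUS_SUFFIXES)
        if not suspicious:
            continue
        q = recent[proc]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()  # age out writes older than the window
        if len(q) >= threshold and proc not in alerted:
            alerted.add(proc)
            alerts.append({"process": proc, "writes": len(q), "last_path": path})
    return alerts


def pseudo_random_bytes(seed, length=4096):
    """Deterministic high-entropy bytes standing in for ciphertext (constructed test data)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(f"{seed}:{counter}".encode()).digest()
        counter += 1
    return out[:length]


def sample_events():
    """Constructed write events: one editor save, one archive, then a burst from a
    hypothetical process that rewrites documents as high-entropy '.locked' files."""
    text = b"Quarterly report: revenue grew in line with the forecast. " * 70
    events = [
        (10, "winword.exe", r"C:\Users\a\Documents\report.docx", text),
        (50, "7z.exe", r"C:\Users\a\Documents\archive.zip", b"PK\x03\x04" + pseudo_random_bytes("zip")),
    ]
    for i in range(8):
        events.append((100 + i, "hypothetical_ransom.exe",
                       rf"C:\Users\a\Documents\report{i}.docx.locked", pseudo_random_bytes(f"enc{i}")))
    return events


if __name__ == "__main__":
    for alert in detect_mass_encryption(sample_events()):
        print(alert)
```

The editor save is low-entropy text and the archive is high-entropy but carries a ZIP header, so neither counts; the hypothetical process trips the alert on its fifth rewrite. Firing at a per-process burst rather than on a single file is what keeps this kind of rule quiet on backup and compression tools while still catching encryption early enough that only a handful of files need restoring, which is the prevent-and-restore behavior the paragraph above describes.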

Find out more about the risks of double-extortion ransomware and the latest evolutions in cyber-attacks in Check Point’s new 2021 Security Report.