Fool Me Thrice? How to Avoid Double and Triple Ransomware Extortion
The danger of being hit by a ransomware attack is scary enough, but in many cases, criminals can still extort your business after the ransom has been paid and things have seemingly returned to normal. Double and even triple extortions are becoming increasingly common, with ransomware gangs now demanding additional payments to keep the private information captured in their attacks from being leaked. These added threats are driving up the collective cost of ransomware, which is forecast to reach $265 billion by 2031, according to some sources.
In traditional ransomware attacks, the attackers hijack and encrypt valuable data to force organizations to pay a ransom in exchange for the safe restoration of data and network functionality. CISOs have responded by adopting stronger cyber protections, such as creating secure offsite backups and segmenting their networks, and attackers have quickly evolved to subvert these methods.
The cat-and-mouse game that is ransomware took an ugly turn over the past year or so as attackers realized the value that organizations put on not releasing their sensitive information publicly: The brand and reputation hit can sometimes be just as damaging as being locked out of files and systems. Capitalizing on this unfortunate reality, attackers began adding the threat of leaking sensitive data as a follow-up to successful or even unsuccessful ransomware attacks when organizations were able use backups to restore their systems.
With double extortion being so successful, attackers figured: Why stop there? In cases of triple extortion, attackers threaten to release data about downstream partners and customers to extract additional ransom payments, potentially putting the initial organization at risk of lawsuits or fines.
Some bad actors have even created a search function that allows victims to find leaked data about partners and clients as proof of the data‘s damaging value. A ransomware operation known as ALPHV/BlackCat may have started this trend in June, when cybercriminals posted a searchable database containing the data of nonpaying victims. The BlackCat gang went as far as to index the data repositories and give tips on how to best search for information, as if it was providing customer service. These kinds of leaks not only raise ransom costs for victims, but they send a clear message to those who think they are clever enough to avoid paying the ransom.
For CISOs who want to become more proactive in safeguarding their organizations against such extortion events, the first step is monitoring for breaches within their supply chains and corporate relationships, while tracking relevant data that is sold on the Dark Web or released in breach dumps.
Regular backup practices provide a strong initial defense against a standard ransomware attack, but backups alone are no longer enough. Because criminals have recognized that backups are a standard option to avoid payment, they will seek to corrupt the backups, in addition to threatening future leaks. This growing problem has created a need for offline backups and out-of-band incident communications: Any system connected during an incident — such as email — should no longer be trusted.
The trouble with double or triple extortion attempts is that even if the initial pay-for-decryption ploy is unsuccessful (because an organization was able to use backups), the attackers may still gain access to sensitive data and threaten to leak it. These attacks highlight the need to prioritize the protection of the most critical data.
The only true defense against double and triple extortion is ensuring that attackers don‘t get access to the most–sensitive information.
The top priority should be to categorize critical data so that when malicious actors do get past the first lines of defense, they can‘t steal the most valuable items in the vault. This oversight process involves restricting who has access to data and what tools directly interact with it. The fewer access points, the easier it is to secure the data.
Some other best practices include:
If you still experience a breach, make sure you limit attackers‘ chances of accessing private data by:
- Vigilantly changing used passwords that may be associated with compromised systems.
- Verifying that breach information comes from a legitimate source, as compromised emails may seem official when they are, in fact, fraudulent.
- Ensuring recovery efforts go beyond “wipe and reimage“ to include thorough checks that find residual signs of compromise.
- Identifying the initial access points that were breached to avoid reintroducing the attack vector during recovery efforts.
The crippling effects of a ransomware attack can be devastating for any business. But now the stakes are much higher due to the expanded attack surface that threatens a company‘s extended ecosystem of partners, customers, and investors. As a result, all organizations need to develop a game plan to defend their data and protect themselves not only from the initial ransomware attacks, but from double and triple ransomware ploys as well.
Copyright © 2023 Informa PLC Informa UK Limited is a company registered in England and Wales with company number 1072954 whose registered office is 5 Howick Place, London, SW1P 1WG.