Impacts of Double Extortion Ransomware Attack on Enterprises and Mitigation
Ransomware attacks have been around for a while, and security experts have fought them substantially, providing methods to reduce their prevalence against individuals and enterprises. However, the techniques of malicious actors are evolving at the same pace, so the damage continues.
In 2019, the world saw a new method of ransomware attack: double extortion. The attack, by the Maze group, targeted Allied Universal, a security company. 10% of the data stolen from the company was later made public as a warning from the threat actors for noncompliance. The Maze group also demanded $3.5 million as ransom, or they would leak the remaining 90% of the data.
2020 also saw malicious groups such as REvil, Ragnar Locker, and LockBit join Maze in successful and devastating exploitation of enterprises. Already, more than 1,200 enterprises have fallen victim to this tactic, which cost about $20 billion in 2021 and is projected to cost $265 billion by 2031. One of the companies was Cognizant, a large IT service provider; the company lost about $70 million to the attack, one of the most damaging in history.
What Is a Double Extortion Ransomware Attack?
In a double extortion ransomware attack, malicious actors gain unauthorized access to a network to exfiltrate and then encrypt data in the hope of a ransom payment. Unlike a plain ransomware attack, this method reduces the protection that backed-up data provides, because the attackers now leverage the exfiltrated data to pressure the victim. They can go as far as publishing the data or selling it to a competitor should the victim refuse to comply.
Double extortion brings unforgiving results when successfully executed. Victims either pay and lose funds to the threat actors, or refuse and face public exposure of their data and damage to their reputation.
In 2022, this attack method is still on the rise. According to the Zscaler ThreatLabz report, the healthcare sector saw a 650% increase in double extortion attacks, and the food service sector a 450% increase. Other sectors are also vulnerable, and the toll keeps rising with the involvement of ransomware-as-a-service (RaaS) operations.
How Does a Double Extortion Ransomware Attack Work?
A double extortion ransomware attack starts as a passive attack that turns into a devastating active attack such as data encryption and DDoS. The sequence begins with the attacker gaining access to the company's systems through any of several attack vectors.
The attack vectors can be social engineering or technical, including phishing, brute force against Remote Desktop servers, malware, exploitation of vulnerabilities, and so on.
After gaining access, the actor conducts reconnaissance and lateral movement. At this stage it is still a passive attack: the actor masquerades as a legitimate user to escape detection while gathering valuable information for the active phase.
Once the malicious actor has gathered valuable data, they exfiltrate it and then deploy the malicious code that encrypts the data.
Impact of Double Extortion Ransomware Attacks on Enterprises
Group-IB, in its report Hi-Tech Crime Trends 2021/2022, stated that double extortion ransomware attacks brought about a 935% increase in damages. The impact on affected companies can be huge, depending on their size. Moreover, the recovery time for these enterprises depends on how quickly they respond and on the depth of the attack.
Enterprises risk reputational damage because of data leaks and DDoS. Travelex, a travel agency, saw its reputation go down the drain in the REvil attack on New Year's Eve 2019.
After disrupting its services, which left customers stranded, REvil also threatened to publish exfiltrated data if the company refused to pay the ransom. The double extortion here was devastating because even if Travelex complied to restore services and prevent the data leak, the breach of confidentiality and the DDoS had already damaged its reputation.
Loss of Funds
Enterprises depend on backed-up data to avoid losing large sums to ransomware events. Nevertheless, in the case of double extortion, the chances that this alone is still effective are low.
Attackers now leverage exfiltrated data: hacked companies are required to pay a ransom worth millions of dollars or have their sensitive information leaked into the public domain. With their valuable data exposed to the public, firms can also incur heavy compliance fines, as Equifax did in 2017.
Moreover, enterprises that do not yield to the demands risk losing stock value when their shares are short-sold. According to the FBI Cyber Division's Private Industry Notification, this method was introduced in 2020 by a REvil ransomware member on a hacking forum, and attackers are relentlessly using it to facilitate extortion. Hence, organizations are bound to lose huge sums once they experience this form of attack.
Vulnerability of Third-Party Associates
Since attackers have complete access to an enterprise network, they can extend their reach to partner and customer data. With this, threat actors can exfiltrate that data and demand ransom from the partners or customers themselves.
An example was the Vastaamo case, in which patients whose data was accessed were told to pay a ransom. Another was the event in which REvil demanded that Apple Inc. pay a $50 million ransom; it was difficult for Apple because its valuable information held by Quanta Computer Inc. had been compromised.
Prevalence of Double Extortion Ransomware Attacks
Use of the double extortion method has tripled because of how successful it has been. The Titaniam ransomware research report records about a 106% spike in data exfiltration and a 60% success rate for attackers in 2022. The odds are tilting in favor of malicious actors, and no enterprise is safe from being hacked, or hacked again.
Loss of Valuable Staff
The harmful effects of such an incident can cause an enterprise to lose much of its valuable staff. According to the 2022 Cybereason ransomware report, 40% of enterprises lost staff who were sacked or resigned after an attack.
Some enterprises, small and large, lose employees because they cannot afford wages after a significant loss of funds. In some scenarios, the loss is high because the attackers demanded a double ransom.
In other cases, it happens because their stock price sinks on exchanges such as NASDAQ after sensitive information is exposed.
Mitigating Double Extortion Ransomware Attacks
With double extortion ransomware attacks on the rise, you do not have to wait until after an attack to take action. Being proactive is the best way to combat this threat. While it may not eliminate the chance of infiltration, it minimizes it, and it also minimizes the loss in case of a breach.
Apply a Zero Trust Policy
Enterprises let individuals gain privileged access to their network, even to its most sensitive areas. When this happens, they put their architecture in a vulnerable spot for a ransomware attack.
Enterprises must practice a zero trust policy by restricting access to their network. They must treat every element in the network, including insiders, as a probable threat, and authentication must be mandatory before access is granted.
Another recommendation is to segment the network so that each grant of access covers only the segment it needs. This practice limits the spread of malware.
The pressure point for malicious actors who use this chain of attacks is that they have exfiltrated your data and can publish it if you refuse to pay the ransom. However, enterprises can stay one step ahead by encrypting their data from the start.
By encrypting your data, you deny the malicious actor access to it and reduce their bargaining power. The threat actor can no longer threaten you with data leaks; the worst they can do is double-encrypt your data.
Double extortion has made offline backup look like a less effective mitigation. Nonetheless, offline backup can still save your company from damage if you also practice data encryption: even when the attackers double-encrypt your data, you can fall back to the offline backup.
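The combination the two paragraphs above describe, encryption at rest plus a verified offline backup, is shown below as an added example written for this article; it is not code from the author or from any product named here. It assumes the data key is held in a separate key store (an HSM or KMS, represented by a variable in the demo) rather than next to the data, because a key copied along with the files would restore the attacker's leverage. The customer record and the "second encryption" step are constructed for the demo.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
)

// EncryptRecord seals plaintext with AES-256-GCM under a 32-byte key.
// Output layout: 12-byte random nonce || ciphertext || 16-byte GCM tag.
// Assumption: the key lives in a separate key store, never on the volume
// that holds the data, so a copied file is useless on its own.
func EncryptRecord(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// DecryptRecord reverses EncryptRecord. GCM authenticates the ciphertext,
// so a wrong key or any modified byte yields an error, not garbage.
func DecryptRecord(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob shorter than nonce")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// Fingerprint is the SHA-256 hex digest written to the offline backup
// manifest when the copy is taken.
func Fingerprint(blob []byte) string {
	sum := sha256.Sum256(blob)
	return hex.EncodeToString(sum[:])
}

// RestoreFromBackup hands back the offline copy only if it still matches
// the manifest digest, so a backup that was itself altered is rejected.
func RestoreFromBackup(backup []byte, manifestDigest string) ([]byte, error) {
	if Fingerprint(backup) != manifestDigest {
		return nil, errors.New("backup does not match manifest digest")
	}
	return backup, nil
}

// simulateSecondEncryption stands in for the attacker's own encryption
// layer: the live file becomes bytes the defender cannot read. Constructed
// for this demo; it is not any real malware's code.
func simulateSecondEncryption(blob []byte) []byte {
	junk := make([]byte, len(blob))
	_, _ = io.ReadFull(rand.Reader, junk)
	return junk
}

func main() {
	key := make([]byte, 32) // stands in for a key fetched from the KMS
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	record := []byte("customer=ACME-0042;card_last4=1234;contract_value=1800000") // constructed
	live, err := EncryptRecord(key, record)
	if err != nil {
		panic(err)
	}
	manifest := Fingerprint(live)
	offline := append([]byte(nil), live...) // the offline backup copy

	// 1. Exfiltrated copy: without the key the attacker learns nothing.
	if _, err := DecryptRecord(make([]byte, 32), live); err != nil {
		fmt.Println("exfiltrated copy unreadable without the key:", err)
	}
	// 2. The attacker's second encryption layer destroys the live copy.
	live = simulateSecondEncryption(live)
	if _, err := DecryptRecord(key, live); err != nil {
		fmt.Println("live copy no longer decrypts:", err)
	}
	// 3. Fall back to the verified offline backup and the enterprise's own key.
	restored, err := RestoreFromBackup(offline, manifest)
	if err != nil {
		panic(err)
	}
	plain, err := DecryptRecord(key, restored)
	if err != nil {
		panic(err)
	}
	fmt.Printf("restored record: %s\n", plain)
}
```

The manifest digest matters as much as the encryption: a backup that an intruder could silently modify is not a fallback, so the digest should be stored with the offline media, not on the network the backup protects.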
The emergence of COVID-19 saw the rate of remote work skyrocket. More employees can now reach sensitive networks through an external router. While this makes life easier for workers, it creates more vulnerabilities for their employers.
Attackers leverage the ignorance of some employees for their exploits. Employees can be an unintentional threat, but this can be averted through awareness training. The recommendation is for enterprises to intensify internal awareness of ransomware attacks and their implications.
Evaluate Your Network and Patch Vulnerabilities
Enterprises assess loopholes in their network in two ways, depending on the size of their infrastructure: they can conduct a vulnerability assessment, or commission an attack simulation by a penetration tester. With this, they can spot any security gap or misconfiguration that would make an attack easy.
It is also critical to patch all vulnerabilities quickly and apply the necessary security updates, or all the effort is futile, as in the case of Travelex. Before the REvil attack, Kevin Beaumont, a security researcher, stated that vulnerabilities had been found in some organizations' networks since August 2019. However, Travelex was reluctant to patch them, hence its downfall.
Monitoring Data Logs
Enterprises can observe packet activity in their network with tools that alert them when something unusual occurs. By monitoring the data logs, you can spot a malware attack immediately and cut it off before it escalates.
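Because the exfiltration step has to move a large volume of data out of the network before the encryption step, one concrete "something unusual" is a host whose egress to external addresses far exceeds its usual daily volume. The following is an added example written for this article, not a tool the author or any vendor ships: it parses a constructed firewall export in key=value form (the format and field names are assumed), sums bytes sent to non-private destinations per host, and flags hosts that exceed a multiple of an assumed learned baseline. The sample log lines and baseline figures are constructed.

```go
package main

import (
	"fmt"
	"net"
	"sort"
	"strconv"
	"strings"
)

// Flow is one connection record parsed from a firewall/proxy export.
type Flow struct {
	Src, Dst string
	BytesOut int64
}

// Constructed sample export. One host pushes over a gigabyte to a single
// external address at 02:00; an internal file-share transfer (dst 10.0.9.3)
// is included to show that it is not counted as egress.
var sampleLog = []string{
	"2022-05-03T02:14:07Z src=10.0.5.21 dst=203.0.113.45 dport=443 bytes_out=734003200",
	"2022-05-03T02:31:52Z src=10.0.5.21 dst=203.0.113.45 dport=443 bytes_out=512000000",
	"2022-05-03T09:02:11Z src=10.0.5.22 dst=198.51.100.7 dport=443 bytes_out=2400000",
	"2022-05-03T09:05:40Z src=10.0.5.22 dst=10.0.9.3 dport=445 bytes_out=90000000",
	"2022-05-03T10:15:00Z src=10.0.5.23 dst=198.51.100.7 dport=443 bytes_out=150000000",
}

// dailyBaseline is the assumed typical external egress per host in bytes,
// learned from earlier days; hosts absent here have no history yet.
var dailyBaseline = map[string]int64{"10.0.5.21": 40000000, "10.0.5.22": 30000000}

// ParseLine extracts src, dst and bytes_out from one key=value line.
func ParseLine(line string) (Flow, error) {
	var f Flow
	for _, field := range strings.Fields(line) {
		k, v, ok := strings.Cut(field, "=")
		if !ok {
			continue
		}
		switch k {
		case "src":
			f.Src = v
		case "dst":
			f.Dst = v
		case "bytes_out":
			n, err := strconv.ParseInt(v, 10, 64)
			if err != nil {
				return Flow{}, fmt.Errorf("bad bytes_out %q: %w", v, err)
			}
			f.BytesOut = n
		}
	}
	if f.Src == "" || f.Dst == "" {
		return Flow{}, fmt.Errorf("missing src/dst in %q", line)
	}
	return f, nil
}

// OutboundTotals sums bytes each host sent to destinations outside private
// and loopback ranges, i.e. traffic that actually left the network.
func OutboundTotals(lines []string) (map[string]int64, error) {
	totals := map[string]int64{}
	for _, l := range lines {
		f, err := ParseLine(l)
		if err != nil {
			return nil, err
		}
		if ip := net.ParseIP(f.Dst); ip != nil && !ip.IsPrivate() && !ip.IsLoopback() {
			totals[f.Src] += f.BytesOut
		}
	}
	return totals, nil
}

// FlagExfiltration returns, sorted, the hosts whose egress exceeds factor
// times their baseline. minBytes is the floor for every host and the only
// limit for hosts with no baseline, so a brand-new host cannot hide.
func FlagExfiltration(totals, baseline map[string]int64, factor float64, minBytes int64) []string {
	var flagged []string
	for host, sent := range totals {
		limit := minBytes
		if b, ok := baseline[host]; ok && int64(float64(b)*factor) > limit {
			limit = int64(float64(b) * factor)
		}
		if sent > limit {
			flagged = append(flagged, host)
		}
	}
	sort.Strings(flagged)
	return flagged
}

func main() {
	totals, err := OutboundTotals(sampleLog)
	if err != nil {
		panic(err)
	}
	for _, host := range FlagExfiltration(totals, dailyBaseline, 5, 100000000) {
		fmt.Printf("ALERT possible exfiltration: %s sent %d bytes externally\n", host, totals[host])
	}
}
```

On the constructed input, 10.0.5.21 is flagged because 1.2 GB is far above five times its 40 MB baseline, 10.0.5.23 is flagged because it has no baseline and crossed the 100 MB floor, and 10.0.5.22 is not, since its 90 MB transfer went to an internal file share. The factor and floor are policy knobs; a real deployment would feed them from per-host history rather than the constants used here.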
While enterprises and cybersecurity professionals are doing their best to secure their infrastructure, ransomware attackers are doubling their efforts to make the job tedious.
Besides double extortion, other tactics used by ransomware attackers include triple and quadruple extortion. Cybersecurity experts have to keep updating their knowledge and skills to combat this issue.
Enterprises should also be more intentional and dedicated about their security infrastructure. They must embrace recent security trends and implement them in their organization.
By Nduka John | @ndukajohn