When ransomware throws in the element of extortion and betrayal, organizations had better start beefing up their defenses and crisis management mindset.
By the time you have finished reading this sentence, an organization somewhere in the world will have fallen victim to a ransomware attack and had at least some of its corporate data encrypted.
It is estimated that ransomware cost businesses worldwide around US$20bn in 2020, a figure that is nearly 75% higher than in 2019. And as if that was not bad enough, criminals have added a new tactic to the familiar ransomware playbook, putting added pressure on victims to meet their demands.
This new approach is known as ‘double extortion,’ and involves two key stages. First, the ransomware gang steals volumes of sensitive data; then, having taken the data, they deploy ransomware to encrypt the files. The attackers then threaten to release the stolen data publicly unless the ransom is paid within the designated timeframe.
These cyberthugs also usually publish a sample of the stolen data on the public Internet to prove their intentions. This puts additional pressure on victims to meet the attackers’ demands, and exposes the victim to penalties from data watchdogs for the data breach, and to the responsibilities of alerting affected customers, partners and consumers.
What you need to know
In these instances, it really can feel like a lose-lose situation for companies that have been targeted. Perhaps that is why so many victims are willing to pay the criminals, even against strong recommendations from the likes of the FBI.
So how should organizations defend themselves against both conventional ransomware and double-extortion attacks? What other measures are recommended in case they have been attacked?
- It is important to note that in many cases, ransomware is not delivered directly to networks, but is preceded by an initial trojan infection planted by the ransomware gang, especially the Trickbot trojan. IT teams should be vigilant for any signs of a trojan on their networks, and in preventing these pre-infections, regularly updated anti-virus software plays a key role. We recommend running a full compromise assessment any time there are signs of intrusion.
- The other main infection vector is RDP (Remote Desktop Protocol). Threat actors identify Internet-exposed RDP servers and either perform a brute-force login attack or use phished credentials to gain access. Once on the server, the attacker obtains elevated privileges and moves laterally to plant ransomware on network endpoints. To protect against this vector, organizations should patch relevant RDP vulnerabilities and protect their RDP servers with strong passwords and two-factor authentication.
- Organizations should deploy dedicated anti-ransomware solutions that constantly monitor for ransomware-specific software activities and identify illegitimate file encryption, so that an infection can be prevented and quarantined.
- Double extortion ransomware is on the rise: in Q3 2020, some research indicates nearly half of all ransomware cases involved this double trouble. The average ransom payment was US$233,817—up 30% compared to Q2 2020. And that is just the average ransom paid. In a recent attack, the victim paid US$34m. The double extortion ‘business model’ has clearly proven effective and will therefore proliferate.
- Even when ransom demands are met, there is still no guarantee that the attackers will honor their promise to release the files or keep stolen data out of the public domain. This is one of the main reasons why at Check Point, we do not recommend paying ransom, either from company funds or via cyber-insurance policies. This merely feeds the criminal economy and encourages criminals to attack again.
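The brute-force login attempts against RDP servers described above leave a trace that defenders can watch for. The following Python, an added example that is not part of the original post or a Check Point product, flags a source address that produces a burst of failed RDP logons: Windows Security event 4625 (failed logon) with logon type 10 (RemoteInteractive, i.e. RDP). The log lines are constructed and simplified; the threshold and window are assumptions to tune per environment.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed, simplified records modelled on Windows Security events.
# 4625 = failed logon, 4624 = successful logon; logon type 10 = RDP.
# Fields: timestamp | event id | logon type | account | source address
SAMPLE_LOG = """\
2021-01-10T08:00:01 4625 10 administrator 203.0.113.7
2021-01-10T08:00:03 4625 10 admin 203.0.113.7
2021-01-10T08:00:04 4625 10 backup 203.0.113.7
2021-01-10T08:00:06 4625 10 administrator 203.0.113.7
2021-01-10T08:00:07 4625 10 svc_sql 203.0.113.7
2021-01-10T08:00:09 4624 10 jdoe 198.51.100.4
2021-01-10T08:05:00 4625 10 jdoe 198.51.100.4
2021-01-10T09:30:00 4625 10 jdoe 198.51.100.4
"""


def parse_line(line):
    """Split one constructed log record into its fields."""
    ts, event_id, logon_type, account, src = line.split()
    return {
        "time": datetime.fromisoformat(ts),
        "event_id": int(event_id),
        "logon_type": int(logon_type),
        "account": account,
        "src": src,
    }


def detect_rdp_bruteforce(log_text, threshold=5, window=timedelta(minutes=1)):
    """Return {source: set(accounts tried)} for every source that produced at
    least `threshold` failed RDP logons inside a sliding time window."""
    recent = defaultdict(deque)  # src -> (time, account) pairs inside window
    flagged = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec["event_id"] != 4625 or rec["logon_type"] != 10:
            continue  # only failed RDP logons matter here
        q = recent[rec["src"]]
        q.append((rec["time"], rec["account"]))
        while q and rec["time"] - q[0][0] > window:
            q.popleft()  # age out attempts older than the window
        if len(q) >= threshold:
            flagged.setdefault(rec["src"], set()).update(a for _, a in q)
    return flagged


if __name__ == "__main__":
    for src, accounts in detect_rdp_bruteforce(SAMPLE_LOG).items():
        print(f"possible RDP brute force from {src}: {sorted(accounts)}")
```

Many distinct account names from one source in a short window is the pattern worth alerting on; a single user mistyping a password, as with the second source in the sample, stays below the threshold.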
With these protections and mindsets in place, organizations will be able to improve their protection against ransomware and double extortion attempts, and also their response playbooks.