Double Extortion Ransomware: The New Normal
With more and more businesses learning how to avoid paying huge amounts of money to ransomware actors by maintaining up-to-date backups and having disaster recovery plans in place, the number of victims forced to pay ransom started to decrease.
Even so, according to a study conducted by Cloudwards, in 2021, 37% of all businesses and organizations participating in the study were hit by ransomware and out of all, 32% paid the ransom but recovered only 65% of their data.
Even if companies started to learn new “tricks” when it comes to ransomware, the developers behind this kind of attack continue to adapt, rethink their tactics and find new ways to pressure their victims into paying the ransom. One of their relatively new famous technique is double extortion ransomware.
What Is Double Extortion Ransomware and How Does it Work?
Double extortion, also known as pay-now-or-get-breached refers to a growing ransomware strategy and the way it works is that the attackers initially exfiltrate large quantities of private information, then encrypt the victim’s files. Following the encryption, the attackers threaten to publish the data unless a ransom is paid.
If the victims fail to pay the requested ransom, their data will most likely be destroyed, exposed online, or sold to the highest bidder.
It’s a fact that there’s been a significant rise in the number of ransomware attackers that threaten to leak stolen data from those who don’t pay the ransom for the decryption key.
Origins of Double Extortion Ransomware
Cybercriminals have allegedly started to adopt this unique attack tactic in late 2019 with the first published double extortion ransomware case involving Allied Universal, the American provider of security systems and services.
As we said, the attack on the American company took place in November 2019. When the organization refused to pay 300 bitcoin, the ransomware gang increased the ransom request by 50% and threatened to use stolen information along with stolen emails and domain name certificates in a spam operation pretending to be Allied Universal.
The attackers leaked some of the stolen information such as certificates, contracts, and medical documentation to show they are being serious about their demands. They even posted a link to 10% of the data they exfiltrated. Allied Universal received a two weeks deadline before the rest of 90% will be exposed as well. The name of the used ransomware was the popular Maze.
According to Check Point researchers, the Maze ransomware gang has since exposed personal information for dozens of businesses, law companies, healthcare providers, and insurance organizations that have refused to comply with their demands.
Many other companies are believed to have avoided the public release of confidential data by paying the requested ransom.
In the first six months of 2020, hundreds of companies had allegedly been hit with double extortion ransomware attacks.
What Other Ransomware Groups Use Double Extortion?
Some ransomware gangs that are very prosperous in the double extortion business are Revil/ Sodinokibi (Travelex), Netwalker, and DoppelPaymer, but they are not the only ones. Conti and Egregor ransomware groups have rapidly followed in their footsteps and became some of the most productive cybercriminal groups in 2021.
After examining ransomware DLSs in 2021, Group-IB analysts concluded that Conti was the most hostile ransomware threat actor, leaking information about 361 victims (16.5% of all victim businesses whose data was published on DLSs).
As stated by Group-IB, the United States had the most double-extortion victims (968), followed by Canada with 110 and France with 103. Manufacturing, education, financial institutions, medical services, and commerce were the most affected sectors.
Double-Extortion Ransomware Damage Increases by 935%
According to Group-IB’s Hi-Tech Crime Trends Report 2021/2022, the increase of the ransomware industry happened due to a combination of poor corporate security and a thriving ransomware-as-a-service (RaaS) affiliate market. As mentioned in the report, access to compromised networks is currently very inexpensive. Thanks to an increase in the number of initial-access brokers and RaaS tools, ordinary petty criminals may turn into full-blown hackers in just a few hours for just a few dollars.
According to cybersecurity experts, the collaboration between ransomware developers and corporate-access brokers has resulted in a 935% increase in the number of companies that had their stolen data made public on a data leak site (DLS).
Ransomware organizations have increasingly employed the double extortion tactic, and the report shows that these groups are carrying on with the threats.
Double Extortion Ransomware Protection
In 2022, double extortion ransomware is expected to grow even more. In order to prevent becoming a victim of double extortion, you can take initiative on the matter by installing the most recent software updates and enabling two-factor authentication.
Also, as ransomware is most of the time delivered via phishing attacks, organizations must educate their staff to:
- Identify and avoid phishing scams;
- Know what measures to take if they think they received a phishing email;
- Know what to do if they experience a phishing attack especially that many employees are working remotely and do not benefit from the same resources as if they were physically at the office.
In the fight against ransomware, Heimdal™ Security is offering its customers an outstanding integrated cybersecurity suite including the Ransomware Encryption Protection module, that is universally compatible with any antivirus solution, and is 100% signature-free, ensuring superior detection and remediation of any type of ransomware, whether fileless or file-based (including the most recent ones like LockFile).
Heimdal™ Ransomware Encryption Protection
- Blocks any unauthorized encryption attempts;
- Detects ransomware regardless of signature;
- Universal compatibility with any cybersecurity solution;
- Full audit trail with stunning graphics;
The thought behind the double extortion ransomware assaults is that even if the impacted company thinks it can fix its network without paying the amount of money requested by attackers, the idea that their staff and client’s private data could be exposed might push companies to give in to extortion and make the payment.
It is not recommended to pay the ransom as there is no assurance that the hackers involved in the ransomware attack will delete the stolen information.
Unfortunately, this kind of cyber assault has become exceptionally profitable for ransomware gangs. Over the past year, cybersecurity specialists have followed the activity of more than 24 dark web leak websites linked with ransomware attacks meaning that more and more hackers adopt this form of blackmail.