Mitigating the rise of double extortion ransomware

The proliferation of ransomware attacks in Australia is impacting everyone: from consumers and businesses to governments — and criminals are only getting more sophisticated.

The past few years have shown a pattern of ‘attack, defend, attack, defend’ between cybercriminals and organisations. Once again, ransomware perpetrators have evolved their business model to include a second catastrophic phase in their technique: double extortion ransomware.

The journey from denial of service to exfiltration

Initially, perpetrators would gain access to an organisation’s system and deny access unless a ransom was paid. This year’s Thales Data Threat Report found that almost a quarter (24%) of Australian organisations admit they have paid or would pay a ransom to regain access to their data.

While organisations felt they had no choice to pay the ransom, cybercriminals continued with their one-step, denial-of-service technique. However, as IT and security teams became savvy to the business risk more and more organisations began backing up their data.

As a result, ransomware perpetrators were forced to evolve their business model. Cybercriminals introduced a second step to their attack, which involved exfiltrating the data and threatening to release it unless a ransom was paid. Even if companies backed up their data, they could still become a victim through the release of sensitive information — as could their third-party vendors and customers.

Data-breached businesses are not the only victims

This growing type of cyber attack provides criminals with the option of demanding two separate ransom payments. Any organisation that directly has vast amounts of data or holds customer, supplier or partner information is vulnerable to double extortion attacks. Many perpetrators are taking this even further by demanding additional payments from individual suppliers or customers whose data has been accessed.

Organisations that pay the ransom to stop their data being released remain at risk because it is still in the hands of criminals. There is no guarantee that cybercriminals won’t keep coming back to ask for more money at a future date.

The exfiltration of sensitive data poses significant security risks for businesses of every size, in every sector and is one of the most concerning trends today. The Cybersecurity and Infrastructure Security Agency (CISA) notes in an advisory that this weapon of attack circumvents conventional defences and increases the pressure to pay. The data creates leverage for criminals as it increasingly impacts customers’ personal information, privacy and safety.

The creation of a multibillion-dollar crime

Average ransom demands have soared to between $50 million and $70 million. Many victims end up paying a fraction of that amount, as they resort to negotiating with the perpetrators or relying on cyber insurance to cover a portion of the costs. Either way, such actions legitimise ransom demands and encourage attackers to continue making them. It is, therefore, unsurprising that ransomware expenses are projected to reach $265 billion by 2031.

The danger of outdated data protection strategies

A key challenge is that many businesses do not see double extortion ransomware as a serious threat to their bottom line or the ineffectiveness of their existing data protection strategies. These attacks have evolved way beyond basic security defences and business continuity techniques, such as next-gen antivirus and backups, and are targeting organisations big and small across every industry.

By implementing these three controls on sensitive data, businesses can optimise their ransomware protection:

• Make data safe by hiding it in plain sight — apply encryption, tokenisation, masking or anonymisation to ensure sensitive information is not visible to unauthorised users or processes. If the data cannot be easily viewed, it is less at risk. In addition, if the data is inherently hidden, it can be easily moved, replicated or backed up, without being put at risk of disclosure — either deliberate or accidental.
• Control who or what can access the data — ensure only authorised people or processes have access to the encryption keys. If data access control is correctly enforced, it will not only prevent sensitive data from being stolen or accidentally disclosed, but it will also prevent data from being tampered with.
• Proactively alert when the data itself is threatened — if an unauthorised person or process tries to read or write to the data, good data security will stop it. Without integrating threat response, data security may only delay the attack. Once alerted, a quick response needs to be triggered.
   

It’s important that organisations focus their time and resources on the current threat landscape. However, history suggests we will face another evolution of the ransomware model of attack. Whether it’s a huge leap forward in criminal innovation or the subtle, digital equivalent of a ‘needle in a strawberry’, organisations’ sensitive data will remain the principal reason for attack.

Image credit: iStock.com/Hailshadow