By the time you have finished reading this sentence, an organization somewhere in the world will have fallen victim to a ransomware attack and had at least some of its corporate data encrypted. On average, the criminals behind ransomware attacks hit a new organization every 10 seconds during 2020. Less than five years ago, the cadence of attacks was around one every 40 seconds – showing just how much the cyber-crime economy relies on ransomware as a revenue generator.
It’s estimated that ransomware cost businesses worldwide around $20 billion in 2020, a figure that’s nearly 75% higher than in 2019. And as if that wasn’t bad enough, criminals have added a new tactic to the familiar ransomware playbook which puts added pressure on victims to meet their demands.
This new approach is known as ‘double extortion,’ and involves two key stages. First, the ransomware gang stealthily infiltrates the target’s network and steals volumes of sensitive data; then, having taken the data, they deploy ransomware to encrypt files. The attackers then threaten to release the breached data publicly unless the ransom is paid within the designated timeframe – and usually publish a sample of the stolen data on the public Internet to prove their intentions. This puts additional pressure on victims to meet the attackers’ demands, as well as exposing the victim to penalties from data watchdogs for the data breach, and to the need to alert affected customers, partners and consumers whose data was breached.
In these instances, it really can feel like a lose-lose situation for companies that have been targeted. Perhaps that’s why so many victims are still willing to pay the criminals, even against strong recommendations from the likes of the FBI. A survey of more than 600 business leaders found that 7 in 10 had, at some point, paid a ransom to regain control of their data. This willingness to pay inevitably fuels further ransomware attacks, and the ‘double extortion’ method simply ratchets the pressure on victims up to the next level.
Extortion Escalates
And over the past 12 months, double extortion attacks have become increasingly common as the ‘business model’ has proven effective. The data center giant Equinix was hit by the Netwalker ransomware. The threat actor behind that attack was also responsible for the attack against K-Electric, the largest power supplier in Pakistan, demanding $4.5 million in Bitcoin for decryption keys and to stop the release of stolen data. Other companies known to have suffered such attacks include the French system and software consultancy Sopra Steria; the Japanese game developer Capcom; the Italian liquor company Campari Group; the US military missile contractor Westech; the global aerospace and electronics engineering group ST Engineering; travel management giant CWT, which paid $4.5M in Bitcoin to the Ragnar Locker ransomware operators; business services giant Conduent; and even soccer club Manchester United.
Research shows that in Q3 2020, nearly half of all ransomware cases included the threat of releasing stolen data, and the average ransom payment was $233,817 – up 30% compared to Q2 2020. And that’s just the average ransom paid. In a recent attack, the victim paid a remarkable $34 million. And of course, even when ransom demands are met, there is still no guarantee that the attackers will honor their promise to release the files and keep stolen data out of the public domain. This is one of the main reasons why at Check Point, we don’t recommend paying ransoms, either from company funds or via cyber-insurance policies. Paying merely feeds the criminal economy and encourages criminals to attack again.
How To Avoid Being Held To Ransom
So how should organizations defend themselves against both conventional ransomware and double-extortion attacks? It’s important to note that in many cases, ransomware is not delivered directly to networks, but is preceded by an initial trojan infection planted by the ransomware gang – especially the Trickbot trojan. IT teams should be vigilant for any signs of a trojan on their networks, and regularly updated anti-virus software plays a key role in preventing these pre-infections. We recommend running a full compromise assessment any time there are signs of intrusion.
The other main infection vector is ransomware delivered over RDP (Remote Desktop Protocol). Threat actors identify open RDP servers and either perform a brute-force login attack or utilise phished credentials to gain access to them. Once on the server, the attacker obtains elevated privileges and moves laterally to plant ransomware on network endpoints. To protect against this vector, organizations should patch relevant RDP vulnerabilities and protect their RDP servers with strong passwords and two-factor authentication.
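The brute-force stage of the RDP vector described above leaves a recognisable trace in the Windows Security log: a burst of failed logons (Event ID 4625) with logon type 10 (RemoteInteractive, i.e. RDP) from one source address, sometimes followed by a successful logon (Event ID 4624) from that same source. The following detector is an added example, not Check Point code; the event IDs and logon type are real Windows values, while the log lines, the pipe-separated layout, the IP addresses and the user names are constructed for the demonstration.

```python
"""Detect RDP brute-force bursts in Windows Security log events.

Added example, not Check Point code. Event IDs 4625 (failed logon) and
4624 (successful logon) with LogonType 10 (RemoteInteractive, i.e. RDP)
are real Windows Security events; the log lines below are constructed.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records: "timestamp|event_id|logon_type|user|source_ip"
SAMPLE_LOG = """\
2020-11-02T03:14:01|4625|10|administrator|203.0.113.7
2020-11-02T03:14:03|4625|10|admin|203.0.113.7
2020-11-02T03:14:04|4625|10|backup|203.0.113.7
2020-11-02T03:14:06|4625|10|sqlsvc|203.0.113.7
2020-11-02T03:14:07|4625|10|jsmith|203.0.113.7
2020-11-02T03:14:09|4624|10|jsmith|203.0.113.7
2020-11-02T09:05:12|4625|10|jsmith|192.0.2.44
2020-11-02T09:07:40|4624|10|jsmith|192.0.2.44
"""

FAILED_LOGON, SUCCESS_LOGON = "4625", "4624"
RDP_LOGON_TYPE = "10"


def parse_events(text):
    """Turn the constructed pipe-separated records into dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, logon_type, user, src = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "event_id": event_id,
                       "logon_type": logon_type, "user": user, "src": src})
    return events


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=1)):
    """Return a list of (source_ip, kind, detail) alerts.

    kind 'burst'               : >= threshold RDP failures inside one window
    kind 'success_after_burst' : an RDP success from a source that was
                                 bursting, i.e. the guessing probably worked
    """
    alerts = []
    recent = defaultdict(deque)   # source ip -> timestamps of recent failures
    bursting = set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["logon_type"] != RDP_LOGON_TYPE:
            continue
        q = recent[ev["src"]]
        if ev["event_id"] == FAILED_LOGON:
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > window:   # drop failures outside the window
                q.popleft()
            if len(q) >= threshold and ev["src"] not in bursting:
                bursting.add(ev["src"])
                alerts.append((ev["src"], "burst",
                               f"{len(q)} RDP logon failures within {window}"))
        elif ev["event_id"] == SUCCESS_LOGON and ev["src"] in bursting:
            alerts.append((ev["src"], "success_after_burst",
                           f"user {ev['user']} logged in after a burst"))
            bursting.discard(ev["src"])
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(parse_events(SAMPLE_LOG)):
        print(alert)
```

Run against the constructed sample, the detector raises a burst alert for 203.0.113.7 on the fifth failure and a second, higher-priority alert when a logon from that address then succeeds; the single failure followed by a success from 192.0.2.44 is a user mistyping a password and produces nothing. The success-after-burst alert is the one that matters, because it marks the moment the attacker is "on the server" and the lateral-movement stage begins; the detection is a complement to, not a substitute for, the two-factor authentication and patching the text recommends.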
And in addition to the measures outlined above, organizations should deploy dedicated anti-ransomware solutions that constantly monitor for ransomware-specific behaviors and identify illegitimate file encryption, so that an infection can be prevented and quarantined before it takes hold, and files automatically restored to their original state. With these protections in place, organizations will be better able to avoid falling victim to double extortion attempts.
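To make the phrase “ransomware-specific behaviors” concrete, here is a minimal behavioural detector, added as an example and not the logic of any Check Point product. It watches file-write events and flags a process that rewrites many files in a short window with near-random content (encrypted data has Shannon entropy close to 8 bits per byte, whereas documents sit far lower) while changing the files’ extensions. The events, the process name `svchost_.exe`, the paths and the thresholds are all constructed; a real product would also hook the writes so that the files could be blocked and restored.

```python
"""Flag ransomware-like file activity from file-system write events.

Added example, not a Check Point product's logic. Heuristics combined here:
  (a) one process rewrites many files inside a short window,
  (b) the new contents are near-random (high Shannon entropy, as ciphertext is),
  (c) the file extension changes on the rewrite.
All events, names, paths and thresholds below are constructed.
"""
import math
import ntpath
import os
from collections import defaultdict
from datetime import datetime, timedelta


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or constant data, 8.0 for uniform random bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


# Constructed events: (timestamp, process, original path, new path, bytes written)
TEXT = b"Quarterly report: revenue up 4% on the prior quarter. " * 20
RANDOM = os.urandom(1024)   # stands in for ciphertext written by an encryptor
EVENTS = [
    (datetime(2020, 11, 2, 3, 20, 0), "winword.exe",
     r"C:\docs\q3.docx", r"C:\docs\q3.docx", TEXT),
] + [
    (datetime(2020, 11, 2, 3, 21, i), "svchost_.exe",   # constructed look-alike name
     rf"C:\docs\file{i}.xlsx", rf"C:\docs\file{i}.xlsx.locked", RANDOM)
    for i in range(12)
]


def detect_encryption_behaviour(events, min_files=10, entropy_floor=7.0,
                                window=timedelta(minutes=5)):
    """Return {process: (high_entropy_writes_in_window, extension_changes)}
    for every process that wrote >= min_files high-entropy files inside one
    window. Ordinary document writes never reach the entropy floor."""
    recent = defaultdict(list)    # process -> timestamps of high-entropy writes
    renamed = defaultdict(int)    # process -> count of extension changes
    flagged = {}
    for ts, proc, old, new, content in sorted(events, key=lambda e: e[0]):
        if shannon_entropy(content) < entropy_floor:
            continue
        if ntpath.splitext(old)[1] != ntpath.splitext(new)[1]:
            renamed[proc] += 1
        hits = [t for t in recent[proc] if ts - t <= window] + [ts]
        recent[proc] = hits
        if len(hits) >= min_files:
            flagged[proc] = (len(hits), renamed[proc])
    return flagged


if __name__ == "__main__":
    for proc, (writes, renames) in detect_encryption_behaviour(EVENTS).items():
        print(f"{proc}: {writes} high-entropy writes, {renames} extension changes")
```

On the constructed events the word processor’s plain-text save is ignored, while the look-alike process trips the detector on its tenth high-entropy write and ends the run with twelve such writes and twelve extension changes. Entropy alone is not enough (compressed archives and images are also high-entropy), which is why the rate and the renames are counted too; the thresholds are the tunable part, and a product doing this for real would act at the first trip rather than waiting for the run to finish.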