
The Pain of Double Extortion Ransomware

While ransomware operators have long targeted the availability of their victims' systems and data, the groups have been evolving their attack patterns to target the privacy and confidentiality of victim data as well. Attackers are increasingly pushing for double and sometimes triple extortion of their victims, threatening them with disclosure of their most sensitive data if they refuse to pay. According to a recent market study, 71% of individuals surveyed said double and triple extortion tactics have grown in popularity over the last 12 months, and 65% agree that these new threats make it tougher to refuse ransom demands.

Double extortion ransomware is when a victim’s sensitive data is both stolen from the victim and encrypted in place, giving the criminal the option of demanding two (or more) separate ransom payments. We have seen this across headlines in 2022, most recently the Medibank hack, where the company refused to pay the ransom – and the hackers leaked some very sensitive customer data.

Any organization that directly holds large amounts of sensitive data (whether from a client, supplier, or trusted partner) should consider itself a tempting target for double extortion ransomware attacks. The threat of double extortion tactics is ominous. According to the 2022 Thales Data Threat Report, which surveyed nearly 2,800 respondents across 17 countries, 21% of all respondents have experienced a ransomware attack, 43% of whom were significantly impacted. Nearly half (45%) reported an increase in scope, volume, and/or severity of cyberattacks in the last twelve months. When asked to rank their top threats, more than 60% ranked malicious insiders with financial motivations among their top four.

Under such circumstances, businesses often find themselves caught between a rock and a hard place, and end up paying the ransom costs. Thales’ report found that 22% of respondents worldwide (including 24% in the US) said they have paid or would pay ransom for their data. This doesn’t come cheap – lost productivity, recovery costs and breach notification are rated as having the greatest financial impact by 19%, 18% and 16% of the respondents respectively.

Double extortion further complicates the picture for the victims because even if you pay, the attacker will still have your data and can make more demands in the future.


A security gap?

These methods provide significant security risks for businesses of all sizes. 72% of the survey respondents believe that ransomware attacks evolve quicker than the security controls required to protect against them. Additionally, 77% of the respondents also assert that governments should do more to assist private enterprises in defending against ransomware.

Data is already in criminal hands

Already-exfiltrated sensitive data constitutes one of the most concerning trends. The Cybersecurity and Infrastructure Security Agency (CISA) notes in an advisory that this attack method circumvents conventional defenses and increases the pressure to pay. The stolen data creates leverage for the hackers, as it increasingly includes customers' personal information.

With privacy becoming a top priority for many citizens across the globe, revelations of this type create a wave of distrust and anger. Once the sensitive data is in the attacker’s hands, then traditional ransomware recovery mechanisms, such as offline backups and system recovery plans, are less impactful on the overall ransomware costs.

Rising ransomware costs

The various degrees of extortion are driving up the cost of ransomware because criminal groups are finding creative ways to successfully extract more money from their victims. Consider the recent case of hackers hiding malware inside fake Pokémon card NFTs to get users to click on phishing links; or of hackers stealing data through Microsoft OneNote attachments, a simple and seemingly innocent double-click away. Our most recent cause for concern is the potential threat posed by ChatGPT: a survey by BlackBerry found that over 50% of respondents consider the AI being misused to create legitimate-looking phishing emails a major global issue. The average ransom demands have soared to between $50 million and $70 million. While many victims wind up paying a fraction of that amount through negotiation or cyber insurance coverage, making any ransom payment helps legitimize such demands and emboldens attackers to continue making them. It is therefore not surprising that ransomware expenses are projected to reach $265 billion by 2031.

Preventing double extortion ransomware

Governments have taken multiple steps to help businesses mitigate the threat of ransomware attacks, with some limited success, and they are continuing to focus on the issue and provide more resources as we move forward. Some actions an enterprise can take to minimize the risk of becoming a victim of double extortion ransomware are:

  • Develop a ransomware recovery plan that covers not only availability of your systems and data, but also how to deal with the exfiltration and public exposure of that data.
  • Ensure your teams are properly prepared and resourced to securely build, deploy, and manage their systems with appropriate defenses to minimize the ability for ransomware gangs to get a foothold in the enterprise.
  • Invest in security awareness training to familiarize personnel with common ransomware attack vectors such as phishing, social engineering, and how to recognize and securely handle sensitive data.
  • Protect your sensitive data against ransomware attacks through the Discover, Protect and Control paradigm.

Another layer of defense is to ensure that sensitive data is already encrypted at rest. In that case, even if the attacker exfiltrates the sensitive data, it will be indecipherable without the appropriate encryption keys. Moreover, it goes without saying that keeping those encryption keys in tamper-proof hardware is also critical to an enterprise's defense strategy.

These measures should be viewed in the broader context of a Zero Trust approach to cybersecurity, where businesses should hope for the best but prepare for the worst by ensuring they have an effective ransomware plan in place. Secure human identities and machine identities are the foundation for limiting the chances of a ransomware actor gaining access to our sensitive data. In this regard, ransomware preparedness and secure key management are essential to protecting against double extortion ransomware attacks.