In November 2019, the group behind Maze ransomware bypassed the cyberdefenses of security staffing firm Allied Universal. After exfiltrating a massive amount of sensitive data, the fraudsters encrypted Allied’s network and demanded more than $2 million in ransom to restore it.
When the firm refused to pay up, the attackers published samples of the files to prove they were serious. They ultimately posted a link to 10% of the stolen data along with a new ransom demand that was even higher than the original.
This double extortion ransomware attack turned out to be the first of many — this type of incident has become increasingly common among bad actors. Although many organizations are adopting more sophisticated cyberdefenses, fraudsters are evolving right alongside them. To combat the threat, today’s organizations need more than just a strong cybersecurity posture. They also need to consider data devaluation as a standard practice.
The only thing worse than a ransomware attack? A double extortion attack
From H2 2020 to H1 2021, more than 2,000 companies fell victim to a ransomware attack that resulted in data being exposed on a data leak site (DLS) — a striking 935% increase from the previous review period.
In a double extortion attack, bad actors infect an organization’s network using ransomware, a subset of malware that encrypts the company’s files. The fraudsters then demand ransom in exchange for decrypting the data — but if the organization refuses to pay up, the bad actors threaten to publish the information on a DLS.
In these cases, even if an organization has robust security measures in place to restore their data, the threat of data exposure may still force them to pay the ransom.
In addition to the rise of DLSs, we’ve seen an increase in the number of bad actors carrying out multilevel attacks. These ransomware attacks involve additional “levels” fraudsters threaten to escalate to if an organization refuses to pay, such as a distributed denial-of-service (DDoS) attack or direct threats to a company’s customers.
While all ransomware attacks result in reputational and financial repercussions, double extortion cases raise the stakes. Depending on the data that is stolen, a company may also need to worry about leakage of sensitive customer information. If personally identifiable information (PII) is exposed, it can result in identity theft, fraud and lawsuits. Additionally, data privacy laws like the California Consumer Privacy Act (CCPA) can impact organizations whose data has been exposed.
To avoid the aftermath of a double extortion ransomware attack, the first step is to educate employees about the risks. Provide continuous training about cybersecurity best practices (e.g., phishing email detection) and require employees to use multi-factor authentication (MFA) for login. While training initiatives and a tight end-to-end security posture can go a long way toward protecting your organization’s data, these measures can’t prevent ransomware attacks entirely.
Strong cyberdefenses are no longer enough to keep bad actors out
No matter how sophisticated and refined your cyberdefenses are, you are not invincible. Given that 85% of data breaches are caused by inevitable human error, organizations should consider devaluing their data to render it useless to fraudsters in the event of an attack. The two main approaches to data devaluation — tokenization and encryption — make data unintelligible to outsiders, protecting sensitive information from bad actors’ prying eyes.
Tokenization: This method of data devaluation is suited for the long-term storage of PII, like customer payment information kept on file by a retailer. Each piece of data is replaced with a randomly generated “token” (a set of numbers with no mathematical relationship to the original value), and it is the token, not the information itself, that is stored on your servers. The actual data is kept in a secure, third-party vault that maps each token back to the PII.
Encryption: Encrypting data secures sensitive information while in transit or at rest, making the information indecipherable to anyone who does not hold the corresponding “key.” The Payment Card Industry (PCI) offers one particularly effective solution for sensitive cardholder information: PCI-validated point-to-point encryption (P2PE). Organizations use P2PE to encrypt data at the point of sale, and it remains encrypted until it is securely transported to the solution provider’s encryption environment. Using a PCI-validated P2PE solution limits the scope of PCI DSS assessments while keeping customer data secure, a win-win solution.
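To make the tokenization idea concrete, here is an added example in Python that is not from the original article: a minimal token vault alongside the application records that reference it, showing that a dump of the application database yields only tokens. The vault class, the index key and the sample card number are constructed assumptions for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed example: a tokenization vault kept separate from the application.
# The index key and the sample card number used in tests are illustrative assumptions.
VAULT_INDEX_KEY = b"vault-only-secret-change-me"


class TokenVault:
    """Maps random numeric tokens to the real PII they stand in for."""

    def __init__(self, index_key: bytes) -> None:
        self._index_key = index_key
        self._token_to_pii: dict[str, str] = {}
        self._index_to_token: dict[str, str] = {}

    def _index(self, pii: str) -> str:
        # Keyed hash lets repeat tokenization return the same token without
        # keeping a plaintext lookup table of PII inside the vault.
        return hmac.new(self._index_key, pii.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pii: str) -> str:
        idx = self._index(pii)
        if idx in self._index_to_token:
            return self._index_to_token[idx]
        while True:
            # Random digits of the same length: no mathematical link to the PII.
            token = "".join(secrets.choice("0123456789") for _ in range(len(pii)))
            if token != pii and token not in self._token_to_pii:
                break
        self._token_to_pii[token] = pii
        self._index_to_token[idx] = token
        return token

    def detokenize(self, token: str) -> str:
        # Only callers with vault access can ever reach the real value.
        return self._token_to_pii[token]


def store_customer(vault: TokenVault, customer_id: str, pan: str) -> dict:
    """What the application's own database keeps: the token, never the PAN."""
    return {"customer_id": customer_id, "card_token": vault.tokenize(pan)}


def leak_exposes_pii(records: list[dict], pan: str) -> bool:
    """Simulates a data-leak-site dump of the application database."""
    return any(pan in str(r) for r in records)
```

The application side never needs the vault key, so an attacker who exfiltrates the application database holds nothing they can sell or publish.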
Devaluing data makes the information meaningless to bad actors regardless of how much data and which type of data is exfiltrated. This strategy prevents fraudsters from holding your data hostage for ransom — even if bad actors bypass your security measures, they can’t sell or expose the information.
When doing business with an organization, customers expect the company to keep their data secure. And since double extortion ransomware attacks don’t appear to be slowing down anytime soon, consider devaluing your data before it’s too late.