How to Defend Against Double Extortion Ransomware Attacks

Ransomware has become the most prominent cybersecurity threat in 2020. Those who follow our blogs for the Security Weekly news updates would know that large-scale ransomware attacks happen on a weekly, if not daily basis.

What’s concerning is not only the increased popularity of ransomware, but the pace at which these attacks are evolving. Threat actors are finding increasingly complex and sophisticated ways to target the vulnerabilities of our IT infrastructure and our economy. In order to stay safe from ransomware, we need to keep ourselves informed on the latest attack trends and patterns and keep our security infrastructure updated.

 

New ransomware trends

Increase in scale

Looking only a couple of years back, ransomware was mainly used to target individual consumers. Ransomware operators took the low-risk approach by launching attacks that target a wide range of individuals and small businesses. Attackers would encrypt a computer’s database, prevent the user from accessing important files, and force them to pay a ransom (with cryptocurrency) to regain access. The demanded ransom mostly ranged from a few hundred to a few thousand dollars. Some of the infamous ransomware families at that time included Locky, SamSam, CryptoLocker, and WannaCry. 

More recently, threat actors have switched to the high-risk approach. Instead of blindly targeting a wide range of individuals, ransomware attacks are now especially well planned and carefully targeted, often against large businesses, NGOs, and governments – one at a time. From an attacker’s perspective, these large targets are difficult to negotiate with and are accompanied by higher risks. Still, the reason why an attacker would take such risks is that once a deal is made, a single ransom payment tends to be in the millions. Some of the currently active ransomware families include Maze, NetWalker, Snake, Ragnar Locker, DoppelPaymer, and REvil.

Double extortion

Ransomware attack patterns have also evolved significantly. Traditionally, ransomware was deployed to encrypt the victim’s data and lock them out of their own files. Had the victim refused to pay the ransom, their files would be destroyed.

Ransomware attacks today are completely opposite. Usually, the attacker would exfiltrate a copy of the data before encrypting them. This way, the attacker not only prevents the victim from accessing their data, but also keeps a copy of the data for themselves. In order to claim responsibility and pressure the victim during the negotiation process, the attacker would often release small portions of the data online. If the negotiation turns out badly, the attacker would then either publish all of the exfiltrated data or sell them to third parties.

Security experts call this type of attack pattern “double extortion” because these attacks are essentially a combination of a ransomware attack and a data breach. Large corporations and government agencies feel extremely helpless when hit by double extortion attacks because their compromised databases likely contain proprietary or secretive information that they would rather have destroyed then published or sold.

 

How to prevent a ransomware attack

As is the case with most malware, ransomware usually makes its way into a victim’s IT system through vulnerabilities in applications, devices, or servers. Most commonly, attackers exploit software flaws in web applications to inject malicious codes and commands to download the ransomware into the victim’s devices and servers.

In 2020, ransomware operators are taking a more old-fashioned route – by targeting employees with phishing emails. When an employee opens the link or downloads the files contained in the email, malicious payloads would be injected into their device. Many of these phishing attacks utilize subject lines and messages related to COVID-19.

Step 1: system protection

Choose a reliable web application firewall to prevent web attacks, including those that inject malicious SQL scripts and JavaScripts into your applications and servers.

We recommend WAPPLES, a logical web application firewall that uses machine learning technology to update its signature lists, designed for both on-premises and cloud environments.

Step 2: employee education

In order to prevent phishing attacks, it is also crucial to alert and educate all employees on the basics of cybersecurity and preferably create a guideline on how to safely open emails and text messages.

 

If prevention fails, how to mitigate the impact of a ransomware attack

Indeed, even the latest and best security infrastructure cannot fully guarantee that the attackers won’t be able to find new vulnerabilities and weak spots to get in. Then, what are some of the preventative measures to devitalize, at least weaken the power of the attacker?

Step 3: data encryption

The most straightforward step is encryption. Of course, this does not prevent the attackers from locking the victim out of their files because they could simply double encrypt the data on top of the encrypted data. Nevertheless, this does prevent the attacker from gaining any information from the data, and prevents them from releasing or selling the data. As double extortion becomes “single extortion”, the attacker loses significant bargaining power. 

We recommend D’Amo, a data security solution that utilizes multiple encryption algorithms and technologies for optimized security, compatible with most on-premises and cloud databases. It also comes with an advanced key management system that secures the key with blockchain technology, because encryption is not complete without securing the key.

Step 4: data backup

On top of the previous steps, adding step 4 would completely deprive all the purposes of a ransomware attack. Continuing the story from step 3, when an attacker double encrypts the victim’s encrypted database, they at least gain some bargaining power by holding the data hostage. Now if the victim has a backed-up copy of the data sitting in a separate network, the attacker would be left with no bargaining power, so they can have fun keeping the double-encrypted data of which they would never be able to view.

 

How to respond to a ransomware attack

Though ideal, it is not always possible to implement all four steps. Especially when it comes to step 4, having all important data backed up in a separate network would be extremely costly and difficult to manage. Nonetheless, we strongly recommend organizations to at least implement up to step 3. Certainly, nobody wants to be a victim of a double extortion attack.

Organizations should also develop a ransomware emergency response guideline. Whenever an intrusion is detected, immediately shut down the infected systems and separate them from the rest of the network to prevent the attack from spreading further. It is also helpful to contact cybersecurity firms to investigate the case and work on system recovery.

We cannot give a definite answer on whether or not to pay a ransom because factors like the importance of data, the bargaining power of the attackers, and whether third parties are affected can vary greatly across situations. A few days ago, the University of California, San Francisco, unfortunately, had to make the decision to pay ransomware attackers $1.14 million to recover medical research data. Since these data contain the research work of scientists and scholars, their value to society can be priceless.

In the end, the best way to deal with ransomware is prevention and mitigation.

 

Check out Penta Security’s product lines:

Web Application Firewall: WAPPLES

Web Application Firewall for Cloud: WAPPLES SA

Database Encryption: D’Amo

Authentication: ISign+ 

Smart Car Security: AutoCrypt