Pressure points: Ransomware operators run their extortion efforts through a multiplier
Article by Murray Mills, Manager - Cyber Security, Tecala.
Attackers have doubled the number of techniques simultaneously deployed against victims in a few short months.
It used to be that encrypting files was enough to squeeze a ransom out of a business.
But as more ransomware victims rely on backups instead of their bank balance to get themselves out of trouble, attackers have also switched tactics in an attempt to improve their chances of being paid.
Recent research shows that threat actors now “employ up to three additional leverage points, in addition to file encryption, to maximise extortion pressure on victims.”
From 2019-2021, ransomware groups increasingly utilised a second form of extortion (aka “double extortion”) in which sensitive data was downloaded and posted on leak sites – sometimes with a countdown timer. If organisations fail to pay in a timely manner, not only is the ransom fee likely to increase, but threat actors will begin leaking sensitive information stolen during the intrusion.
Additional tactics such as Distributed Denial of Service (DDoS) and contacting the organisation’s customers and affiliates have become common in 2021 (aka “triple” or “quadruple” extortion).
Attackers layered additional extortion methods one on top of the other as it became progressively harder to extract a ransom using just one.
Governments and federal cyber security agencies have played a part in making the ‘business’ of ransomware more challenging. Together with insurers, they have seeded the message that paying a ransom is inadvisable as a matter of policy and principle.
One of the reasons it’s inadvisable is that payment is a less reliable way of recovery than wiping everything and restoring from good backups. As one recent survey showed, only one-third of victims pay to get their data back compared to 57% that restore from backup. Of those that do pay, only 8% get all their data back. Those simply aren’t good odds.
The response from attackers has not been to improve the quality of their decryption tools but instead to double, triple or quadruple down on their extortion attempts, throwing more and more types of attack at victims simultaneously in the hope that at least one will wreak the desired havoc.
That multiplier effect has happened relatively quickly.
In May-June of 2021, there were reports of double extortion attacks, comprising ransomware and data exfiltration to ratchet up pressure on target organisations.
Triple and quadruple extortion attempts arrived simultaneously in the past couple of months. As double extortion attempts faltered, criminals started to DDoS victims or call executives and record negotiations for payment, which they could then either leak or use for additional leverage.
According to research, this “harassment” element also extended beyond company executives to partners, customers, and even tipping media organisations off to compromises.
In the last month, there have even been references to quintuple extortion attacks starting to crop up.
Which is all to say that ransomware operators are not going to stop trying multitudes of attacks anytime soon, especially while there remains a one-in-three shot at extracting payment.
Countering multiple attacks
Beyond maintaining good backups, there are strategies that organisations can deploy to improve their cyber security hygiene and make life more difficult for would-be attackers, no matter how many extortion techniques are thrown at them.
One of these strategies is to adopt managed detection and response (MDR), an all-in-one cyber security service designed to detect, disrupt, and remediate known and unknown cyber threats such as ransomware infections.
With a rapidly evolving threat landscape, and the real possibility of double, triple or quadruple extortion attacks, organisations need confidence that their data and critical assets are secure.
Since initial access to data exfiltration and deployment of ransomware can unfold in mere hours, CISOs need to re-evaluate their security program, posture, and controls against the backdrop of the heightened risk organisations face from threat actors.
In addition, security operations teams need up-to-date threat detection capabilities and incident response playbooks to fully respond to and remediate ransomware threats.
MDR, a modern security operations centre capability comprising skilled personnel and sophisticated tooling, is fast becoming the best-practice standard for stopping multiple cyber threats before they can disrupt an organisation or business.
Organisations that are considering their options to bolster their defences against ransomware or multiple extortion attacks are first advised to undertake a detailed security assessment to map out where their operations are most at risk and to create a strategic security roadmap to address the identified risks.
This process will also clarify the extent to which MDR tools and techniques may be effectively deployed to counter the identified risks.