Ransomware has already proven itself to be a powerfully profitable weapon in the cybercriminal arsenal. According to Emsisoft, ransomware incidents in 2019 could have had a combined cost of more than $7.5 billion (£5.65 billion), and that figure covers US-based incidents alone.
As cybersecurity professionals and the public at large have come to realise, cybercrime is now a huge business, with organised threat groups sharing resources and techniques to boost profitability. Despite ransomware’s stellar ROI, cybercriminal groups have recently decided there is more to be made from this brand of malware, and have switched up their tactics, employing a new double extortion model.
In the last year or so, double extortion attacks have gathered pace and made headlines, with the operators of Maze ransomware leading the way in using them. In the double extortion model, the attackers not only encrypt data and demand a ransom to restore access, but also threaten to publish any exfiltrated data online if their terms are not met.
This has proven successful for a number of reasons. Firstly, businesses are already highly aware of ransomware. The operational downtime that ransomware forces upon a company is of course damaging and difficult to conceal, leading to negative media attention. Even if a ransomware-afflicted business ultimately removes the ransomware through the efforts of security professionals, a public perception (however erroneous) that the company paid the ransom may persist, leading to further negative sentiment.
Clearly, ransomware groups such as the one behind Maze have realised that the damage caused by ransomware extends far beyond the locking of systems. After all, even the knowledge that an attacker is in the network, and the threat of an encrypt button being pressed, is enough to make some companies pay out.
Ransomware groups are additionally diversifying their approach by taking copies of data before performing the encryption. This gives them a number of options, each of which has been seen played out in the wild.
Firstly, it proves to the victim and/or the wider world that they really have breached the organisation. It also adds a second layer of extortion: pay, or we will leak the data. What is particularly threatening about this approach is that, even if a company decides to restore from backup rather than pay up, the stolen data is still valuable and the threat of leakage is not diminished. Where a company does pay the ransom, the cybercriminals can provide only worthless assurance that they have deleted their copy of the data; that data could still be leaked later on, or used again to leverage yet another payout.
Clearly, these are unscrupulous criminals seeking to exploit any opportunity they have for financial gain. The Maze gang, when referring to the attack on LG’s network earlier in the year, presented a veneer of ethicality to their actions, claiming they didn’t execute the ransomware as LG’s clients are “socially significant and we do not want to create disruption for their operations.” Instead, they leaked over 50GB of stolen data.
Doubling down on security
Fortunately for would-be victims, there are a number of ways in which ransomware attacks can be prevented, or at least mitigated. In many cases, the intruders have been in the network for what may be an extended period before initiating the actual malware attack, and a critical goal of any cybersecurity programme is minimising the time intruders remain undetected in the corporate network.
Minimising the time attackers spend within the company network relies upon understanding the process by which ransomware attacks are executed. There are five distinct stages that define a ransomware attack, and by being familiar with each phase and its indicators of compromise (IOCs), security teams can respond quickly to an intrusion. This allows companies to limit, or even prevent entirely, a threat actor's access to the data that would otherwise enable a double extortion ransomware attack.
The five phases of a ransomware attack are:
- Exploitation and infection
- Delivery and execution
- Backup spoliation
- File encryption
- User notification and clean-up
To meet this threat, there are also five phases of defence against ransomware: preparation, detection, containment, eradication, and recovery. Large-scale outbreaks result from inadequate containment: the affected host needs to be immediately blocked and isolated from the network, which prevents additional files on the network from being encrypted.
An organisation's ability to recognise the IOCs of the five phases of attack, and then to employ the five phases of defence, rests on effective monitoring of company networks. It is crucial that companies recognise the stark nature of the ransomware threat and acquire the necessary technological solutions and security teams to ensure this comprehensive monitoring.
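As an added example (not the article's own material, nor LogRhythm's code), the Python script below shows how a monitoring team could map endpoint telemetry onto the five attack phases listed above and trigger the containment step as soon as backup spoliation or mass encryption is seen on a host. The log format, host names, file paths and indicator patterns are constructed assumptions for illustration only; a real deployment would feed its own telemetry and curated indicator set into the same correlation logic.

```python
"""Phase-aware ransomware indicator correlation over endpoint telemetry.

Added example, not from the article or LogRhythm. The log format, hosts,
paths and indicator patterns are constructed assumptions for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# The article's five attack phases, in the order they are expected to occur.
ATTACK_PHASES = [
    "exploitation_infection",
    "delivery_execution",
    "backup_spoliation",
    "file_encryption",
    "user_notification",
]

# Assumed indicators per phase: (event type, regex over the detail field).
# These are illustrative patterns, not a vendor or article-supplied list.
PHASE_INDICATORS = {
    "exploitation_infection": [("ids_alert", re.compile(r"exploit", re.I))],
    "delivery_execution": [("proc", re.compile(r"\b(powershell|rundll32|mshta)\b.*(-enc|http)", re.I))],
    "backup_spoliation": [("proc", re.compile(r"\bvssadmin\b.*\bdelete\b.*\bshadows\b|\bwbadmin\b.*\bdelete\b", re.I))],
    "user_notification": [("file_create", re.compile(r"(readme|decrypt|restore).*\.(txt|html)$", re.I))],
}

# file_encryption has no single indicator; it is inferred from a rename burst.
RENAME_BURST_THRESHOLD = 20          # assumed: 20 renames ...
RENAME_BURST_WINDOW = timedelta(seconds=60)  # ... within 60 seconds

# Assumed line format: <ISO timestamp> host=<name> event=<type> detail="<text>"
LOG_RE = re.compile(r'^(\S+) host=(\S+) event=(\S+) detail="(.*)"$')


def parse_line(line):
    """Parse one telemetry line into a dict, or return None if malformed."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
    return {"ts": ts, "host": m.group(2), "event": m.group(3), "detail": m.group(4)}


def classify_event(evt):
    """Return the attack phase a single event indicates, or None."""
    for phase, indicators in PHASE_INDICATORS.items():
        for event_type, pattern in indicators:
            if evt["event"] == event_type and pattern.search(evt["detail"]):
                return phase
    return None


def recommend_action(seen):
    """Map the phases observed on a host to the defence phase to trigger.

    Containment (isolating the host) is recommended as soon as backup
    spoliation, encryption or the ransom note appears, since every further
    minute lets more files on the network be encrypted.
    """
    if seen & {"backup_spoliation", "file_encryption", "user_notification"}:
        return "contain: isolate host from network now"
    if seen:
        return "detect: escalate for investigation"
    return "none"


def correlate(lines):
    """Return {host: {"phases": [...in attack order...], "action": str}}."""
    phases_seen = defaultdict(set)
    renames = defaultdict(list)  # host -> timestamps of recent file_rename events
    for line in lines:
        evt = parse_line(line)
        if evt is None:
            continue
        phase = classify_event(evt)
        if phase:
            phases_seen[evt["host"]].add(phase)
        if evt["event"] == "file_rename":
            window = renames[evt["host"]]
            window.append(evt["ts"])
            # Slide the window: drop renames older than the burst window.
            while window and evt["ts"] - window[0] > RENAME_BURST_WINDOW:
                window.pop(0)
            if len(window) >= RENAME_BURST_THRESHOLD:
                phases_seen[evt["host"]].add("file_encryption")
    return {
        host: {"phases": [p for p in ATTACK_PHASES if p in seen],
               "action": recommend_action(seen)}
        for host, seen in phases_seen.items()
    }


def _sample_log():
    """Constructed telemetry: one full attack chain, one early-stage host, one benign host."""
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    base = datetime(2020, 8, 1, 10, 0, 0)
    lines = [
        '2020-08-01T09:58:00Z host=ws-07 event=ids_alert detail="exploit signature matched on inbound document"',
        '2020-08-01T09:59:10Z host=ws-07 event=proc detail="powershell.exe -w hidden -enc [redacted]"',
        '2020-08-01T09:59:40Z host=ws-07 event=proc detail="vssadmin.exe delete shadows /all /quiet"',
        '2020-08-01T10:02:00Z host=ws-12 event=proc detail="powershell.exe -enc [redacted]"',
        '2020-08-01T10:03:00Z host=srv-01 event=ids_alert detail="port scan from internal subnet"',
    ]
    for i in range(25):  # burst of 25 renames in 48 seconds on ws-07
        ts = (base + timedelta(seconds=2 * i)).strftime(fmt)
        lines.append(f'{ts} host=ws-07 event=file_rename detail="C:\\Users\\alice\\Documents\\report{i}.docx -> report{i}.docx.locked"')
    for i in range(3):  # a few routine renames on srv-01, below the threshold
        ts = (base + timedelta(seconds=10 * i)).strftime(fmt)
        lines.append(f'{ts} host=srv-01 event=file_rename detail="D:\\share\\draft{i}.tmp -> draft{i}.xlsx"')
    lines.append('2020-08-01T10:01:00Z host=ws-07 event=file_create detail="C:\\Users\\alice\\Documents\\README_DECRYPT.txt"')
    return lines


SAMPLE_LOG = _sample_log()

if __name__ == "__main__":
    for host, summary in correlate(SAMPLE_LOG).items():
        print(host, summary["phases"], "=>", summary["action"])
```

The value of the per-host correlation is that the same event stream yields different defence phases: ws-07 shows every attack phase and goes straight to containment, ws-12 has only an early-stage indicator and is escalated for investigation, and srv-01 never appears in the report because its handful of renames stays below the burst threshold.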
Contributed by Andrew Hollister, head of LogRhythm labs