By the time you have finished reading this sentence, an organisation somewhere in the world will have fallen victim to a ransomware attack and had at least some of its corporate data encrypted. Globally, on average, the criminals behind ransomware attacks hit a new organisation every 10 seconds; less than five years ago, it was every 40. Recently, Colonial Pipeline, a major US fuel company, made headlines after falling victim to such an attack, and in 2020 it is estimated that ransomware cost businesses worldwide almost £15 billion – a figure that is nearly 75% higher than in 2019.
In the UK specifically, our researchers have identified 22 ransomware attacks on organisations this year, which is a staggering 2,414% increase over the same period in 2020. Clearly, organisations need to be more aware that they’re at risk and where the risks are.
Last year we highlighted a new approach known as ‘double extortion’, which gained popularity throughout the Covid-19 pandemic. This is where hackers steal sensitive data and threaten to release it publicly unless a payment is made. Now we are seeing prominent attacks point to a new attack chain – essentially an expansion to the double extortion technique, integrating an additional, unique threat to the process – and we call this Triple Extortion.
The first notable case is the Vastaamo clinic attack, which happened in October 2020. An innovation at the time: the 40,000-patient Finnish psychotherapy clinic suffered a yearlong breach that culminated in extensive patient data theft and a ransomware attack. A sizeable ransom was demanded from the healthcare provider, but, surprisingly, smaller sums were also demanded from the patients, who received the ransom demands individually by email. In those emails, the attackers threatened to publish their therapy session notes. This was the first attack of its kind in the ransomware landscape.
On a wider scale, in February 2021 the REvil ransomware group announced that they had added two stages to their double extortion scheme – DDoS attacks and phone calls to the victim’s business partners and the media. The REvil ransomware group, responsible for the distribution of the Sodinokibi ransomware, operates in a Ransomware-as-a-Service (RaaS) business model. The group now offers DDoS attacks and voice-scrambled VoIP calls to journalists and colleagues as a free service for its affiliates, aimed at applying further pressure on the victim’s company to meet ransom demands within the designated timeframe.
It seems that even when riding the wave of success, threat groups are in a constant quest for more innovative and more fruitful business models. We can only assume that creative thinking and careful analysis of the complex double extortion scenario have led to the development of the third extortion technique. Third-party victims, such as company clients, external colleagues and service providers, are heavily affected and damaged by data breaches caused by these ransomware attacks, even if their network resources are not targeted directly. Whether further ransom is demanded from them or not, they are powerless in the face of such a threat and have a lot to lose should the incident take a wrong turn. Such victims are a natural target for extortion and might be on the ransomware groups’ radar from now on.
It’s always been the case that ‘defenders need to be right all the time, attackers only need to get it right once’. We hear a lot about the ‘sophistication’ of ransomware attacks, but for the most part they’re not sophisticated. The organisations that became infected could often have done something about it, but hindsight is always easy and it’s easy to point the finger and say someone could have done more.
A lot of the recommendations that organisations get after the incident are the same and focus on prevention, protection, detection and response.
But it’s important to note that in many cases, ransomware is not delivered directly to networks but is preceded by an initial infection; we’ve seen banking Trojans, keyloggers and frameworks such as Cobalt Strike commonly used. IT teams should be vigilant for any signs of infection on their networks, and in preventing these pre-infections, regularly updated endpoint protection software plays a key role. We recommend running a full compromise assessment any time there are signs of intrusion.
Other infection vectors have involved RDP (Remote Desktop Protocol). Threat actors identify open RDP servers and either perform a brute force login attack or utilise phished credentials to gain access to servers. Once on the server, the attacker obtains elevated privileges and moves laterally to deploy ransomware to network endpoints. We’ve also seen other remote access facilities being targeted and used in the same way. To protect against this vector, organisations should patch relevant vulnerabilities and protect their servers and remote access facilities with strong passwords and two-factor authentication.
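The RDP brute-force pattern described above leaves a clear trace in the Windows Security log: a burst of failed logons (Event ID 4625) with logon type 10 (RemoteInteractive) from one source, sometimes followed by a successful logon (Event ID 4624) from the same source. The following detector is an added example, not code from the article or from Check Point; it assumes those events have been exported as one whitespace-separated text record per line in the field order shown, and the sample records are constructed for the demo.

```python
"""Flag RDP brute-force attempts from exported Windows Security log records.

Added example (not from the article or Check Point). It assumes logon events
have been exported as one record per line with the fields:
    <ISO timestamp> <event id> <logon type> <target account> <source IP>
The records below are constructed for this demo.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: one source tries six accounts in ten seconds and then
# gets in; a second source fails twice before a normal successful logon; the
# last line is a network (type 3) logon, which is not RDP and is ignored.
SAMPLE_EVENTS = """\
2021-05-20T02:14:01 4625 10 administrator 203.0.113.7
2021-05-20T02:14:03 4625 10 admin 203.0.113.7
2021-05-20T02:14:04 4625 10 backup 203.0.113.7
2021-05-20T02:14:06 4625 10 sqlsvc 203.0.113.7
2021-05-20T02:14:08 4625 10 jsmith 203.0.113.7
2021-05-20T02:14:09 4625 10 administrator 203.0.113.7
2021-05-20T02:14:11 4624 10 jsmith 203.0.113.7
2021-05-20T09:30:12 4625 10 jsmith 198.51.100.22
2021-05-20T09:30:40 4625 10 jsmith 198.51.100.22
2021-05-20T09:31:05 4624 10 jsmith 198.51.100.22
2021-05-20T11:00:00 4625 3 svc_print 192.0.2.5
"""

FAILED_LOGON = "4625"   # Windows Security: an account failed to log on
SUCCESS_LOGON = "4624"  # Windows Security: an account was successfully logged on
RDP_LOGON_TYPE = "10"   # RemoteInteractive (Terminal Services / RDP)


def parse_events(text):
    """Parse the export into (timestamp, event_id, logon_type, account, source_ip) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, logon_type, account, src = line.split()
        events.append((datetime.fromisoformat(ts), event_id, logon_type, account, src))
    return events


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return alerts for sources with >= threshold failed RDP logons inside a sliding window.

    A successful RDP logon from a source that has already tripped the threshold is
    reported separately as 'success_after_failures': that is the case to escalate,
    because the attacker described in the article is now on the server.
    """
    alerts = []
    failures = defaultdict(deque)  # source IP -> timestamps of recent failures
    already_alerted = set()
    for ts, event_id, logon_type, account, src in sorted(events):
        if logon_type != RDP_LOGON_TYPE:
            continue
        recent = failures[src]
        if event_id == FAILED_LOGON:
            recent.append(ts)
            while recent and ts - recent[0] > window:  # drop failures outside the window
                recent.popleft()
            if len(recent) >= threshold and src not in already_alerted:
                alerts.append({"source": src, "kind": "bruteforce",
                               "failures": len(recent), "at": ts})
                already_alerted.add(src)
        elif event_id == SUCCESS_LOGON and src in already_alerted:
            alerts.append({"source": src, "kind": "success_after_failures",
                           "account": account, "at": ts})
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

Run against the constructed sample, the detector raises two alerts for 203.0.113.7 (the burst, then the successful logon as jsmith) and nothing for the user who mistyped a password twice. The threshold and window are the tuning knobs; the same logic applies to other remote access facilities once their failed and successful logons are normalised into the same record shape.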
In addition to the measures outlined above, organisations should deploy dedicated anti-ransomware solutions that constantly monitor for ransomware-specific behaviours and identify illegitimate file encryption, so that an infection can be blocked and quarantined before it takes hold, and files automatically restored to their original state. With these protections in place, organisations will be better able to avoid falling victim to double and now triple extortion attempts.
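To make the "ransomware-specific behaviours" above concrete, here is a small behavioural detector written as an added example; it is not Check Point's product logic or any code from the article. It assumes a file-activity feed that reports, per write, the process name, the path before and after the write, and the bytes written, and it combines two signals that illegitimate encryption usually shows together: the written content has near-random entropy, and the file's extension changed. Either signal alone is noisy (archives and media are high-entropy; renames are common), so a process is flagged only when several writes show both. All events below are constructed.

```python
"""Behavioural detection of illegitimate file encryption.

Added example, not Check Point's product logic. It assumes a file-activity feed
of (process, old_path, new_path, data_written) tuples; the events below are
constructed for this demo, including the process name "unknown_proc.exe".
"""
import math
import os
import random
from collections import defaultdict

ENTROPY_THRESHOLD = 7.5     # bits per byte; encrypted output sits close to 8.0
MIN_SUSPICIOUS_WRITES = 3   # writes from one process before it is flagged


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the written content: ~8.0 for ciphertext, much lower for text."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def score_event(old_path, new_path, data):
    """Return the set of ransomware-like signals a single write exhibits."""
    signals = set()
    if shannon_entropy(data) >= ENTROPY_THRESHOLD:
        signals.add("high_entropy")
    if os.path.splitext(old_path)[1].lower() != os.path.splitext(new_path)[1].lower():
        signals.add("extension_changed")
    return signals


def detect_encryption(events):
    """Return {process: [paths]} for processes whose writes look like mass encryption.

    Only writes that show both signals count; a process is reported once it has
    produced MIN_SUSPICIOUS_WRITES of them.
    """
    suspicious = defaultdict(list)
    for process, old_path, new_path, data in events:
        if {"high_entropy", "extension_changed"} <= score_event(old_path, new_path, data):
            suspicious[process].append(new_path)
    return {p: paths for p, paths in suspicious.items() if len(paths) >= MIN_SUSPICIOUS_WRITES}


# Constructed sample data: a deterministic pseudo-random blob stands in for
# ciphertext, and a repeated sentence stands in for an ordinary document.
_rng = random.Random(1)
ENCRYPTED_BLOB = bytes(_rng.getrandbits(8) for _ in range(4096))
PLAIN_TEXT = b"Quarterly report: revenue up 4% on the prior period.\n" * 80

SAMPLE_EVENTS = [
    # a word processor saving a document: low entropy, same extension
    ("winword.exe", r"C:\Users\a\report.docx", r"C:\Users\a\report.docx", PLAIN_TEXT),
    # a user creating an archive: high entropy but no extension change, so not flagged
    ("7z.exe", r"C:\Users\a\backup.zip", r"C:\Users\a\backup.zip", ENCRYPTED_BLOB),
    # three files rewritten with ciphertext and renamed with a new extension
    ("unknown_proc.exe", r"C:\Users\a\report.docx", r"C:\Users\a\report.docx.locked", ENCRYPTED_BLOB),
    ("unknown_proc.exe", r"C:\Users\a\budget.xlsx", r"C:\Users\a\budget.xlsx.locked", ENCRYPTED_BLOB),
    ("unknown_proc.exe", r"C:\Users\a\photo.jpg", r"C:\Users\a\photo.jpg.locked", ENCRYPTED_BLOB),
]

if __name__ == "__main__":
    for process, paths in detect_encryption(SAMPLE_EVENTS).items():
        print(f"{process}: {len(paths)} suspicious writes, e.g. {paths[0]}")
```

On the constructed feed only unknown_proc.exe is reported; the archiver and the word processor pass. In a real deployment the response to such an alert is the part the article describes: suspend the offending process and restore the affected files from the pre-write copies the protection layer keeps, which is why detecting the behaviour early, after a handful of files, matters more than the exact thresholds used here.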
Contributed by Jon Niccolls, EMEA Lead, Incident Response, Check Point Software