By the time you have finished reading this sentence, an organisation somewhere in the world would have fallen victim to a ransomware attack and had at least some of its corporate data encrypted. On average in 2020, the criminals behind ransomware attacks hit a new organisation every 10 seconds.
Less than five years ago, the cadence of attacks was around one every 40 seconds. This shows just how the cyber-crime economy relies on ransomware as a revenue generator.
It is estimated that ransomware cost businesses worldwide around US$20 billion in 2020, a figure that’s nearly 75% higher than in 2019. And as if that wasn’t bad enough, criminals have added a new tactic to the familiar ransomware playbook, putting added pressure on victims to meet their demands.
This new approach is known as ‘double extortion,’ and involves two key stages. First, the ransomware gang stealthily infiltrates the target’s network and steals volumes of sensitive data; then having taken the data, they deploy ransomware to encrypt the files. The attackers then threaten to release the breached data publicly unless the ransom payment is paid within the designated timeframe.
They also usually publish a sample of the stolen data on the public Internet to prove their intentions. This puts additional pressure on victims to meet the attackers’ demands, as well as exposing the victim to penalties from data watchdogs for the data breach, and the need to alert affected customers, partners and consumers whose data has been breached.
In these instances, it really can feel like a lose-lose situation for companies that have been targeted. Perhaps that’s why so many victims are willing to pay the criminals, even against strong recommendations from the likes of the FBI.
A recent IBM survey of more than 600 business leaders found that 7 in 10 had, at some point, paid a ransom to regain control of their data. This willingness to pay inevitably fuels further ransomware attacks, and the ‘double extortion’ method simply ratchets the pressure on victims to the next level.
Don’t pay the ransom
And over the past 12 months, double extortion attacks have become increasingly common as its ‘business model’ has proven effective Equinix was hit by the Netwalker ransomware. The threat actor behind that attack was also responsible for the attack against K-Electric, the largest power supplier in Pakistan, demanding US$4.5 million in Bitcoin for decryption keys and to stop the release of stolen data.
Other companies known to have suffered such attacks include the French system and software consultancy Sopra Steria; the Japanese game developer Capcom; the Italian liquor company Campari Group; the US military missile contractor Westech; the global aerospace and electronics engineering group ST Engineering; travel management giant CWT, who paid US$4.5M in Bitcoin to the Ragnar Locker ransomware operators; business services giant Conduent; even soccer club Manchester United.
Research shows that in Q3 2020, nearly half of all ransomware cases included the threat of releasing stolen data, and the average ransom payment was US$233,817 – up 30% compared to Q2 2020. That’s just the average ransom paid. In a recent attack, the victim paid a remarkable US$34 million.
Even when ransom demands are met, there is still no guarantee that the attackers will honour their promise to release the files, and keep stolen data out of the public domain. At Check Point, we don’t recommend paying ransom, either from company funds or via cyber-insurance policies. This merely feeds the criminal economy and encourages criminals to attack again.
What are the ways to protect your organisation
So how should organisations defend themselves against both conventional ransomware and double-extortion attacks? It’s important to note that in many cases, ransomware is not delivered directly to networks, but is preceded by an initial trojan infection planted by the ransomware gang – especially the Trickbot trojan.
IT teams should be vigilant for any signs of a trojan on their networks, and in preventing these pre-infections, regularly updated anti-virus software plays a key role. We recommend running a full compromise assessment any time there are signs of intrusion.
The other main infection vector involves RDP (Remote Desktop Protocol) ransomware. Threat actors identify open RDP servers and either perform a brute force login attack or utilise phished credentials to gain access to RDP servers. Once on the server, the attacker obtains elevated privileges and moves laterally to plant ransomware on network endpoints.
To protect against this vector, organisations should patch relevant RDP vulnerabilities and protect their RDP servers with strong passwords and two-factor authentication.
In addition to the measures outlined above, organisations should deploy dedicated anti-ransomware solutions that constantly monitor for ransomware-specific behaviours and identifies illegitimate file encryption, so that an infection can be prevented and quarantined before it takes hold, and files automatically restored to their original state. With these protections in place, organisations will be better able to prevent falling victim to double extortion attempts.
Sharat Sinha is Vice President/ General Manager, APAC at Check Point Software Technologies
