Risk briefing: double extortion ransomware explained

What is double extortion ransomware?

Ransomware has grown from a moderate risk to a major headline-grabbing challenge.

 

In its simplest form, ransomware is malicious software that allows a hacker to restrict access to an individual’s or company’s vital information in some way, and then demand some form of payment to lift the restriction.

 

An extension of these traditional ransomware attacks is double extortion ransomware. This is when adversaries not only encrypt data, but they also exfiltrate a copy of the data giving them additional leverage in demanding payment.

 

As well as causing disruption and financial impact, double extortion strategies open victims up to increased reputational harm and potential compliance breaches, as well as the possibility of compensation to their clients and business partners.

 

Since the emergence of double extortion ransomware, some threat actors have further adapted their attack models to no longer focus on encryption.

 

Instead, they simply steal critical data and use that as their leverage. The continued evolution of ransomware attacks is extremely concerning due to the speed that cybercriminals can now cause long-lasting damage to an organisation’s systems.

 

How is ransomware evolving - is it on the rise? 

Ransomware is one of the most damaging and frequent forms of cyberattack facing modern organisations and is a security challenge that is constantly evolving.

 

Threat actors are going after bigger targets for bigger pay-outs, leaving no organisation safe from attack. It is a growing problem, with a total of 236.1 million ransomware attacks hitting organisations worldwide in the first half of 2022, according to Statista.

 

Despite a greater awareness of ransomware, organisations are still falling victim to this ever-growing risk.

Threat actors are continuing to ramp up their attack methods, focusing more on stealing and corrupting data rather than encrypting it for faster and easier attacks.

”Threat actors are going after bigger targets for bigger pay-outs, leaving no organisation safe from attack.”

When a threat actor encrypts data, they need to manage the whole decryption process and this exposes them to risk as well as additional overhead.

To simplify this process, threat actors are now going straight in with stealing organisation’s data and bypassing the encryption step altogether.

 

And if all that wasn’t enough, we’ve seen a rise of triple extortion tactics over the past couple of years. These attacks see malicious actors seek ransom from not only the initially targeted organsation or individual, but also from anyone who might be impacted by the exposure of that data.

 

What are the implications for risk managers and the organisations they work for? 

 

Cybersecurity is not a discipline of delivering point solutions; it is a continual process of addressing risk.

As threat actors develop their tactics and techniques, defenders must adapt and update their defences. Nowhere is this more relevant than in the area of ransomware.

Doing the basics well and implementing an ongoing discipline of reviewing and improving the organisation’s security posture is essential to defend against this type of attack.

”Organisations that fail to keep up with evolving ransomware tactics face long-term damage to their business operations and reputation.”

 

While ransomware attacks frequently hit the headlines, the ramifications for targeted organisations and individuals are often much broader than the reputational issue, with the impact often directly felt by customers, employees, and the general public.

Organisations that fail to keep up with evolving ransomware tactics face long-term damage to their business operations and reputation.

 

Ransomware is a threat that is too dangerous to ignore, with attacks on organisations now being a matter of ‘when’ rather than ‘if’.

 

What are the implications of failing to mitigate against ransomware attacks?

 

Ransomware attacks can severely impact organisations of all sizes across multiple industries and sectors.

 

One of the most important things to remember is that these attacks are not victimless crimes. When threat actors breach key infrastructure, such as schools and hospitals, they are directly disrupting children’s education and patient’s medical care.

When they breach a local government organisation, the effects are most keenly felt by those most vulnerable in our society.

The impacts of cyberattacks are wide-reaching and the consequences are felt in the physical world - by real people.

”Organisations must put defence and mitigation at the front and centre of their security strategy.”

 

From a business perspective, lost productivity, loss of business, inconvenience to customers, data leaks and permanent loss of data are all potential consequences of being hit by an attack.

Even paying ransom demands doesn’t guarantee that systems will be entirely restored. The effects of ransomware attacks are often felt for years after the incident, with organisations facing the possibility of never fully recovering from the attack.

 

With such high stakes at risk, organisations cannot afford to take their chances when it comes to defending against ransomware. Organisations must put defence and mitigation at the front and centre of their security strategy.

 

What should risk managers do to minimise the exposure? What are the key mitigation steps? 

 

It’s clear that ransomware attacks are here to stay, so organisations must remain vigilant at all times.

 

One of the most important methods to minimise exposure is getting the basics of cybersecurity right. Implementing two factor authentication, a regular program of patching, and ensuring critical data is regularly backed up are the cornerstones of a solid security program.

Regular end-user education sessions are essential to ensure all employees are aware of the latest threat trends and the strategies that cybercriminals use to gain access to systems.

 

To arm against these constantly evolving and potentially costly threats, organisations should also ensure they have a reliable security information and event management (SIEM) solution in place.

”It’s clear that ransomware attacks are here to stay, so organisations must remain vigilant at all times.”

60% of organisations who experienced a ransomware attack did not have a SIEM platform deployed, and whilst neither a SIEM nor any other solution is a guarantee against ransomware, the absence of SIEM in particular leads to monitoring silos, limited ability to detect end-to-end threats and inefficient security operations.

 

Cyber insurance is also a valuable tool in the overall risk management strategy.

Should the worst happen, having the ability to call on resources and expertise to help assess the incident and devise the best response is invaluable, including determining whether or not a ransom should in fact be paid.

 

The threats posed by ransomware will continue to be a top challenge for organisations of all sizes.

Staying ahead of these growing risks depends on your level of preparation and the tools you deploy to monitor your systems to detect, shut down and contain suspicious activity.