Double Extortion Means You Need More than Backups
Until recently, ransomware attackers had a universal problem. Data backups made it possible for victims to recover their encrypted data on their own. This piece of their security strategy removed the need to pay the attackers.
But things changed in November 2019. On a Friday afternoon, a representative of the Maze ransomware group informed Bleeping Computer that it had infected a security staffing company. What made this attack different was the fact that the attackers downloaded data prior to executing their ransomware payload in the company’s network. Doing so helped them to put added pressure on the victim, noted the representative.
As quoted in their email sent to Bleeping Computer:
I uploaded some files from their network as the data breach proofs. If they dont [sic] begin sending requested money until next Friday we will begin releasing on public everything that we have downloaded from their network before running Maze.
The computer self-help website later confirmed that the security staffing firm missed at least one deadline. In response, the Maze ransomware group published nearly 700 MB of data—just 10% of the files stolen from the victim, as the attackers told Bleeping Computer.
Growing Popularity within a Cartel
In the months that followed that attack, the Maze attackers continued to popularize this technique of stealing a victim’s files in plaintext before launching their ransomware payload. They did this by launching “Maze News,” a website for leaking non-compliant victims’ data, as well as by forming a cartel with other ransomware groups for the purpose of sharing experience and infrastructure. The LockBit Ransomware-as-a-Service (RaaS) operation was the first group to join that cartel, for instance, with the Ragnar Locker gang signing on a few days after that.
Other ransomware gangs saw what the Maze cartel was doing, so they in turn began to incorporate data theft into their own attacks. These incidents combining crypto-ransomware and double extortion became quite popular in the first half of 2020. During those six months, ID Ransomware received 11,642 submissions relating to attacks perpetrated by ransomware groups that had committed themselves to stealing their victims’ data. That was just over 11% of the total 100,001 ransomware submissions received during that period, wrote Emsisoft.
Putting This Development into Context
Ransomware attackers have taken to this technique because they understand that backups facilitate data recovery but do nothing to remediate data theft. In other words, they realize organizations can’t use their backups—or anything else, for that matter—to force the attackers to delete whatever information they’ve stolen and now hold on their own servers. This situation creates even greater pressure for organizations, even those with working backups, to pay the ransom. It also empowers particularly greedy attackers to demand two ransoms, one for the decryption utility and the other for the deletion of stolen data. Hence the name “double extortion.”
The problem for organizations is that paying the ransom doesn’t guarantee that the attackers will keep their word. In the case of double extortion, a payment sometimes encourages malicious actors to perpetrate additional attacks. Coveware observed as much in Q3 2020 with five ransomware families. For instance, the security firm witnessed the Sodinokibi gang re-extort victims for the same data just weeks after they received a ransom payment. Other operations like Netwalker and Mespinoza went ahead and posted the data anyway despite having received a ransom payment.
Avoid Data Theft by Preventing a Ransomware Infection
The last thing organizations want is for ransomware gangs to steal their data. Consequently, they should focus on preventing a ransomware infection in the first place. One of the ways they can do that is by strengthening their security posture against email-borne ransomware payloads. A solution that scans incoming messages for threat indicators in real time, all while allowing legitimate correspondence to reach its intended recipients, will help in this regard.