Double Trouble: How Ransomware 2.0 Puts Your Data Under Threat

It’s 2021, and today, ransomware is nastier than ever. It has evolved from amateurish software sent en masse into a new, more sophisticated threat, targeting specific companies as part of a broader attack chain. The criminals behind it are smarter – and so are their monetization methods. Welcome to the worrying world of double-extortion ransomware.

Dmitry Bestuzhev, director of Kaspersky’s global research and analysis team in Latin America, calls this latest evolution ransomware 2.0. “Ransomware used to be about encrypting files only, but nowadays, the encryption phase is the last step in the attack,” he explains. “It’s about stealing information, exfiltrating data and publishing extortion.”

Traditional ransomware is focused purely on encrypting files and demanding a ransom for a decryption key. This incurs a higher risk of failure for attackers, because a victim with adequate backups would not need to pay for the key. While ransomware evolved to search out backup servers on victims’ networks, proper backup strategies with air-gapped media were still immune. In addition, the No More Ransom project, created by Europol, McAfee, Kaspersky and Dutch law enforcement organization Politie, distributed keys among victims to combat the problem.

Stealing the data before they encrypt it gives attackers a second monetization option. Even if the victim can recover the data, they likely do not want sensitive information published. Attackers blackmail them to keep it quiet.

Double extortion ransomware is a growing problem, according to a Q3 2020 ransomware report from ransomware mitigation company Coveware. Nearly half of all ransomware cases included a data publication threat, the research claimed.

How Double-Extortion Ransomware Works

Double-extortion ransomware infection methods mirror those of traditional ransomware. Spear-phishing is still a common way for these toxins to find their way onto victims’ systems, while software vulnerabilities are also an attack vector. According to Coveware, the most popular route for ransomware onto victims’ machines is still the use of exposed Remote Desktop Protocol (RDP) ports. These ports, which enable remote access on Windows networks, are a gift for attackers.

The race to find RDP weaknesses is now so frantic that it has become a business in its own right, explains Bruno Halopeau, CTO of the CyberPeace Institute, a Geneva-based non-profit that helps cyber-attack victims.

There are cyber-criminal groups dedicated to finding open RDP ports and then using brute force techniques to access their login credentials, offering them for sale on the dark web.

“They found out that more and more ransomware groups need that,” Halopeau says. “So now, those RDP shops are less open. They are increasingly reserved for operators who want exclusive access to those RDP connections.”

Getting into the network is only the first part of the process for a double-extortion ransomware group, explains John Fokker, principal engineer and head of cyber-investigations for McAfee’s Advanced Threat Research team. Prior to joining McAfee, he worked at the National High-Tech Crime Unit (NHTCU), the Dutch national police unit dedicated to investigating advanced forms of cybercrime.

“From there on, the attacker will try to move through the network to escalate their privileges and gain complete control of the network,” Fokker says.

Open-source penetration testing scripts and frameworks are often go-to tools for these attackers. Tools like CobaltStrike, Metasploit or Covenant are common among ransomware thieves. The ransomware gangs will usually steal the data before encrypting it, using common FTP tools to get it out.

“In the final stage, the criminals use their high-privilege accounts to turn off any security products and to automate distribution of the ransomware binary across the network,” he continues.

Tracking the Ransomware Perpetrators

Who are the groups behind these ransomware attacks? Kaspersky has identified 28 targeted ransomware groups, many of which focus on double-extortion techniques.

These players have become far more sophisticated in recent years, warn experts. “They are well-networked, resilient and care little about international law enforcement, as many of them operate in jurisdictions beyond its reach,” says Mark Raeburn, CEO and founder of UK-based technical security consulting company Context Information Security, which is part of Accenture Security.

“Some of the crews are highly experienced; cybercrime veterans who have netted tens of millions of dollars and can use that money to purchase the best human and technical skills to further their goals,” he added.

One of the most pernicious players in this space was Maze, a gang that habitually listed uncooperative ransomware victims on its website. The group also released files that it had stolen from its victims. In November 2019, it dropped nearly 700MB of files stolen from Allied Universal. It also blackmailed cable manufacturer Southwire. Coveware notes that Maze shuttered its operation in Q3 2020, migrating instead to a splinter group called Egregor, which forked the Maze malware. The Sekhmet ransomware variant also used some of the Maze source code.

Double-extortion ransomware group REvil (also known as Sodinokibi) goes further than simply leaking the data, putting purloined data up for auction to the highest bidder. The gang famously stole sensitive data about celebrities from law firm Grubman Shire Meiselas & Sack in a May 2020 ransomware attack, subsequently publishing some of it online after the company refused to pay. It then threatened to auction off stolen data on popstar and actress Madonna.

Defense Strategies

This evolution in ransomware sharpens the need for strong defenses. Organizations that relied purely on backups in the past must adopt more mature cybersecurity strategies, warn experts. They might not need to pay for a key in the wake of a successful encryption attack, but they will still face the prospect of their sensitive data going public. Now more than ever, prevention is key.

All the regular cybersecurity hygiene rules apply, such as regular software patches and application whitelists, but companies must dig deeper. Encrypting data at rest (and protecting the decryption keys) is an important step to render data unusable if stolen, but that will only help if attackers fail to gain access to the accounts that can access the decrypted data. That’s why privilege-based account access is key, perhaps with separation of duties for especially sensitive files.

Beyond that, network segmentation is important, warns Michael Daniel, CEO of the Cyber Threat Alliance, a non-profit working to enhance digital security. Daniel, who served from 2012 to 2017 as special assistant to President Obama and cybersecurity coordinator on the National Security Council, says that this is helpful in preventing lateral movement if ransomware crooks do make it into a system.

Companies can do even more by thinking about how they store data and considering what data they collect, says Daniel. He suggests uncoupling sensitive data from non-sensitive files. In some hybrid cloud scenarios, for example, companies will replace sensitive record fields with tokens pointing to another more closely protected system. “If they do not need to be combined, then do not combine them just because it’s easier on the IT staff,” he advises.
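The tokenization pattern Daniel describes, written up as an added example (not code from the article or from any named organization): sensitive fields are swapped for opaque random tokens, the token-to-value mapping lives in a separate vault that demands a privileged role to read, and the main record store never holds the raw values. The role check and field names are assumptions for illustration.

```python
import secrets

# Constructed sample record mixing sensitive and non-sensitive fields.
SENSITIVE_FIELDS = ("ssn", "diagnosis")
SAMPLE = {"customer_id": 1042, "name": "A. Example",
          "ssn": "123-45-6789", "diagnosis": "constructed sample note"}


class TokenVault:
    """Separately protected store mapping tokens to sensitive values.
    Assumed design: in practice this sits on a different, more tightly
    controlled system with its own access controls and audit trail."""

    def __init__(self):
        self._store = {}

    def tokenize(self, value):
        # Random, unguessable token: it reveals nothing about the value.
        token = "tok_" + secrets.token_urlsafe(16)
        self._store[token] = value
        return token

    def detokenize(self, token, caller_role):
        # Assumed privilege gate: only a privileged role may rejoin data.
        if caller_role != "privileged":
            raise PermissionError("detokenization requires privileged role")
        return self._store[token]


def split_record(record, vault):
    """Return a copy of the record with sensitive fields replaced by tokens."""
    out = dict(record)
    for name in SENSITIVE_FIELDS:
        if name in out:
            out[name] = vault.tokenize(out[name])
    return out


def rejoin_record(tokenized, vault, caller_role):
    """Resolve tokens back to values; fails unless the caller is privileged."""
    out = dict(tokenized)
    for name in SENSITIVE_FIELDS:
        if name in out:
            out[name] = vault.detokenize(out[name], caller_role)
    return out


def leaks_sensitive_values(tokenized, record):
    """True if any sensitive value survives in the tokenized copy."""
    return any(tokenized.get(n) == record[n]
               for n in SENSITIVE_FIELDS if n in record)
```

An attacker who exfiltrates only the tokenized store gets customer IDs and names but no sensitive values; the vault must be compromised separately, which is the point of keeping the two uncoupled.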

Harden your data strategy further by avoiding the collection of data that you do not need, he adds. This minimizes the risk to yourself and your customers, and is a core tenet of GDPR.

With all this done, you may still fall victim to a double-extortion ransomware group. What then? The US Office of Foreign Assets Control (OFAC) warned in October that ransomware payments could violate its rules. In any case, payment is even less likely to guarantee peace of mind in a double-extortion attack, warn experts, because there is nothing to stop ransomware crooks from approaching victims again for a second payment. According to Coveware, ransomware group Sodinokibi returned to re-extort victims who had already paid it to keep stolen data under wraps.

Even if the original perpetrators do not re-extort victims, there is a danger that someone could compromise their infrastructure, warns Kaspersky’s Bestuzhev. Furthermore, the group could sell the information on to other actors who might approach the victim themselves.

Coveware saw Maze and variants posting data on leak sites before the victim even realized that data had been taken. Victims of the Netwalker and Mespinoza double-extortion ransomware groups both saw their data posted after it had been leaked, it added.

The priority for victims of a double-extortion attack should be impact assessment and damage control, say experts.

“You have to think very carefully and try to do some analysis on how bad it really is if it [your data] gets published,” Daniel says.

Fokker adds that an extortion playbook is a must for handling ransomware double-dippers. “Having a solid media strategy can help control the narrative and essentially weaken the threat and impact of data disclosure,” he advises. “Having all these points thought out, practiced and printed out beforehand can save valuable time when an attack does happen.”

Expect things to get worse, warn experts. “The pandemic recession is likely to increase the number of lower tier, newly impoverished operators drawn to the scene and the huge profits available, which will probably increase the tempo of incidents,” says Raeburn. “At the higher end, there is evidence that the market for criminal skills and services is thriving, leading to specialization and professionalization.” In short, criminals are going to get even better at this.

We are already seeing double-extortion attacks evolve into what Daniel calls triple-extortion, where the attacker extorts not just the company controlling the data, but also the individuals whose data has been stolen. One notable example was the theft of data from Finnish psychotherapy clinic Vastaamo. Although there is no indication that attackers encrypted the data, they approached the employees of the company and also extorted patients. They published highly sensitive therapy notes about patient sessions on the dark web.

To combat this evolving threat, the Cyber Threat Alliance, the CyberPeace Institute and McAfee are among 19 companies that created the Ransomware Task Force at the end of December. It will create a framework for dealing with ransomware attacks, explains Daniel. As the stakes continue to rise, a concerted multi-party effort to stamp out this mounting threat could not have come soon enough.
