The Evolution of Ransomware Extortion Schemes

As the world experienced significant upheaval, the scale of threats facing businesses during the pandemic grew exponentially. Fundamentally, threat actors did not innovate; instead, they advanced the use of tools they already had, with slight modifications, at a much larger scale to take advantage of the instability that defined the changing times.

Most notably, the threat landscape saw the continued evolution of ransomware. Targeted ransomware attacks grew in both the number of attacks and in profitability, encouraging new groups to emerge. To surpass businesses’ established countermeasures, novel attackers entered the scene with new extortion schemes that prompted organizations to rethink ransomware prevention and protection.

Ransomware Learns a New Trick: Double Extortion

Ransomware attacks have existed in one form or another for ages by tech standards – the first ransomware attack dates back to 1989. However, modern ransomware operations are financially-driven businesses, and network operations evolved to a point where there was too much uncertainty to ensure payment, even after a successful attack campaign. Sometimes stymied by advancements in threat detection and confronted with countermeasures such as file redundancy, honeynets and regular backup strategies, a new approach was required that increased the leverage on victims to pay. Threat actors evolved, and barring businesses out of their information was no longer the only priority. Some chose to encrypt and exfiltrate information to pressure victims into payment.

This tactic takes two primary forms; the first is a name-and-shame approach. If a company does not pay the ransom – usually within a short period – the ransomware operative will start publishing data to damage the victim and entice payment. The second tactic entails auctioning the data in criminal underground websites, so if a victim doesn’t pay the ransom, the attacker still generates revenue. The first group to be credited with such an attack was Maze, and inspired by Maze’s success in publishing victims’ information, more ransomware families adopted these extortion schemes to great success, such as DoppelPaymer, Egregor, Conti, REvil and DarkSide.

Exploring New Dimensions

Double extortion has remained a critical approach for ransomware actors even today, but there have been several attempts to improve upon the technique. Much press attention has been dedicated to supply-chain attacks, as seen in the SolarWinds hack at the end of 2020. This is true of significant infrastructure and industrial control system targets, as demonstrated by the Colonial Pipeline breach in May 2021 (though the scale and impact of that attack appeared to have gone far beyond the attacker’s intent). In addition, it is highlighted by attacks on MSPs such as the Kaseya attack from July of 2021.

Beyond that, in February 2021, ransomware actor REvil was associated with a so-called triple extortion attack. They exfiltrated and encrypted data for ransom, but they also launched a distributed denial of service (DDoS) against critical resources for the victim until the ransom was paid. Avaddon performed a similar attack in May 2021. A variation of triple extortion has been reported in some circumstances, whereby an attacker steals and encrypts a victim’s data and uses it to extort money from affected third parties who have an interest in it protecting their data as well. This is particularly evident in the healthcare industry.

The latest variation involves combining all four threats – stolen data, locked files, denial of resources and threatening third parties – into what’s being called quadruple extortion. However, it still seems to be very rare for any single attack to apply all four areas.

Measures to Take

Ransomware is a significant cyber threat to organizations of all sizes and industries. However, preventive measures are available, and should ransomware infiltrate a network, there are methods of recovery without paying cyber-criminals.

First, businesses need to ensure security patches are applied immediately to prevent attackers from exploiting known vulnerabilities. Organizations should also use multi-factor authentication across their infrastructures in a zero-trust configuration to prevent lateral movement.

Maintaining secure backups of all business-critical information, offsite and air-gapped, remains imperative. Furthermore, data should be encrypted at-rest. Keeping security systems up to date with the latest detections to respond to potential attacks proactively is vital. Finally, robust network segmentation helps prevent lateral movement between segregated assets. Of course, constant vigilance is essential for network defense, but that process is built from a foundation of deliberate preparation.

Closing Thoughts

Criminals are swiftly switching lures for exploitation and have increased the risk of a successful attack. Dealing with a ransomware attack during a pandemic adds an extra layer of complexity. Businesses need to adapt to the new threat environment and have clear next steps should they fall victim to an attack. 

Traditional backup methods have worked in the past and should remain top of mind, but new tactics and processes need to be implemented. As ransomware groups continue to evolve their techniques and extend their influence, organizations cannot risk falling behind and exposing their assets.

What’s Hot on Infosecurity Magazine?