Authored by: Lotem Finkelsteen, Manager of Threat Intelligence, Check Point Software Technologies
Researchers at Check Point see a rising trend in a new ransomware tactic. In what researchers call “double extortion”, the tactic is when threat actors add an additional stage to a ransomware attack: prior to encrypting a victim’s database, hackers will extract large quantities of sensitive information, threatening the publication of it unless ransom demands are paid, placing more pressure on victims to meet the demands of threat actors. To prove the validity of the threat, threat actors leak a small portion of sensitive information to the dark web, dangling intimidation that more is to follow if ransom goes unpaid.
The “Double Extortion” Process
Threat actor gains entry into a victim’s network
Threat actor extracts sensitive data, such as customer details, financial and employee details, patient records, and more
Threat actor encrypts the files and demands ransom from victim
Threat actor threatens leak of gathered sensitive data
To prove validity of threat, threat actor leaks small portion of extracted information to dark web
Emergence in November 2019
The first published case of double extortion took place in November 2019 and involved Allied Universal, a large American security staffing company. When the victims refused to pay a ransom of 300 Bitcoins (approximately US$2.3 million), attackers, who used “Maze” ransomware, threatened to use sensitive information extracted from Allied Universal’s systems, as well as stolen email and domain name certificates, for a spam campaign impersonating Allied Universal. To prove their point, the attackers published a sample of the stolen files including contracts, medical records, encryption certificates and more. In a later post on a Russian hacking forum, the attackers included a link to what they claimed to be 10% of the stolen information as well as a new ransom demand that was 50% higher. Maze has since published the details of dozens of companies, law firms, medical service providers and insurance companies who have not given in to their demands. It is estimated that many other companies avoided publication of their sensitive data by paying the ransom demanded.
Information Leak Sites Follow Trend
Cybercriminal groups have followed the new double extortion tactic, opening their own sites to publish and leak stolen information as a means to apply additional pressure on their victims to pay ransom. Attackers utilising Sodinokibi ransomware (aka REvil) published details of their attacks on 13 targets, as well as proprietary company information stolen from the targeted organisations. The National Eating Disorders Association was the last in the list of victim organisations.
Additional attacks that have joined the trend include Clop ransomware, Nemty, DopplelPaymer and more. Information published on these sites was soon found to be offered for sale by the ransomware group itself or by other criminals who collected the data from the dumpsites.
Check Point Research issues caution to hospitals, as they are prime targets for ransomware attacks given their inundation with the coronavirus. Ransomware attacks have affected more than 1,000 health care organisations in the United States alone since 2016, with costs totaling more than US$157 million, according to a recent analysis. In 2017, dozens of British hospitals and surgeries were affected by ransomware known as WannaCry, which resulted in thousands of canceled appointments and the closing of some accident and emergency departments. In 2019, several U.S. Hospitals had to turn away patients after another spate of ransomware attacks.
How Hospitals and Enterprises can Protect Themselves
In the ongoing fight against constantly-evolving ransomware tactics, the best defence is to prevent becoming a victim in the first place. Check Point has previously detailed its best practices to help you avoid being a ransomware victim, but to recap:
1. Back Up Your Data and Files
It’s vital that you consistently back up your important files, preferably using air-gapped storage. Enable automatic backups, if possible, for your employees, so you don’t have to rely on them to remember to execute regular backups on their own.
2. Educate Employees to Recognize Potential Threats
The most common infection methods used in ransomware campaigns are still spam and phishing emails. Quite often, user awareness can prevent an attack before it occurs. Take the time to educate your users, and ensure that if they see something unusual, they report it to your security teams immediately.
3. Limit Access to Those That Need It
In order to minimise the potential impact of a successful ransomware attack against your organisation, ensure that users only have access to the information and resources required to execute their jobs. Taking this step significantly reduces the possibility of a ransomware attack moving laterally throughout your network. Addressing a ransomware attack on one user system may be a hassle, but the implications of a network-wide attack are dramatically greater.
4. Keep Signature-Based Protections Up-To-Date
From the information security side of things, it is certainly beneficial to keep antivirus and other signature-based protections in place and up-to-date. While signature-based protections alone are not sufficient to detect and prevent sophisticated ransomware attacks designed to evade traditional protections, they are an important component of a comprehensive security posture. Up-to-date antivirus protections can safeguard your organisation against known malware that has been seen before and has an existing and recognised signature.
5. Implement Multi-Layered Security, Including Advanced Threat Prevention Technologies
In addition to traditional, signature-based protections like antivirus and IPS, organisations need to incorporate additional layers to prevent against new, unknown malware that has no known signature. Two key components to consider are threat extraction (file sanitisation) and threat emulation (advanced sandboxing). Each element provides distinct protection, that when used together, offer a comprehensive solution for protection against unknown malware at the network level and directly on endpoint devices.