Ransomware operators, spurred on by success, now brazenly advertise their services on underground forums. Along with this has come increased sophistication in attack methodology. Attackers now overwhelmingly add threats of double and triple extortion to their ransom demands, increasing pressure on victims to comply. A new Venafi survey shows that 83% of successful ransomware attacks feature double/triple extortion. Particularly worrisome to respondents is that attack methodologies are evolving faster than the security controls needed to protect against them.
Ransomware no longer operates as a relatively straightforward “lockout” that blocks access to an organization’s data by encrypting files and then demanding a ransom to decrypt them. Criminals now add features or stages to their attacks, most commonly manifested as double and triple extortion.
Double extortion, which emerged as a trend in the first quarter of 2020, extracts sensitive commercial data before encrypting a victim’s database, according to Check Point Research. Bad actors then threaten to publish the private data in an effort to ratchet up the pressure. Triple extortion, a trend that followed soon after, targets an organization’s customers or suppliers with threats to expose data that has been gathered from the victim organization.
A further breakdown of the data shows these new forms of ransomware—such as those extorting customers—are becoming more common, according to Venafi’s data on attack schemes.
Organizations surveyed who were hit by ransomware experienced the following tactics:
Especially troubling are the organizations that paid the ransom but still had their data exposed. While 16% of the organizations that refused to pay the ransom had their data exposed on the dark web, 18% of companies who paid the ransom still had their data exposed on the dark web. And of those victims who paid the ransom, 35% weren’t able to retrieve their data.
A serious challenge for companies is that ransomware attack methodologies are evolving faster than security controls, which is driving up spending on ransomware controls. And the additional pressure exerted by double/triple extortion makes it harder for organizations to reject demands.
"It is very easy and quick for ransomware developers to add new exploits or capabilities to their malware,” said Yana Blachman, Threat Intelligence Analyst at Venafi. “Every new exploit for a vulnerability that is exposed online can be used within a few days by ransomware developers in their attacks."
“For defenders, on the other hand, security controls are much harder to implement because it can take weeks or months to respond with patches and new controls,” according to Blachman.
But one of the most troubling trends involves sensitive data that has already been exfiltrated. This weapon of attack skirts typical defenses and ratchets up the pressure to pay, as the Cybersecurity and Infrastructure Security Agency (CISA) points out in an advisory. That data becomes yet more leverage for the bad guys. And increasingly customer data is part of the haul.
“Some of the actors are very, very aggressive” when contacting third parties, Jen Miller Osborn, Deputy Director of Threat Intelligence, Unit 42 at Palo Alto Networks, told Venafi in an interview. “They’ll say, ‘hey did you know that this was going on? Your data is involved. You know, there’s your banking information, there’s private pictures.’”
At this point, typical defenses for ransomware such as backups and restoration of systems and data don’t apply.
“Attackers get their hands on sensitive and private data that perhaps the whole business relies on,” said Blachman. “They also understand that organizations have implemented recovery systems and backups—now that ransomware is practically everywhere—and this is their best shot at getting their targets to pay.”
More than three quarters of those surveyed say governments need to step in and help companies combat ransomware and that companies and governments need to work together.
By the end of 2021, it’s estimated that an organization will be hit by ransomware every 11 seconds. The U.S. government has become more proactive in its efforts to combat ransomware. CISA now has a website, Stop Ransomware, devoted to providing best practices to mitigate the chances of a ransomware attack. The site includes tools such as the Cyber Security Evaluation Tool (CSET), which has been updated to include a new module: Ransomware Readiness Assessment (RRA).
But that doesn’t mean ransomware is going to conveniently fade away.
“There is no single way to tackle ransomware. It’s going to happen,” said Eddie Glenn, Senior Product Marketing Manager at Venafi.
Glenn says methods such as preventing links in email from being clicked, blocking email attachments from being sent, or stopping macros from running within spreadsheets haven’t been effective.
“An easy thing that a company can do is to require all macros to be signed with a company-security-policy-approved code signing certificate that has been issued to an individual. This way the person receiving the macro can be assured that the macro originated with the trusted employee and not a malicious external third party,” Glenn said.
“Adopting more modern security practices, like code signing macros or a Zero Trust security model, can address these threats with minimal hit on efficiency,” according to Glenn.
“Machine identities—like code signing certificates and API keys—are the targets of today and the future. Just one more reason why machine identity management is the most important cybersecurity trend of the decade,” said Kevin Bocek, VP, Ecosystem & Threat Intelligence at Venafi.