Lepide Blog: A Guide to IT Security, Compliance and IT Operations

What is Double Extortion Ransomware?

Over time, ransomware attacks have become more advanced, spreading through various methods such as phishing emails, vulnerability exploits and Ransomware-as-a-Service (RaaS). In the past, ransom payments were typically demanded through prepaid cash services, Western Union transfers, gift cards, or premium-rate SMS services. Nowadays, however, cybercriminals rely on cryptocurrencies like Bitcoin for payment.

In 2022, the FBI’s Internet Crime Complaint Center (IC3) received 2,385 complaints related to ransomware, resulting in victims losing over $34.3 million. This figure does not include the additional costs of lost business, time, wages, files, equipment, or third-party remediation. It is important to note that many ransomware victims do not report attacks to the authorities, leading to an underrepresentation of the actual number of incidents.

What is Double Extortion Ransomware?

A double extortion ransomware attack is an advanced form of cyber attack where the attacker not only encrypts the victim’s data and demands a ransom but also threatens to expose or sell the sensitive information if the ransom is not paid. This adds further pressure on the victim to pay and makes these attacks particularly harmful, especially for organizations that store large amounts of sensitive data. Backups may help with data restoration, but they cannot prevent the damage caused by stolen information being made public.

How A Double Extortion Ransomware Attack Works

Cyber attackers typically follow a specific sequence when executing a double extortion ransomware attack. First, they gain unauthorized access to the victim’s system. They then survey the network for sensitive data, exfiltrate that data, and deploy ransomware to encrypt it. The victim is denied access to the data and a ransom is demanded. If the ransom is paid, the data should be returned. Otherwise, the information may be leaked, destroyed, or sold, causing significant damage, especially when there are no backups available.

How Ransomware Attackers Gain Access to the Target Network

Although not an exhaustive list, attackers can employ the following tactics to gain unauthorized access to the target network:

Phishing/social engineering

Ransomware attacks are highly dependent on both technology and human behavior. For example, attackers will often try to spoof a CEO’s email and use it to trick employees into clicking on a malicious link. For such attacks to be successful, they generally require extensive research on the company, its employees, and the industry. As the frequency of these attacks increases, social engineering is becoming increasingly prevalent in phishing attempts. Additionally, social media platforms are not only used by attackers to gather information about potential victims but also to distribute malware.

Malvertising/exploit kits

Attackers create malicious advertisements with hidden code, known as “Trojan pop-ups,” and if users click on them, they are secretly redirected to a landing page controlled by the attacker. The attacker will use an exploit kit to scan the user’s computer for vulnerabilities which they can exploit. If successful, the exploit kit delivers a ransomware payload to infect the victim’s computer. Exploit kits are attractive to cybercriminals because they are automated and can easily inject malicious code into a computer’s memory, making them difficult to detect by traditional antivirus software. They are also becoming more popular among less skilled ransomware attackers. With a small investment on the darknet, almost anyone can enter the online ransomware business.

Fileless attacks

The frequency of fileless ransomware techniques is on the rise. These types of attacks do not involve creating an executable file on the hard drive as their primary method. Instead, fileless ransomware leverages existing tools within the operating system, like PowerShell or WMI, enabling the attacker to carry out activities without the need for a malicious file to be executed on the compromised system. This method is favored by cybercriminals as it can evade traditional antivirus solutions.

Remote Desktop Protocol attacks

The Remote Desktop Protocol (RDP) enables individuals to establish a secure and reliable connection with a computer from any location worldwide. Although this tool offers numerous advantages such as enhanced workforce productivity and flexibility, it also presents security risks that can be exploited by malicious actors. Malicious individuals employ port scanning techniques to search the internet for open and vulnerable ports. Once found, they engage in brute force attacks or resort to other methods of stealing credentials in order to gain unauthorized access. Once inside, they can execute a ransomware attack, as well as create a backdoor for future access.
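The brute-force stage described above leaves a recognisable trail in the Windows Security log: a burst of failed logons (Event ID 4625) with Logon Type 10 (RemoteInteractive, i.e. RDP) from one source address, followed by a success (Event ID 4624) from the same address. The detector below is an added example, not part of the Lepide post or product; it correlates those two signals over a constructed, simplified CSV rendering of such events (the real events are XML, and the field layout here is an assumption for illustration).

```python
"""Flag RDP brute-force patterns in Windows Security events.

Added example (not from the Lepide post). Correlates bursts of failed
RDP logons (Event ID 4625, Logon Type 10) from one source address with a
later successful logon (Event ID 4624) from the same address. The log
format below is a constructed, simplified CSV, not real Windows event XML.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: timestamp,event_id,logon_type,account,source_ip
SAMPLE_EVENTS = """\
2024-03-01T02:10:01,4625,10,administrator,203.0.113.7
2024-03-01T02:10:03,4625,10,admin,203.0.113.7
2024-03-01T02:10:05,4625,10,backup,203.0.113.7
2024-03-01T02:10:06,4625,10,svc_sql,203.0.113.7
2024-03-01T02:10:08,4625,10,jsmith,203.0.113.7
2024-03-01T02:10:11,4624,10,jsmith,203.0.113.7
2024-03-01T02:15:00,4625,10,jsmith,198.51.100.4
2024-03-01T02:40:00,4624,10,jsmith,198.51.100.4
"""

FAILED, SUCCESS = "4625", "4624"
RDP_LOGON_TYPE = "10"   # Logon Type 10 = RemoteInteractive (RDP)


def parse_events(text):
    """Parse the constructed CSV into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, logon_type, account, src = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "id": event_id,
                       "type": logon_type, "account": account, "src": src})
    return events


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return alert tuples (kind, source_ip, failure_count, account).

    A source producing >= threshold RDP failures inside `window` raises a
    'bruteforce' alert; a later RDP success from that same source raises a
    'bruteforce_then_success' alert naming the account that got in.
    """
    recent = defaultdict(deque)   # src -> timestamps of recent failures
    flagged = {}                  # src -> failure count when first flagged
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["type"] != RDP_LOGON_TYPE:
            continue
        q = recent[ev["src"]]
        if ev["id"] == FAILED:
            q.append(ev["ts"])
            # Slide the window: drop failures older than `window`.
            while q and ev["ts"] - q[0] > window:
                q.popleft()
            if len(q) >= threshold and ev["src"] not in flagged:
                flagged[ev["src"]] = len(q)
                alerts.append(("bruteforce", ev["src"], len(q), None))
        elif ev["id"] == SUCCESS and ev["src"] in flagged:
            alerts.append(("bruteforce_then_success", ev["src"],
                           flagged[ev["src"]], ev["account"]))
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

The second alert kind is the one worth paging on: a failure burst alone may be noise, but a success from the same address right after it is the point at which the account and the host should be treated as compromised. The single failure from 198.51.100.4 never crosses the threshold, so its later success is not flagged.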

Examples of Double Extortion Ransomware

Some of the most notorious ransomware groups and strains that use the double extortion techniques are as follows:

DarkSide

The DarkSide ransomware group now operates a ransomware-as-a-service (RaaS) model, with double extortion being one of their main tactics. DarkSide is highly advanced in its RaaS operations, offering various attack methods such as exploiting public-facing applications through RDP, escalating privileges, and weakening victims’ defenses. They primarily target organizations using unpatched or outdated software and focus on English-speaking countries based on system language checks. Notably, they successfully attacked the Colonial Pipeline Company in May 2021, forcing a temporary shutdown of the crucial East Coast fuel transportation pipeline, which led the company to pay a $4.4 million ransom in bitcoins to prevent prolonged disruption.

Egregor

Egregor is a cybercriminal group that was formed by the operators of the notorious Maze ransomware group after Maze shut down in October 2020. Egregor gained recognition after successfully attacking Barnes & Noble, Crytek, and Ubisoft. In the Barnes & Noble attack, Egregor claimed to have accessed financial information but the company reported that customer data was not stolen. The group also claimed to have obtained source codes for upcoming releases in the Crytek and Ubisoft attacks. Egregor is one of many cyber threats taking advantage of the increased reliance on digital infrastructure during the pandemic, with some even targeting the healthcare sector. The group operates a ransomware-as-a-service model, with the double extortion technique being popular amongst its users.

Conti

Conti, a hacker group discovered in 2020, operates a ransomware-as-a-service model, enabling other criminals to use their malware. Every version of Microsoft Windows is susceptible to Conti’s attacks. In May 2022, the U.S. government announced a potential reward of $10 million for any information regarding this group. Double extortion has become the Conti Ransomware Gang’s new favourite sales tactic. If you refuse to pay its ransom, Conti will not only take your most important files from you, but also exfiltrate and publish them using its dedicated ‘Conti News’ website, or sell them directly to your competitors.

How To Prevent Double Extortion Ransomware

Cybercriminals do not follow ethical rules and there will be consequences if you do not pay their ransom. They do not care about the damage caused by releasing information, and even if you do pay the ransom, there is no guarantee that the information will be kept confidential or that you will regain access to it. As such, victims are strongly advised against paying the ransom. Naturally, it is better to prevent these attacks rather than dealing with the aftermath. Fortunately, there are steps you can take to protect your company from such attacks.

Implement a Zero-Trust architecture: Instead of assuming trust, your company should adopt a zero-trust policy. This means all applications, websites, emails, and links should undergo thorough authentication before gaining authorization. The zero-trust approach can help to prevent the spread of a double extortion ransomware attack by reducing the attack surface, limiting lateral movement, and continuously monitoring all traffic for potential breaches.

Keep security software up-to-date: Outdated software is more susceptible to cyberattacks, so it’s crucial to prioritize security updates. Regular scans should be performed to check for available updates and install them promptly. Additionally, having recovery plans, multiple data backups, and two-factor/multi-factor authentication in place adds an extra layer of protection.

Conduct security awareness training: Educating employees about double extortion ransomware attacks and their consequences is vital. They should be aware of the signs to look out for and the actions to take in order to prevent facilitating such attacks. Training should be mandatory for all new employees, with follow-up sessions scheduled periodically.

Use a real-time auditing solution: Real-time monitoring and alerting are essential for staying protected against ransomware attacks. These solutions can identify vulnerabilities and provide detailed reports and important insights. Some advanced solutions can detect and respond to events that match a pre-defined threshold condition, such as when multiple files are encrypted within a given time-frame.

How Lepide Helps Prevent Ransomware

The Lepide Data Security Platform can help prevent ransomware attacks in the following ways:

Real-time file integrity monitoring: Lepide continuously monitors and tracks changes made to files and folders in real-time. This helps detect any suspicious or unauthorized activity, such as file encryption by ransomware, and allows for immediate action to be taken.

Real-time notifications: Lepide sends real-time alerts to IT administrators when it detects any potential ransomware activity. These alerts contain details about the suspicious activity, enabling administrators to take immediate action to prevent the spread of the ransomware.

Privileged user monitoring: Lepide monitors the activities of privileged users with access to critical data. This helps identify any misuse or unauthorized access, reducing the risk of ransomware attacks.

Automated responses: Lepide can be configured to automatically respond to threats that match a pre-defined threshold condition. For example, if a certain number of files have been encrypted, moved or renamed within a certain time-frame, the platform can automatically terminate suspicious processes, isolate affected systems from the network, roll back changes, and more.
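The threshold condition mentioned here, and in the real-time auditing section above, is the core of most ransomware behaviour detection: one account touching many files in a short window, typically renaming them to an unfamiliar extension. The block below is an added example, not Lepide's code, showing how such a rule can be evaluated over a file audit trail. The audit format is a constructed CSV (timestamp,user,action,old_path,new_path) and the paths, users and the `.lockd` extension are made up for the sample.

```python
"""Threshold-based ransomware activity detection over file audit events.

Added example, not Lepide's code. Implements a pre-defined threshold
condition of the kind the post describes: many files modified or renamed
by one account within a short time-frame, with extension changes counted
separately so an encryptor stands out from a user saving many documents.
Audit format is a constructed CSV: timestamp,user,action,old_path,new_path
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import os

# Constructed sample. alice's lines mimic an encryptor walking a share and
# renaming documents to an unknown extension; bob's two lines are benign.
SAMPLE_AUDIT = """\
2024-03-01T09:00:00,alice,modify,/srv/finance/q1.xlsx,
2024-03-01T09:00:01,alice,rename,/srv/finance/q1.xlsx,/srv/finance/q1.xlsx.lockd
2024-03-01T09:00:01,alice,rename,/srv/finance/q2.xlsx,/srv/finance/q2.xlsx.lockd
2024-03-01T09:00:02,alice,rename,/srv/finance/budget.docx,/srv/finance/budget.docx.lockd
2024-03-01T09:00:02,alice,rename,/srv/finance/notes.txt,/srv/finance/notes.txt.lockd
2024-03-01T09:00:03,alice,rename,/srv/finance/plan.pptx,/srv/finance/plan.pptx.lockd
2024-03-01T09:00:03,alice,rename,/srv/finance/README.md,/srv/finance/README.md.lockd
2024-03-01T09:30:00,bob,rename,/srv/hr/draft.docx,/srv/hr/final.docx
2024-03-01T09:31:00,bob,modify,/srv/hr/final.docx,
"""

# Extensions normal for this share; anything else appearing in bulk is suspect.
KNOWN_EXTENSIONS = {".xlsx", ".docx", ".pptx", ".txt", ".md", ".pdf", ".csv"}
WATCHED_ACTIONS = ("modify", "rename", "move")


def parse_audit(text):
    """Parse the constructed CSV into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, old, new = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "action": action, "old": old, "new": new or None})
    return events


def extension_changed(ev):
    """True when a rename replaces or appends the file extension."""
    if ev["action"] != "rename" or not ev["new"]:
        return False
    old_ext = os.path.splitext(ev["old"])[1].lower()
    new_ext = os.path.splitext(ev["new"])[1].lower()
    return new_ext != old_ext


def detect_mass_file_changes(events, threshold=5, window=timedelta(seconds=30)):
    """Alert once per user whose modify/rename burst reaches `threshold`
    events inside `window`. Severity is 'high' when most events in the
    burst changed the file extension, which is what an encryptor does.
    """
    recent = defaultdict(deque)   # user -> deque of (ts, ext_changed, new_ext)
    alerted = set()
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["action"] not in WATCHED_ACTIONS:
            continue
        q = recent[ev["user"]]
        changed = extension_changed(ev)
        new_ext = os.path.splitext(ev["new"])[1].lower() if changed else None
        q.append((ev["ts"], changed, new_ext))
        # Slide the window: drop events older than `window`.
        while q and ev["ts"] - q[0][0] > window:
            q.popleft()
        if len(q) >= threshold and ev["user"] not in alerted:
            alerted.add(ev["user"])
            ext_changes = sum(1 for _, c, _ in q if c)
            alerts.append({
                "user": ev["user"],
                "count": len(q),
                "ext_changes": ext_changes,
                "new_extensions": sorted({e for _, c, e in q
                                          if c and e not in KNOWN_EXTENSIONS}),
                "severity": "high" if ext_changes * 2 >= len(q) else "medium",
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_mass_file_changes(parse_audit(SAMPLE_AUDIT)):
        print(alert)
```

Counting extension changes separately is the caveat a practitioner wants here: a raw event-rate threshold alone will also fire on a build job, a bulk document export or a migration script, while a rename burst to one unknown extension rarely has a benign explanation and is the alert that justifies an automated response such as disabling the account or isolating the host.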

Data discovery & classification: Lepide helps in classifying sensitive data based on predefined policies. This ensures that appropriate security measures are in place to protect critical data, making it harder for ransomware to successfully encrypt or access sensitive information.

Active Directory auditing: Lepide offers comprehensive Active Directory auditing capabilities. It helps identify any unauthorized changes to user accounts, group membership, or access controls, which are common tactics used by ransomware to escalate privileges and propagate across the network.

If you’d like to see how the Lepide Data Security Platform can help you defend against double extortion ransomware, schedule a demo with one of our engineers.