Double extortion attacks first came into the picture in 2019, when the American security staffing company Allied Universal was hit by a cyberattack. Fast forward to 2021 and, much like WFH (work from home) during the COVID-19 pandemic, double extortion ransomware attacks have become the new normal. Simply put, this technique involves:
Double extortion attacks undoubtedly boost threat actors’ chances of making a profit, but they also highlight the various ways in which cybercriminals are improvising on their attack arsenal. Even when data backups are available, the pressure and the potentially serious consequences, such as reputational damage, make these attacks highly potent and dangerous. The REvil group is a prime example: rather than simply leaking stolen data online, the group prefers to monetize it by auctioning it on the dark web, thereby increasing the pressure on its target.
Ransomware operators have traditionally relied on operational disruption and reputational damage to force victims to pay the ransom. However, their tactics are constantly improving. Some operators attempt to build trust with victims by adhering to a set of “principles” and providing “guarantees”. Another approach involves ransom DDoS (RDDoS) attacks, in which the attackers threaten to take down the organization’s network, or other similarly aggressive approaches.
Ransom Distributed Denial-of-Service (RDDoS) attacks begin with a ransom note served to the targeted organization about an impending attack. This may be accompanied by a demonstration attack to prove the attacker’s intent and capability. If the targeted organization chooses to ignore the ultimatum, it can be inundated with attack traffic generated either by the attackers’ own botnets or by a DDoS-for-hire service. Such attack traffic typically targets layer 3, 4, or 7 of the Open Systems Interconnection (OSI) model, that is, the network layer, the transport layer, or the application layer. As a result, the targeted application or service slows to a crawl or crashes completely. Usually, once their point has been proven, the attackers renew their ransom demand.
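As an added example that is not part of the original post, the following Python script classifies constructed traffic records into the network, transport and application layers named above and flags a per-destination flood; the record format, the threshold and the sample addresses are assumptions made for this illustration, not anything observed in a real incident.

```python
"""Added example, not from the original post: flag a flood per OSI layer.

Record format, threshold and addresses are constructed for illustration."""
from collections import defaultdict


def classify_layer(rec):
    """Map a record to the OSI layer the post names: 3 (network),
    4 (transport) or 7 (application)."""
    if rec.get("http_path") is not None:
        return 7  # a complete HTTP request reached the application
    if rec["proto"] == "ICMP":
        return 3  # ICMP floods load the network layer
    return 4      # TCP SYN and UDP floods load the transport layer


def detect_floods(records, threshold):
    """Return one alert per (destination, layer, second) bucket whose packet
    count exceeds threshold. The distinct-source count shows how distributed
    the traffic is, which separates a DDoS from a single noisy client."""
    packets = defaultdict(int)
    sources = defaultdict(set)
    for rec in records:
        key = (rec["dst"], classify_layer(rec), int(rec["ts"]))
        packets[key] += 1
        sources[key].add(rec["src"])
    return [
        {"dst": d, "layer": l, "second": s, "packets": n,
         "sources": len(sources[(d, l, s)])}
        for (d, l, s), n in sorted(packets.items())
        if n > threshold
    ]


def build_sample():
    """Constructed traffic: 150 SYNs in one second from 150 spoofed sources
    (a transport-layer flood) plus five ordinary HTTP requests."""
    recs = [
        {"ts": 0.2 + i / 1000, "src": f"203.0.113.{i}", "dst": "10.0.0.5",
         "proto": "TCP", "flags": "S", "http_path": None}
        for i in range(150)
    ]
    recs += [
        {"ts": float(i), "src": "198.51.100.7", "dst": "10.0.0.5",
         "proto": "TCP", "flags": "PA", "http_path": "/index.html"}
        for i in range(5)
    ]
    return recs


if __name__ == "__main__":
    for alert in detect_floods(build_sample(), threshold=100):
        print(alert)
```

On real flow or access logs the per-second threshold has to be tuned per destination from a baseline of normal traffic; the value used here only fits the constructed sample.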
In a world where downtime equates to financial loss, the threat of RDDoS is likely to get the potential victim’s undivided attention. Process-driven industries are attractive targets for ransomware attackers, as a break in the supply chain and ecosystem would cause significant disruption, prompting the victim to pay the ransom rather than face reputational damage, loss of business, and the costs associated with recovery operations.
At present, ransomware operators are suspected to follow a 4-layer approach to targeting organizations, which includes:
The double extortion attack is thus not only a milestone in the ransomware landscape; it is a clear indicator of how mature cyberattack strategy has become. Evolving from plain opportunistic attacks to well-studied, planned, and executed maneuvers, these attackers are pushing cybersecurity personnel to up their game.
Saying that phishing, or more precisely spear-phishing, is the primary way in which double extortion attacks are executed would be true, and at the same time quite an understatement. Looking into the modus operandi of most double extortion attacks reveals a glaring pattern and a common denominator being exploited: these attacks usually thrive on vulnerabilities in on-premises devices, with internet-facing systems as their prime target. For instance, since the end of 2019 almost every VPN (virtual private network) vendor has suffered severe vulnerabilities. Because VPNs are directly exposed to the internet and provide access to internal resources, they have emerged as an ideal target for double extortion attacks.
Some of the vulnerabilities affecting VPN devices that have been actively exploited to deploy ransomware are CVE-2019-11510, CVE-2018-13379, CVE-2019-1579, CVE-2019-19781, CVE-2020-2021, and CVE-2020-5902.
Apart from VPN concentrators, internet-facing systems such as RDP (remote desktop protocol) are also providing double extortion opportunities to threat actors. Exposing RDP connections directly to the internet is insecure, yet during the ongoing pandemic this was the route most organizations resorted to in order to provide remote access to their internal resources. The extent to which this move exposed businesses to cyberattacks can be gauged from the FBI’s Private Industry Notifications to K-12 schools warning them about the risk of ransomware attacks leveraging open RDP connections.
Distributed denial of service (DDoS) attacks are the latest trend leveraged by ransomware groups to execute double extortion. With the COVID-19 pandemic and the subsequent WFH scenario, DDoS attacks have made a major comeback. Not only has their frequency risen (surpassing 10 million attacks in 2020 against 8.5 million in 2019), these attacks have also become more powerful. For instance, in September 2020 the SunCrypt ransomware adopted DDoS as an added tactic for double extortion. The recent surge in bitcoin prices is yet another reason why ransomware gangs use this tactic.
Thus, from being a seasonal event, DDoS extortion campaigns have morphed into an integral part of the threat landscape, targeting organizations in nearly every industry since mid-2020.
The trend is expected to continue given the growth in the use of connected and Internet of Things (IoT) devices.
DarkSide is human-operated ransomware that works on a ransomware-as-a-service (RaaS) business model, with ransom demands ranging from $200,000 to $2,000,000 depending on the size of the compromised organization.
This ransomware group follows the double extortion tactic: not only does it encrypt the victim’s data, it also exfiltrates the data and threatens to make it public if the ransom demand is not met. The first step of the attack is to harvest clear-text data from the victim’s servers, after which the data is encrypted and a ransom is demanded. The DarkSide group then keeps a backup of this data on its own servers.
The group prefers high-value targets such as banking and financial institutions, as these are deemed repositories of customers’ personally identifiable financial information (PIFI). For instance, the recent attack on Banca di Credito Cooperativo (BCC) in Rome was conducted by the DarkSide ransomware group. The attack affected operations at 188 branches, causing serious disruption to the bank.
Similarly, the American subsidiary of a prominent Japanese manufacturer, Komari, was targeted by the DarkSide ransomware gang in March 2021. The incident resulted in the exfiltration of critical data including personal data of clients, details of agreements, information about company activities, etc.
Apart from leveraging double extortion tactics, the modus operandi of DarkSide also reflects the growing trend of Ransomware-as-a-Corporation (RaaC). In terms of tactics, techniques, and procedures (TTPs), the group’s operation is similar to Maze, NetWalker, Sodinokibi, and DoppelPaymer. What differentiates the DarkSide ransomware group from other threat actors is its targeted attack methodology, ransomware executables highly customized for every target, and a communication process that is highly corporate-like.
Apart from making headlines for its aggressive attack tactics, the group gained attention for the ‘ethical’ principles it follows when executing an attack. The DarkSide operation is never targeted at vulnerable and critical bodies such as hospitals, schools, and even governments: a silver lining in the era of double extortion ransomware attacks?
Organizations recovering from ransomware attacks must determine how the malware was able to enter their network even before they start thinking about restoring it. The key learning from such an incident must be to understand the degree of compromise: the how, when, what, and why. It is possible that, to install the ransomware, the operators leveraged backdoor access to the network left behind by a previous malware intrusion. Ransomware operators are increasingly leaving behind footholds that can be exploited in a future attack. By not examining how their network was originally compromised, potential victims are helping the ransomware operators’ cause.
Recently, the UK’s National Cyber Security Centre (NCSC) wrote in a blog post about one such incident, in which the victimized company paid millions in bitcoin to recover its stolen files and restore the compromised network. Unfortunately, the company failed to analyze how the cybercriminals had originally infiltrated the network. Less than two weeks after the settlement, the same ransomware gang infected the now restored network with the same ransomware.
Updating all internet-facing devices with the latest patches is the first step towards containing all kinds of cyberattacks, especially ransomware attacks. Restricting users’ ability (permissions) to install and run unwanted software applications is yet another way in which the attack surface can be reduced.
It is wise to assess and deploy an advanced endpoint protection solution that detects and prevents ransomware activity without relying on signature-based detection methods. We would also recommend that organizations prepare for ransomware attacks by constructing a business continuity plan that includes backup and recovery.
The best outcome would be to prevent the ransomware attack from occurring in the first place. This requires a telemetry system with insights into cybercrime in the making where defenders are equipped with early warnings to thwart an attack.