Up to three times a piece! New trends in ransomware.
Unlike physical attacks, digital ‘kidnapping for ransom’ with ransomware are characterized by a ‘more is more’ approach. Why should the victim pay the ransom only once to get his valuable data back and then return to his normal life when he can be attacked again or even extend the attack itself with additional sources and thus get more money?
- Re-encryption of systems. – The “excuse” for this type of action is to accuse those attacked of ignorance and failure to protect themselves against a recurring threat.
- Threat of disclosing stolen (before or after encryption) data. – After paying the ransom, hackers demand a second payment and threaten to publish the data on the Internet.
Recently, we can observe the growing popularity of double-encryption ransomware attacks. This method involves encrypting victim’s data using not one but two independent encryption mechanisms.
Emsisoft reports two scenarios:
- Victims receive two ransom letters at the same time, meaning the hackers want their victims to know about the double-encryption attack.
- Victims see only one ransom note and learn about the second layer of encryption only after paying to eliminate the first.
The company also identified two different tactics.
- Hackers encrypt data with Type A ransomware and then re-encrypt that data with Type B ransomware. For example: an attacker might use 256-bit AES symmetric encryption to initially encrypt the files and RSA asymmetric encryption to encrypt the result of the initial encryption.
- The second path is “side-by-side encryption” (Emsisoft’s proprietary name) in which attacks encrypt some of an organization’s systems with type A ransomware and others with type B ransomware. In this case, the data is only encrypted once, but the victim would need both decryption keys to unlock everything. In this parallel scenario, the two different strains of ransomware look very similar, so it’s harder for incident responders to figure out what’s going on.
However, the latest trend is the so-called triple-encryption ransomware, which consists in encrypting victim’s data using three independent encryption mechanisms. Previously, such situations occurred only when two groups of hackers simultaneously attacked an organization (which, by the way, was a very rare situation). However, there are now dozens of incidents where one attacker intentionally overlays two types of ransomware.
- The first case is the October 2020 attack on the Vastaamo clinic. A decent ransom was demanded from the organization, but surprisingly, smaller amounts were also demanded from patients who received the ransom demand individually in an email. In these emails, the attackers threatened to publish notes from the therapy sessions.
- February 2021. – REvil ransomware group announced that it has added two stages to its dual extortion scheme – DDoS attacks and phone calls to victim business partners and the media. The REvil ransomware group, responsible for distributing the Sodinokibi ransomware, operates under a ransomware-as-a-service business model. The group is now offering DDoS attacks and encrypted VoIP voice calls to journalists and associates as a free service to its affiliates, designed to put further pressure on the victim company to meet ransom demands within a set timeframe.
External victims, such as a company’s customers, collaborators and service providers, are heavily impacted by data breaches caused by ransomware attacks, even if their network resources are not directly targeted. Whether or not further ransom is demanded of them, they are powerless in the face of such a threat and have a lot to lose if the incident takes a bad turn.
For ransomware victims who don’t have adequate backups or don’t want to take the time to rebuild their systems from scratch, triple-encryption attacks pose an additional threat. Why? Because they undermine all “trust” in ransomware – by paying the ransom, we have no assurance that we won’t see another encryption after decryption.
In addition to having backups as highlighted above, it is recommended to have a Web Security Gateway class solution and a decent EDR (XDR is recommended). In the era of distributed architecture, using a Secure Access Service Edge class platform cannot be overestimated.