When a double extortion ransomware attack hits you, a cyber attacker tries to encrypt your information and demands a ransom. But next to the encryption of information, the attacker also takes the next step: threatening to publish your sensitive data on the dark web.
If you don’t pay the ransom before the deadline, the attacker sells the data to the highest bidder (which might be a direct competitor of your organization) or destroys your data.
My previous post showed the importance of a well-working backup in defending against a cyber attack. A well-working backup removes the threat of data encryption because you always have a good backup at your disposal, but it does not remove the threat of stolen information getting out in the open.
A cyber attacker therefore always has additional leverage to ensure that a victim pays the ransom. Sensitive information about corporate secrets and individuals getting out in the open could devastate the organizations and employees whose data is publicly disclosed after an attack. Because of this, double extortion attacks are effective and dangerous.
In this post, I will show you how double extortion works and how you can protect yourself against it.
The attacking process
A cyber attacker must access your system to access your sensitive data. Cyber attackers can do this in many ways:
- Phishing attacks. Based on my experience, 90+% of all cyber attacks start with a successful phishing attack. In this type of attack, a cyber attacker sends a fraudulent message that mimics those from managers of a company, asking for sensitive information. The goal is for a recipient to believe that the message came from a supervisor and willingly release the information.
- Malware. In this attack, a cyber attacker deploys malware on a server to disrupt your network and obtain unauthorized access.
- Exploiting a vulnerability. With this attack, an attacker tries to find unprotected areas inside a network and exploit them. One example is finding holes in the software that organizations use. Security patches are critical to prevent these exploits, so apply these patches immediately when they are available.
- Brute-force attacks on servers. With this tactic, a cyber attacker tries to gain access to a server by using trial-and-error techniques to figure out the correct login credentials and encryption keys.
- Data leaks. Obtaining leaked data is a form of attack in which a cyber attacker collects sensitive data that is publicly accessible because of poor network security inside a system.
- Stolen credentials. A cyber attacker can steal login credentials from an employee.
The most popular double extortion ransomware types that cyber attackers are currently using:
- Ransomware as a Service (RaaS). This type of ransomware has a subscription-based model for its affiliates. The affiliates use a set of ransomware tools developed by a third party; they carry out attacks, and when an attack is successful, they pay a percentage of the ransom payment to the ransomware developer. Cyber attackers develop RaaS as a double extortion model: it can both encrypt and transfer (sensitive) data.
- Netwalker Ransomware. Cyber attackers designed this malware for the Windows operating system. Netwalker encrypts all data and then moves this data to an external location. The victim receives a ransom demand and needs to pay to restore the data and prevent all obtained data from being sold or made public.
- Conti Ransomware. I described how this group works in a series of posts dedicated to the Conti Ransomware Group. I was baffled by the efficiency and professionality of how this group operates. This group’s ransomware is highly sophisticated and known for its encryption speed. It spreads and infects your systems very quickly, making it very dangerous compared to other types of ransomware. Conti also uses the tactic of double extortion, so next to quick encryption, the software transfers data very efficiently. There are examples of Conti leaking data on the dark web when victims did not pay the ransom.
The Double Extortion Attack Sequence
In one of my posts, I explained how a ransomware kill chain works. The kill chain for double extortion ransomware is slightly different from a typical ransomware kill chain. With double extortion, two additional steps take place during the compromise of a system:
- Initial access: during this phase, the attacker successfully breaks into the system of a user or organization by using one of the attacks that I previously described.
- Network reconnaissance and lateral movement. The cyber attacker surveys the security landscape to check for detection points that could expose them. Once they are sure they have complete control over all resources and run no risk of detection, they move throughout different parts of the network.
- Data exfiltration: the first step of the double extortion strategy. During this phase, the cyber attacker copies data out of the system, but that data is not yet held hostage for ransom. The attacker does not notify the victim yet and does not encrypt any data in this phase.
- Deployment of ransomware: the second step of the double extortion strategy. All ransomware attacks use this stage (including attacks that don’t use double extortion). During this stage, the ransomware is deployed and executed, and the cyber attacker encrypts all data. After the attackers have encrypted all the data, they notify the victim that they are holding the victim’s data hostage.
- Attack on the victim’s website or network. During this stage, a full DDoS attack on the victim’s website or network pushes the victim to negotiate the ransom. If the victim does not want to pay, the double extortion is executed by publishing critical data (user credentials, sensitive data, and other critical information) on a leak site.
Defense Against Double Extortion Attacks
Implementing a Zero Trust security policy is the best way to defend yourself against extortion attacks. Zero Trust means that no user and no application is trusted; everything is assumed to be hostile until proven otherwise by explicit authentication and authorization. You only get access by confirming your identity and context as a user. Even then, you only gain access to a minimal set of resources based on least privilege. Zero Trust architecture has three fundamental principles:
- Minimization of the attack surface. Cyber attackers can’t find you if you make users and applications invisible to the outside by securing access behind a proxy-based brokered exchange. If attackers can’t discover your applications, they can’t exploit them either.
- Elimination of all lateral movement. An attacker can only encrypt or steal data they can see. Micro-segmentation techniques reduce data exposure and minimize damage: micro-segmentation controls network access between workloads, and administrators define security policies that limit traffic based on the principle of least privilege. This way, you reduce the attack surface, improve breach containment, and strengthen the compliance required by all kinds of governmental regulations.
- Monitoring for effective threat and data loss prevention. Continuous monitoring of all encrypted and unencrypted traffic entering and leaving your organization eliminates blind spots and maximizes your chances of keeping attackers out of your network and securing the data inside it. Doing this routinely is vital: your system admins need to do this regularly, and you need a backup person in case a system admin is unavailable. A combination of on-site and outsourced staff works great based on my own experience.
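The monitoring principle above and the data exfiltration stage of the kill chain meet in one practical check: a host that suddenly uploads far more to external destinations than it normally does. The following detector is an added example, not code from the original post; the flow record layout, the sample flows, the per-host baselines and the thresholds are all constructed assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Constructed outbound flow records (timestamp,src_ip,dst_ip,dst_port,bytes_out).
# 10.0.5.12 pushes a multi-gigabyte upload to an external host; 10.0.7.30 is normal.
SAMPLE_FLOWS = """\
2024-03-01T01:00:00,10.0.5.12,10.0.1.5,445,48000
2024-03-01T01:05:00,10.0.5.12,203.0.113.9,443,60000
2024-03-01T02:10:00,10.0.5.12,203.0.113.9,443,52000
2024-03-01T02:45:00,10.0.5.12,203.0.113.9,443,5800000000
2024-03-01T02:50:00,10.0.7.30,203.0.113.40,443,71000
2024-03-01T02:55:00,10.0.7.30,203.0.113.40,443,69000
"""

# Assumed per-host baseline: typical daily bytes sent externally (constructed values).
BASELINE = {"10.0.5.12": 200_000_000, "10.0.7.30": 150_000_000}

def is_internal(ip):
    return any(ip_address(ip) in net for net in INTERNAL_NETS)

def parse_flows(text):
    """Return (src, dst, bytes) per well-formed CSV line; malformed lines are skipped."""
    flows = []
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) == 5 and parts[4].isdigit():
            flows.append((parts[1], parts[2], int(parts[4])))
    return flows

def external_bytes_per_host(flows):
    """Sum bytes each internal host sent to non-internal destinations only."""
    totals = defaultdict(int)
    for src, dst, nbytes in flows:
        if is_internal(src) and not is_internal(dst):
            totals[src] += nbytes
    return dict(totals)

def find_exfil_candidates(flows, baseline, factor=10, floor=1_000_000_000):
    """Flag hosts whose external upload volume is >= factor x their own baseline AND
    >= floor bytes (so a quiet host sending a few MB is not flagged); no baseline -> floor only."""
    findings = []
    for host, total in external_bytes_per_host(flows).items():
        typical = baseline.get(host)
        limit = floor if typical is None else max(factor * typical, floor)
        if total >= limit:
            findings.append((host, total, typical))
    return sorted(findings)
```

In practice the baseline comes from your own traffic history and the alert should feed the response plan, since by the time encryption starts the exfiltration has usually already finished.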
Next to a philosophy of Zero Trust, you should also implement a set of policies inside your organization to reduce your attack surface and mitigate a ransomware threat:
- Set up a response plan. Prepare for the worst by having cyber insurance, a robust data backup plan, and a response plan as part of your overall business continuity and disaster recovery program.
- Continuous awareness training. Keep your employees sharp by implementing a constant employee awareness training program.
- Implement a Secure Access Service Edge (SASE) architecture. This architecture provides authentication and enforces a consistent security policy, no matter where the users of your organization work.
- Keep all your software up to date. Implement a strict security patch policy in your installation that patches all applications at a fixed time. You have to do this for all your applications, so don’t limit yourself to the general OS updates. Also, update firmware and all other applications you use. You require a clear overview of your application landscape for this.
- Deployment of inline data loss prevention. Prevent the exfiltration of sensitive information and keep data leaks to a minimum with trust-based data loss prevention tools and policies that defend against any double extortion technique.
Final Thoughts
In my opinion, the Zero Trust approach is the best way to defend your organization against cyber attacks. Briefly summarized, I would advise you to set up your first line of defense according to the bullet points below:
- Have a solid backup and a solid backup process (check this post for more details about backups). Also test the backup and the backup plan by simulating an incident to ensure that everything works as it should.
- Lock your data away from intruders with a Zero Trust approach.
- Set clear policies that ensure backup and Zero Trust are working as intended.
Feel free to contact me if you have questions or in case you have any additional advice/tips about this subject. If you want to keep me in the loop if I upload a new post, make sure to subscribe, so you receive a notification by e-mail.

