Ransomware continues to be one of the most prevalent and destructive threats to enterprises and governments globally. In 2019, ransomware cost $11.5 billion, with a business attacked every 14 seconds. Added to this, ransomware now accounts for a high number of cyber insurance claims, standing at 41% of all cyber insurance claims in the first half of 2020. The number itself may not surprise, but the reason behind it can. The growing number of ransomware claims brings into the limelight a new modus operandi that hackers have lately resorted to: double extortion.
Increasing Double Extortion attacks
Earlier, hackers that performed ransomware attacks would breach a system to steal data and delete it if the victim didn’t pay a ransom fee. This prompted companies to make backup copies of their data, thereby reducing the chances of having to pay a ransom. But hackers are quick to take a more rogue route each time their plan doesn’t work. Perhaps this is why some notorious ransomware gangs such as Maze and DoppelPaymer have gone one step further: they make sure their victims pay a ransom even if they have backup copies of the encrypted data. These ransomware groups are now launching what we know as Double Extortion attacks. They exfiltrate data from hacked networks before encrypting it and threaten to release it on specialized leak sites or social media. The University of Utah, a case we discussed in an earlier blogpost, allegedly paid a ransom to stop hackers from releasing its sensitive data online.
When double extortion attacks were first launched this year by REvil and then emulated by others, hackers maximized their chances of making a profit by giving their victims an additional reason to pay the ransom.
Why Double Extortion attacks are a serious issue
For organizations, double extortion attacks are a double whammy, since they still have to pay the hackers for an assurance that the exfiltrated data will not be released online. Buying this assurance comes at a cost that can be as high as six times the average ransom we see in most ransomware cases. Coalition points out this trend in its report and underlines that many ransomware gangs, such as Maze, have become greedier than ever, with ransom demands soaring to six times the average. Businesses worry because double extortion attacks can put the kibosh on their recovery plans.
Building a shield against Double Extortion attacks
Since double extortion attacks can mean six times more ransom for ransomware-affected organizations, the suggested path forward is to have all the aces up your sleeve. Organizations should:
- Buy a cyber insurance policy that covers Double Extortion attacks: Make cyber insurance an integral part of your cyber strategy. For organizations that store financial, personal health, or other client data, buying a cyber insurance plan is mandatory. Organizations beyond this group should assess the risk and have an insurance policy in place that covers losses incurred in a ransomware attack. The Coalition report further highlights that insurers have begun to take cognizance of double extortion attacks.
- Make Zero Trust an integral part of your cyber strategy: Zero Trust focuses on reducing the attack surface and its impact through technological approaches such as identity validation, privilege management, and endpoint isolation. By incorporating the right Zero Trust solutions, such as Remote Browser Isolation (RBI), into an organization’s security strategy, as stated in Cyberinc’s whitepaper ‘Zero Trust: Reimagining Security for the Financial Services Industry’, it becomes possible to secure entire portions of your attack surface by closing the entry point to threats. RBI helps keep web-based threats such as ransomware and malware out of your network.
- Have a plan to respond to a ransomware attack and test it: A cyber recovery plan covering ransomware response should be a standard part of business planning or crisis management. Test this plan from time to time for efficacy. In particular, prepare for the scenario where you have to explain the attack to customers, suppliers, regulators, police, insurers and the media. Having a document is not sufficient: you need to test all the assumptions you have made, because some of them may turn out to be wrong in an actual incident.
- Know what’s connected to your network: Computers and servers are the devices where your data resides, but you also need to be wary of other devices connected to your network, including wi-fi routers, IoT devices, printers, smart vending machines, etc. You should be aware of the potential ransomware or malware risk to these devices spread across the network. Restrict access to your network by using robust Identity and Access Management solutions.
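As an added example (not code from the original post or from Cyberinc), the following Python script shows one way to keep the "know what's connected" recommendation honest in practice. It parses DHCP lease records in the ISC dhcpd.leases style, reconciles each device against a known-asset inventory keyed by MAC address, and flags unknown devices, hostname mismatches, and devices sitting outside the network segment expected for their class (for instance an IoT vending machine that has landed on the workstation subnet). The lease records, the inventory and the segment map are all constructed sample data; in a real deployment they would come from your DHCP server and asset register.

```python
"""Reconcile observed network devices against a known-asset inventory.

Added example, not from the original post. All sample data below is
constructed for illustration.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample: simplified ISC dhcpd.leases records (real files also
# carry starts/ends lines, which this parser simply ignores).
SAMPLE_LEASES = """
lease 10.0.1.20 {
  hardware ethernet aa:bb:cc:00:00:01;
  client-hostname "finance-ws-07";
}
lease 10.0.1.21 {
  hardware ethernet aa:bb:cc:00:00:02;
  client-hostname "printer-2f";
}
lease 10.0.1.22 {
  hardware ethernet de:ad:be:ef:00:03;
  client-hostname "vending-lobby";
}
lease 10.0.1.23 {
  hardware ethernet de:ad:be:ef:00:04;
}
"""

# Constructed asset register: MAC -> (expected hostname, device class).
KNOWN_ASSETS = {
    "aa:bb:cc:00:00:01": ("finance-ws-07", "workstation"),
    "aa:bb:cc:00:00:02": ("printer-2f", "printer"),
    "de:ad:be:ef:00:03": ("vending-lobby", "iot"),
}

# Constructed segmentation policy: which subnet each device class belongs on.
SEGMENTS = {
    "workstation": "10.0.1.0/24",
    "printer": "10.0.1.0/24",
    "iot": "10.0.50.0/24",  # IoT devices are supposed to live on an isolated VLAN
}

LEASE_RE = re.compile(r"lease\s+(?P<ip>[\d.]+)\s*\{(?P<body>.*?)\}", re.DOTALL)
MAC_RE = re.compile(r"hardware ethernet\s+(?P<mac>[0-9a-f:]{17});", re.I)
HOST_RE = re.compile(r'client-hostname\s+"(?P<host>[^"]*)";')


@dataclass
class Device:
    ip: str
    mac: str
    hostname: str  # empty string when the client sent no hostname


def parse_leases(text):
    """Extract (ip, mac, hostname) from each lease block; skips blocks without a MAC."""
    devices = []
    for m in LEASE_RE.finditer(text):
        body = m.group("body")
        mac = MAC_RE.search(body)
        if not mac:
            continue
        host = HOST_RE.search(body)
        devices.append(Device(m.group("ip"), mac.group("mac").lower(),
                              host.group("host") if host else ""))
    return devices


def audit(text, known=KNOWN_ASSETS, segments=SEGMENTS):
    """Compare observed devices with the asset register and segmentation policy.

    Returns a dict of findings:
      unknown           - IPs whose MAC is not in the register
      hostname_mismatch - (ip, observed hostname, expected hostname)
      out_of_segment    - (ip, device class, expected subnet)
    """
    report = {"unknown": [], "hostname_mismatch": [], "out_of_segment": []}
    for d in parse_leases(text):
        entry = known.get(d.mac)
        if entry is None:
            report["unknown"].append(d.ip)
            continue
        expected_name, klass = entry
        if d.hostname and d.hostname != expected_name:
            report["hostname_mismatch"].append((d.ip, d.hostname, expected_name))
        net = segments.get(klass)
        if net and ipaddress.ip_address(d.ip) not in ipaddress.ip_network(net):
            report["out_of_segment"].append((d.ip, klass, net))
    return report


if __name__ == "__main__":
    for kind, items in audit(SAMPLE_LEASES).items():
        for item in items:
            print(f"{kind}: {item}")
```

Run periodically (or from a DHCP lease-change hook), the "unknown" list is the set of devices that have never been registered and therefore never risk-assessed, while "out_of_segment" catches devices that exist in the register but have escaped the VLAN that was meant to contain them; both are the cases where an IoT device or printer becomes a quiet foothold on the same network as your file servers.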
- Train staff to use the internet safely and maintain cyber hygiene: The internet is the biggest source of ransomware and malware injected into organizational networks. Train your employees to use the internet safely and not to visit untrusted websites that might infect their systems. Implement browser isolation on their systems to prevent such attacks, and make it mandatory so that all threats are fended off outside your network.