Double extortion ransomware, also called duel extortion ransomware[1][2][3], a form of ransomware that combines data encryption with the threat of exposure, leveraging both privacy concerns and regulatory pressures. It involves hiding data and threatening to expose sensitive information from victims, making it a potent and damaging cyber attack[1][2][3]. The sophisticated tactic has become a staple of modern ransomware campaigns, posing significant challenges to organizations across various industries[1].
Background
The concept of double extortion within ransomware gained prominence in November 2019 when the Maze ransomware gang pioneered this sophisticated approach[4][5]. The group, known for its innovation in cyber threats, sent a message to a computer self-help website, Bleeping Computer, revealing a successful breach of a security staffing company[4][5]. In a departure from traditional ransomware tactics, Maze not only encrypted the company's files but also stole sensitive information in plaintext[5].
The success of Maze's double extortion approach prompted other ransomware groups to adopt similar tactics in the ensuing months[5]. Recognizing the strategic advantage over organizations employing data backup strategies, cybercriminals began demanding dual payments, exploiting the fear of data exposure and the potential regulatory consequences[5].
The impact of double extortion soon expanded beyond mere encryption, as demonstrated by a 2020 attack on a German hospital[5]. The hospital faced operational shutdowns, redirected patients, and tragically recorded the first fatality directly linked to a ransomware attack[5].
Double extortion continued to evolve, with attackers constantly refining their methods. The emergence of triple-extortion ransomware, combining distributed denial-of-service (DDoS) attacks, file encryption, and data theft, exemplifies the dynamic nature of these cyber threats[5].
Methods
Double extortion ransomware employs sophisticated tactics, utilizing a sequence of steps to maximize its impact on organizations[1][2][4]. The ransomware must gain access to the victim in order to hijack their data.
Initial Access
Ransomware actors gain initial access to the target organization through various means, such as phishing emails, exploiting vulnerabilities, or deploying malware[5]. The initial access phase often exploits human vulnerabilities and security loopholes to infiltrate the organization's network[5]. After gaining access, threat actors meticulously conduct network reconnaissance to identify critical and valuable data within the organization's infrastructure[5][6]. Cybercriminals employ advanced techniques to map the network landscape, identifying potential targets for data exfiltration[5].
Deployment
In a departure from traditional ransomware attacks, cybercriminals engage in data exfiltration before initiating the encryption process[1][2][4]. Stolen data during this phase may encompass a wide array of sensitive information, including contracts, medical records, encryption certificates, and other critical files[2]. As said above, the double-extortion tactic aims to cripple organizations by threatening them with privacy exposure and potential regulatory consequences[2]. Threat actors strategically select data that holds significant value, intensifying the impact on organizations and increasing the likelihood of ransom payment[2][4]. Following the exfiltration of sensitive data, the attackers deploy ransomware to encrypt files across the organization's systems[2]. The ransomware deployment phase is characterized by speed and precision, aimed at maximizing the disruption caused to the organization[4].
Demands
A hallmark of double extortion, cybercriminals issue dual ransom demands. One ransom is for the decryption of data, and the other is for the deletion of the stolen information[1][2][4]. Referenced earlier, Maze ransomware, a pioneer in this approach, demanded separate payments for data decryption and deletion, increasing the pressure on victims[4]. The double ransom demands strategically exploit the organization's predicament, offering a binary choice that significantly elevates the stakes[4].
Evolution of Tactics
The evolution of tactics in double extortion ransomware reflects a constant adaptation to exploit vulnerabilities and maximize the impact on targeted organizations.
"Name and Shame" Tactic
In late 2019, Maze ransomware gained notoriety for adopting a "name and shame" tactic, in which public-facing websites were made to publish stolen data of victims who refused to pay[7]. This placed all of the victims information and privacy on display, granting anyone using the internet free access. This practice adds credence to attackers' threats, heightening the prospect of widespread attention and reputation damage resulting from the hack[7].
Ransomware-as-a-Service (RaaS)
Ransomware-as-a-Service, or the RaaS model has become prevalent, enabling a broader range of hackers to use double extortion tactics, including less experienced actors employing more destructive tactics[6][7]. It involves users experienced in ransomware and code publishing their skills online for less experienced individuals to use as they please. This shift in the ransomware landscape has increased the accessibility of sophisticated attack methods, contributing to the rise in double extortion cases[6][7].
Triple-Extortion Ransomware
Triple-extortion ransomware takes double extortion ransomware a step further, combining DDoS attacks, file encryption, and data theft[8]. A Disturbed-Denial-of-Service (DDoS) attack is a major disruption that prevents any users from accessing the victims website or application during the attack, mounting a wall to anyone using the service. This advanced form of attack targets not only individual companies but also third parties, representing an escalation in the complexity and severity of ransomware tactics[8].
Notable Incidents
The Maze Ransomware Gang (2019) pioneered double extortion, demanding two ransom payments for data decryption and deletion of stolen information[4]. In November 2019, Bleeping Computer received a message from the Maze ransomware gang, indicating a successful breach of a security staffing company. The attackers stole information in plaintext, encrypted files, and threatened to publish sensitive data unless two ransom payments were made[4]. Maze's innovative double extortion approach influenced other ransomware groups, leading to a surge in similar attacks. Following the success of Maze, other ransomware groups, including 'REvil' and 'Sodinokibi', adopted the double extortion tactic[2][4]. These groups gained notoriety for their sophisticated and targeted attacks against enterprises, particularly in the professional and financial services sectors[2][4].
Vastaamo (2020), a Finnish psychotherapy service provider faced double extortion, targeting both the organization and individual patients[7]. Vastaamo experienced a data breach in 2018, with the attacker returning in 2019 to steal more records. In September 2020, the hacker attempted to extort the organization by leaking data of 300 patients and demanding payment in bitcoin to prevent exposing up to 40,000 more patients' information[7]. This case highlighted the disturbing misuse of patient records and underscored the vulnerabilities in handling sensitive data[7]. At the time, it emphasized the broader issue of healthcare organizations being prime targets for double extortion due to the critical nature of the handled data[7].
The Alabama hospital case in 2019 is believed to be the site of the first alleged ransomware-related death in the U.S., emphasizing the severe consequences of ransomware attacks on healthcare facilities[7]. Hospitals in Canada and the U.K. also fell victim to successful double extortion attacks, showcasing the global reach[7].
Impact
Healthcare Sectors
Hospitals, a common target for having a wide range of sensitive data for many patients, face increased legal costs and potential privacy exposure[5][6]. The healthcare sector, particularly hospitals, has become a prime target for double extortion ransomware due to the critical nature of the handled data[6]. The attacks on healthcare organizations often involve the compromise of sensitive patient records, which can include personal identity codes, medical history, and therapy session transcripts[6].
In the aftermath of a ransomware attack, patients face the distressing prospect of their personal and medical information being exposed online or on the dark web[3]. The psychological toll on individuals who seek therapy services can be particularly severe, as the breach not only jeopardizes their privacy but also undermines the trust they place in therapeutic relationships[3].
Healthcare organizations, compelled by the critical nature of the targeted data, are often more likely to accede to ransom demands[6]. The University Hospital New Jersey paid a $670,000 ransom to prevent the exposure of patient data, highlighting the high-stakes nature of these attacks[6].
Professional and Financial Services
Entities operating in the professional and financial services sectors have also found themselves in the crosshairs of double extortion ransomware gangs[5][6]. These organizations are lucrative targets because of the high value of the information they possess, ranging from legal documents and contracts to financial records and proprietary data[5][6]. Ransomware groups, such as REvil and Sodinokibi, have demonstrated a level of sophistication in their attacks on professional and financial services enterprises[2][6]. These groups often meticulously plan their campaigns, gaining access to networks, identifying valuable data, and strategically deploying ransomware for maximum impact[2][4][6].
The combination of data encryption and the threat of exposure places these organizations in a precarious position. The potential for reputational damage, regulatory scrutiny, fines, and lawsuits escalates when sensitive client information is at risk of being disclosed[7]. The Maze ransomware gang's "name and shame" tactic, where stolen data is publicly disclosed if ransom demands are not met, adds an additional layer of risk[7].
Prevention/Mitigation
Behavioral Indicators and Machine Learning
Incorporating behavioral indicators extracted from traces of hardware performance counters (HPC) has proven to be an effective approach in the early detection of ransomware[3][6]. HPC is a high performance amalgamation of computers that connect to a central source, creating a very efficient and powerful machine. Studies named HLMD and DeepWare utilize HPC to create behavioral signatures, enabling the swift identification of potential malware at its initial execution stage[6].
Machine learning models, including Convolutional Neural Networks (CNN) and Artificial Neural Networks, have been employed to convert HPC information into images for ransomware detection[6]. Techniques like RanStop utilize hardware performance counters at runtime to achieve high accuracy in distinguishing between benign and malicious executables[6].
Multi-Layered Prevention and Response
Adopting a multi-layered approach to prevention and response is crucial in defending against double extortion ransomware. Cybereason, for instance, emphasizes a comprehensive strategy encompassing prevention, detection, and response[3]. This includes real-time monitoring of indicators of behavior (IOBs) to visualize and shut down the attack chain[3][6].
The integration of hardware-level detection through performance counters further enhances the multi-layered defense against ransomware attacks[6]. By capturing unaltered traces at the hardware level, organizations gain a deeper understanding of ransomware behavior during its initial stages, facilitating early detection and response[6].
Data Backups and Recovery
As double extortion leverages the threat of exposing stolen data, organizations must prioritize robust data backup and recovery strategies. Having up-to-date backups reduces the leverage attackers have over victims, providing an alternative to paying ransoms[5][7][1]. Prevention efforts should extend beyond traditional antivirus solutions, incorporating tools and practices specifically designed to detect and mitigate ransomware threats. Continuous monitoring for unusual behavior and timely response to potential indicators of compromise are integral components of an effective prevention strategy.
Collaboration
Collaboration and information sharing among organizations, industry stakeholders, and cybersecurity experts play a crucial role in building collective resilience against ransomware threats[3]. Sharing threat intelligence and insights gained from incidents contributes to a more informed and proactive security posture. Public and private sectors, along with cybersecurity firms, should collaborate to establish best practices, standards, and frameworks for preventing and responding to double extortion ransomware attacks[3]. This collaborative effort can enhance the overall cybersecurity ecosystem and raise the collective defense against evolving ransomware tactics.