Attackers will vow to publicly release the stolen data, try to delete any backups and even deploy DDoS attacks to convince victims to give in to the ransom demands, says Sophos.
Cybercriminals who employ ransomware have gotten much bolder in recent years. Beyond stealing sensitive data, such criminals will turn to a variety of tactics to further persuade the victim to pay the ransom. A new report from security firm Sophos looks at 10 ways attackers pressure organizations to pay the demanded ransom. The report also includes recommendations on how to defend yourself against these types of attacks.
In the past, ransomware was a relatively straightforward matter. An attacker would breach an organization and encrypt critical data. Without a reliable or recent backup, that organization would have few options other than to pay the ransom in the hopes that the data would be decrypted.
Now, however, organizations have gotten more diligent about backing up important data, which means they may be less likely to pay the ransom. As a result, cybercriminals have turned to more aggressive and forceful tricks to demand that the ransom be paid.
- Vowing to publicly release the data. One common tactic employed by attackers is the double-extortion ploy. In this case, the criminal vows to publish or even auction the data online unless the ransom is paid. Even if the victim has reliable backups, they may feel pressure to pay the ransom rather than risk embarrassment and possible legal repercussions if the data is leaked.
- Contacting employees directly. To further pressure an organization, attackers will contact senior executives and other employees to warn them that their own personal data will be leaked if the ransom isn't paid.
- Contacting partners, customers and the media. In other cases, the attackers will reach out to business partners, customers and even the media and tell them to urge the victimized organization to pay.
- Warning victims not to contact law enforcement. Many organizations will contact law enforcement officials or other parties to seek their aid in resolving the incident. Such a move could help the victim recover their data without paying the ransom or put the attacker in the crosshairs of law enforcement. Fearing these outcomes, many criminals will warn their victims to keep silent.
- Enlisting insiders. Some criminals will try to convince employees or insiders to help them infiltrate an organization to carry out a ransomware attack. In return, the attackers promise the insider a portion of the ransom payment. The hope is that they'll find some disgruntled or dishonest employee who will willingly exploit their own employer.
- Changing passwords. After the initial attack, many ransomware operations will set up a new domain admin account through which they change the passwords for all other admin accounts. Doing so prevents the other administrators from logging into the network to resolve the problem or restore the encrypted files from backups.
- Launching phishing campaigns. In one incident noted by Sophos, attackers sent phishing emails to employees to trick them into running malware that provided full access to their emails. The attackers then used those compromised accounts to contact the IT, legal, and security teams to warn of more attacks if the ransom wasn't paid.
- Deleting backups. As ransomware attackers hunt through the network of a victim, they'll look for any backups of sensitive data. They'll then delete those backups or uninstall the backup software. In one case described by Sophos, the attackers used a compromised admin account to contact the host of the victim's online backups and told them to delete the offsite backups.
- Sending physical copies of the ransom note. Some criminals will inundate the victim's offices and employees with physical copies of the ransom note sent to connected printers and point-of-sale terminals.
- Launching Distributed Denial-of-Service attacks. Several ransomware gangs have turned to DDoS attacks to try to convince stubborn victims to pay the ransom. Such attacks not only overwhelm the organization's web servers but also distract IT and security staffers with yet another problem.
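The "Changing passwords" tactic above leaves a distinctive trail in Windows Security logs: an account is created (event 4720), added to Domain Admins (event 4728), and then resets the passwords of the existing admins (event 4724) within minutes. The detector below is an added example, not code from Sophos or the report; the log lines, account names and the simplified pipe-delimited format are constructed for illustration.

```python
"""Flag a newly created account that joins Domain Admins and then resets
other admins' passwords in a short window. Event IDs 4720/4728/4724 are the
real Windows Security log IDs; everything else here is constructed sample data."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: timestamp|event_id|subject_account|target_account|group
SAMPLE_LOG = """\
2021-11-01T02:10:05|4720|alice.admin|svc_backup2|
2021-11-01T02:10:31|4728|alice.admin|svc_backup2|Domain Admins
2021-11-01T02:11:02|4724|svc_backup2|alice.admin|
2021-11-01T02:11:09|4724|svc_backup2|bob.admin|
2021-11-01T02:11:15|4724|svc_backup2|carol.admin|
2021-11-01T09:30:00|4724|helpdesk1|jdoe|
"""

# Constructed baseline of legitimate admin accounts (in practice, pull from AD)
KNOWN_ADMINS = {"alice.admin", "bob.admin", "carol.admin"}


def parse(log):
    """Turn the pipe-delimited lines into (time, event_id, subject, target, group) tuples."""
    events = []
    for line in log.strip().splitlines():
        ts, eid, subject, target, group = line.split("|")
        events.append((datetime.fromisoformat(ts), int(eid), subject, target, group))
    return sorted(events)


def detect_admin_lockout(log, window=timedelta(hours=1), min_resets=2):
    """Return [(new_account, [admins whose passwords it reset])] for accounts that
    were created, promoted to Domain Admins, and reset >= min_resets admin
    passwords within `window` of the promotion."""
    created = {}               # account -> creation time
    promoted = {}              # account -> time it joined Domain Admins
    resets = defaultdict(set)  # new admin -> set of admins it reset
    for ts, eid, subject, target, group in parse(log):
        if eid == 4720:
            created[target] = ts
        elif eid == 4728 and group == "Domain Admins" and target in created:
            promoted[target] = ts
        elif eid == 4724 and subject in promoted and target in KNOWN_ADMINS:
            if ts - promoted[subject] <= window:
                resets[subject].add(target)
    return [(acct, sorted(v)) for acct, v in resets.items() if len(v) >= min_resets]


if __name__ == "__main__":
    for acct, victims in detect_admin_lockout(SAMPLE_LOG):
        print(f"ALERT: new domain admin {acct} reset passwords of {', '.join(victims)}")
```

The routine helpdesk reset by an account that was never promoted is ignored, so the rule fires only on the create-promote-reset sequence.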
To help defend your organization against ransomware attacks, Sophos offers several tips.
- Set up a training program for your employees to help them recognize the kind of emails that attackers use and the demands they might make as part of a ransomware attack.
- Establish a 24/7 contact point for your employees to report any suspicious activity on the part of a potential attacker.
- Implement a process to scan for possible malicious insider activity, such as employees who try to gain access to unauthorized accounts or assets.
- Continuously monitor your network security and watch for the five early signs that an attacker is present, so you can stop a ransomware attack before it does damage.
- Disable any instances of internet-facing remote desktop protocol (RDP) to prevent attackers from accessing your network. If employees need remote access to an internal system, put it behind a VPN or a zero-trust connection and be sure that multi-factor authentication is in effect.
- Regularly back up your critical data and keep at least one backup instance offline. Adopt the 3-2-1 method for backups: keep three copies of the data on two different systems, with one of them offline.
- To stop attackers from disabling your security, turn to a product with a cloud-hosted management console that offers MFA and role-based administration to restrict access.
- Set up an effective incident response plan and update it as needed.