How ransomware attackers are doubling their extortion tactics

Cybercriminals are threatening not only to hold sensitive data hostage but also to release it publicly unless the ransom is paid, says cyber threat intelligence provider Check Point Research.

How to protect your organization and remote workers against ransomware
11:53

The rise of ransomware poses a threat to all types of organizations, from small businesses to large corporations to hospitals to government agencies. Cybercriminals rely on the expectation that at least some organizations will succumb to the ransom demands in hopes of getting back sensitive and often irreplaceable files. But to amp up the threat, attackers are now doubling their extortion tactics by also threatening to release the sensitive information publicly unless the victims pay up.

A report published Thursday by Check Point Research illustrates how these ransomware attacks work. In a trend seen rising during the first quarter of 2020, attackers extract large quantities of sensitive commercial information. Beyond demanding money to decrypt the stolen data, the criminals promise to publish it as a way to put more pressure on organizations unsure how to respond to the threat.

SEE: Ransomware: What IT pros need to know (free PDF) (TechRepublic) 

In one such case from November 2019, attackers used the Maze ransomware to steal sensitive data from American security staffing company Allied Universal and then demanded 300 Bitcoins (around $2.3 million) to decrypt it. After Allied Universal refused to pay the ransom, the criminals said they would use the stolen email and domain name certificates for a spam campaign impersonating the company. The attackers even published samples of the files, including contracts, medical records, and encryption certificates. They also later posted a link claiming to point to 10% of the stolen data along with a new ransom demand that was 50% higher.

ransomware-demand-allied-universal-check-point-research.jpg

Image: Check Point Research

In a recent case, hackers using the Sodinokibi ransomware (aka REvil) stole sensitive files from the National Eating Disorders Association and downloaded the information onto their servers. In a blog post, REvil warned the association that if it refused to negotiate, the information would be published on the blog. On April 4, the attackers followed through on their threat and leaked the files, according to online news site Medium.

ransomware-demand-national-eating-disorders-association-check-point-research.jpg

Image: Check Point Research

In a case that took place this past New Year's Eve, the REvil operators launched a cyberattack against foreign exchange firm Travelex in which they stole dates of birth, credit card information, and national insurance numbers. The attackers gave Travelex just two days to pay a ransom of $6 million. If not, the ransom demand would double. If no payment was received within a week, the operators promised to sell the entire database. Travelex was forced to go offline for three weeks to recover from the attack.

Hospitals are often a tempting target for ransomware attacks, especially during medical crises. Hospital employees can be so focused on patient care and on emergencies that they may forget proper security procedures. Hospitals also hold sensitive patient and health records, which are valuable on the dark web. Plus, hospitals may not be up to date on security products and patches.

With the coronavirus causing death and devastation around the world, some ransomware groups have promised to leave hospitals alone during this period. After being criticized for attacking a UK medical firm working on COVID-19, the Maze group issued a public statement saying it would stop all activity against medical organizations until the virus situation stabilizes. However, promises by criminals don't mean much, so hospitals still need to be on their guard against ransomware attacks, especially ones that use the double extortion tactic.

"Double extortion is a clear and growing ransomware attack trend," Loten Finkelsteen, Check Point's manager of threat intelligence, said in a press release. "In this tactic, threat actors corner their victims even further by dripping sensitive information into the darkest places in the web to substantiate their ransom demands. We're especially worried about hospitals having to face this threat. With their focus on coronavirus patients, addressing a double extortion ransomware attack would be very difficult. We issue caution to hospitals and large organization, urging them to back up their data and educate their staff."

SEE: Coronavirus: Critical IT policies and tools every business needs (TechRepublic Premium)

For hospitals and other organizations susceptible to ransomware, Check Point offers the following advice:

  • Back up your data and files. It's vital that you consistently back up your important files, preferably using air-gapped storage [which is physically isolated from unsecure networks]. Enable automatic backups, if possible, for your employees, so you don't have to rely on them to remember to execute regular backups on their own.
  • Educate employees to recognize potential threats. The most common infection methods used in ransomware campaigns are still spam and phishing emails. Quite often, user awareness can prevent an attack before it occurs. Take the time to educate your users, and ensure that if they see something unusual, they report it to your security teams immediately.
  • Limit access to those that need it. To minimize the potential impact of a successful ransomware attack against your organization, ensure that users only have access to the information and resources required to execute their jobs. Taking this step significantly reduces the possibility of a ransomware attack moving laterally throughout your network. Addressing a ransomware attack on one user system may be a hassle, but the implications of a network-wide attack are dramatically greater.
  • Keep signature-based protections up to date. From the security side of things, it is certainly beneficial to keep antivirus and other signature-based protections in place and up to date. While signature-based protections alone are not sufficient to detect and prevent sophisticated ransomware attacks designed to evade traditional protections, they are an important component of a comprehensive security posture. Up-to-date antivirus protections can safeguard your organization against known malware that has been seen before and has an existing and recognized signature.
  • Implement multi-layered security, including Advanced Threat Prevention technologies. In addition to traditional signature-based protections like antivirus and IPS (intrusion prevention systems), organizations need to incorporate additional layers to prevent against new, unknown malware that has no known signature. Two key components to consider are threat extraction (file sanitization) and threat emulation (advanced sandboxing). Each element provides distinct protection, that when used together, offer a comprehensive solution for protection against unknown malware at the network level and directly on endpoint devices.

Also see

istock-803934282.jpg

Image: Zephyr18, Getty Images/iStockphoto