Cybercriminals who specialize in ransomware have already been using double extortion tactics in which they not only decrypt stolen data but also threaten to leak it publicly unless the ransom is paid. Now, some attackers have progressed to a triple extortion tactic with the intent of squeezing out even more money from their malicious activities. In a report published Wednesday, cyber threat intelligence provider Check Point Research describes how this latest tactic is playing out.
SEE: Ransomware: What IT pros need to know (free PDF) (TechRepublic)
Ransomware ramps up
The number of organizations affected by ransomware so far this year has more than doubled, compared with the same period in 2020, according to the report. Since April, Check Point researchers have observed an average of 1,000 organizations impacted by ransomware every week. For all of 2020, ransomware cost businesses worldwide around $20 billion, more than 75% higher than the amount in 2019.
The healthcare sector has been seeing the highest volume of ransomware with around 109 attacks per organization each week. Amid news of a ransomware attack against gas pipeline company Colonial Pipeline, the utilities sector has experienced 59 attacks per organization per week. Organizations in the insurance and legal sector have been affected by 34 such attacks each week.
Around the world, organizations in the Asia Pacific region have been victims of the highest number of ransomware attacks with 51 per week. On average, North American organizations have seen 29 attacks per week, while those in Europe and Latin America have each witnessed 14 attacks each week.
The double extortion tactic has proven extremely popular and profitable among ransomware gangs. Last year, more than 1,000 companies found that their data had been leaked publicly after they refused to cave into the ransom demands. Over that time, the average ransom payment jumped by 171% to around $310,000.
But, a tactic that started toward the end of 2020 and has continued into 2021, is triple extortion, Check Point said. In this scenario, the criminals send ransom demands not only to the attacked organization but to any customers, users or other third parties that would be hurt by the leaked data.
In one incident from last October, 40,000-patient Finnish psychotherapy clinic Vastaamo was hit by a breach that led to the theft of patient data and a ransomware attack. As expected, the attackers demanded a healthy sum of ransom from the clinic. They also emailed the patients directly, demanding smaller sums of money or else they would leak their therapist session notes. Due to the breach and the financial damage, Vastaamo was forced to declare bankruptcy and ultimately shut down its business.
In another example from this past February, the REvil ransomware group announced that it was adding more tactics to its double extortion ploy, namely DDoS attacks and phone calls to the victim’s business partners and the media. Freely offered to affiliates as part of the group’s ransomware-as-a-service business, the DDoS attacks and voice-scrambled VoIP calls are designed to apply greater pressure on the company to cough up the ransom.
“Third-party victims, such as company clients, external colleagues and service providers, are heavily influenced and damaged by data breaches caused by these ransomware attacks, even if their network resources are not targeted directly,” Check Point said in its report. “Whether further ransom is demanded from them or not, they are powerless in the face of such a threat and have a lot to lose should the incident take a wrong turn. Such victims are a natural target for extortion and might be on the ransomware groups’ radar from now on.”
Check Point offers several tips to help organizations better defend themselves against the rise in ransomware attacks.
- Raise your guard around weekends and holidays. Most ransomware attacks occur on weekends and holidays when people are less likely to be on the lookout for them.
- Keep your patches up to date. When the infamous WannaCry attack hit in May 2017, a patch was already available for the exploited EternalBlue flaw. Many organizations had failed to install it, leading to a ransomware attack that affected more than 200,000 computers in just a few days. Be sure to keep your computers and systems up to date with the latest patches, especially ones considered critical.
- Use anti-ransomware tools. Some attackers send targeted spearphishing emails to trick employees into revealing account credentials that can open up access to the network. Protecting against this form of ransomware requires a special security tool. Anti-ransomware tools monitor programs on a computer for any suspicious behavior. If such behavior is identified, the tool can stop the encryption of sensitive files before any damage is done.
- Educate users. Train users on how to identify and avoid possible ransomware attacks. Many such attacks begin with a phishing email that coaxes the recipient to click on a malicious link. Educating employees on these types of emails can stop an attack before it’s too late.
- Stop ransomware before it starts. Ransomware attacks don’t start with ransomware—many start with malware infections. Scan your network for such malware as Trickbot, Emotet and Dridex as they can pave the way for ransomware.