This year has brought not only a pandemic but also a global remote workforce that requires access to sensitive data and enterprise networks. As a result, the industry has noticed a shift from plain ransom to double extortion. In this scheme, the ransomware operators first exfiltrate data and only then encrypt the system. The stolen data includes databases, password lists, accounting spreadsheets and Office documents, among other things.
Double extortion is a new approach among ransomware groups in 2020. Backups are now useless against it, as malicious actors threaten to leak or auction off company secrets regardless of whether the files can be restored. Through double extortion, cybercriminals want to force the victim’s hand into payment. It is a direct response to the increased use of offsite and offline backups.
Companies have understood the growing threat of ransomware and have shielded themselves from damage by restoring their files from offline backups. Disconnected from the network, offline backups cannot be attacked by ransomware. Through data exfiltration, malicious actors can ensure the threat of leaking confidential information will lead to a ransom, whether the victim has backups or not.
Vendors, partners and customers of hard targets have also become collateral victims of double extortion ransomware, our research found. Third parties are attacked because they are soft targets from which data exfiltration is easy. In some cases, it is not even the victim’s fault that its data has been stolen in a ransomware attack. Even if a business follows best practices and secures its networks, vulnerabilities at third parties, business partners and clients can still compromise its security.
Organized crime groups and their victims
Ransomware crime gangs have taken their operations to the next level, boasting on the dark web about their achievements. There are nine major groups that use their websites to publish or auction off victims’ sensitive and confidential data: DoppelPaymer, Maze, NetWalker, CLOP, Ragnar Locker, REvil, Pysa (Mespinoza), Nefilim and Sekhmet. To prove they are not lying, some have published images of the stolen repositories, victim photos, passport screenshots, company emails and contracts taken from a company server.
While the geographical distribution of successful attacks could simply be random, country wealth and size could explain some of the results. The United States, the UK and France are among the most developed countries in the world. While Canada has a much smaller economy and population, it has a long-standing history of collaboration with the United States. The interlinked economies of Canada and the United States have thus produced clusters of companies on both sides of the border that regularly communicate with each other and are potentially spreading ransomware infections. Similar clusters are also visible in Europe, South America and Asia.
Size of business
Firms targeted by double extortion ransomware ranged from electronics manufacturers and textile firms to defense contractors and commercial printers. Ransomware groups have different levels of success depending on the size of the target. Malicious actors tend to prefer companies with between 50 and 200 employees, a bracket that accounts for over two-thirds of double extortion ransomware attacks.
The smallest and largest companies experienced the fewest attacks, likely because firms with very few employees cannot provide much value, while the largest firms tend to have more robust security. Regardless of size, one reason some of the companies may have been targeted is their business connection with Fortune 1000 companies.
Backups are no longer effective in breach mitigation
Companies used offline backups in the past as an effective second line of defense to mitigate ransomware breaches. With cyber-extortion, a failure in security software means that backups, even offline ones, are no longer effective on their own. The combination of cyber-extortion with ransomware has increased the importance of threats that originate outside the company’s own network. Ransomware groups have always targeted corporate networks, but companies that developed mature security procedures and enforced their industry’s best practices could limit the number and impact of breaches. Since ransomware groups are now targeting third parties, companies are again vulnerable, as they have little control over how the data they have shared with their business partners is protected.

Even though there is no silver bullet for cybersecurity, companies can still take measures to protect themselves. Training employees to recognize threats, installing security software and deploying tools to monitor web pages associated with ransomware groups could help prevent data leaks and reduce the impact of an attack. These simple and accessible measures may help balance the struggle between companies and ransomware groups.