How Does It Work?
Good data backups can defeat traditional ransomware. If an organization has another copy of its data, it does not need to pay for a decryption key to restore it.
Double extortion ransomware overcomes this challenge by combining data theft with data encryption. By stealing data and threatening to leak it if a ransom isn’t paid, the ransomware operator can successfully extort ransoms even if an organization has backups and could otherwise recover without payment.
Attack Sequence of Double Extortion Ransomware
Double extortion ransomware adds stages to the attack chain of a ransomware infection, and typically includes the following steps:
- Initial Access: The malware gains initial access to the corporate network, likely via a user workstation.
- Lateral Movement: The malware moves through the corporate network to a higher-value target, such as a database server.
- Data Exfiltration: The ransomware exfiltrates sensitive information to the attacker before performing highly visible encryption operations.
- Data Encryption: The malware encrypts files on infected systems.
- Ransom Demand: The ransomware demands a ransom to decrypt files or delete stolen data.
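The sequence above has a defender-visible signature: a burst of outbound traffic from a host (exfiltration) shortly before a burst of file modifications on the same host (encryption). The following script, an added example that is not Check Point's code, correlates constructed sample events to flag hosts that show that order. The event format, the byte and file-count thresholds and the two-hour window are all assumptions chosen for illustration.

```python
"""Correlate egress volume and file-modification events to spot the
exfiltrate-then-encrypt order of a double extortion attack.
Added example; the telemetry shape and thresholds are assumed, not from any product."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry): (timestamp, host, kind, value).
#   kind "egress"  -> value is bytes sent to external destinations in that interval
#   kind "filemod" -> value is number of files modified in that minute
SAMPLE_EVENTS = [
    ("2024-01-10T01:00:00", "db-srv-01", "egress", 2_000_000),
    ("2024-01-10T01:05:00", "db-srv-01", "egress", 900_000_000),
    ("2024-01-10T01:10:00", "db-srv-01", "egress", 1_100_000_000),
    ("2024-01-10T01:40:00", "db-srv-01", "filemod", 4800),
    ("2024-01-10T01:41:00", "db-srv-01", "filemod", 5100),
    ("2024-01-10T01:00:00", "ws-042", "egress", 5_000_000),
    ("2024-01-10T01:30:00", "ws-042", "filemod", 12),
]

EGRESS_THRESHOLD = 500_000_000   # bytes per interval treated as an exfiltration spike (assumed)
FILEMOD_THRESHOLD = 1000         # file modifications per minute treated as mass encryption (assumed)
WINDOW = timedelta(hours=2)      # maximum gap between the two bursts (assumed)


def find_double_extortion_sequences(events, egress_threshold=EGRESS_THRESHOLD,
                                    filemod_threshold=FILEMOD_THRESHOLD, window=WINDOW):
    """Return {host: (exfil_time, encrypt_time)} for every host where an egress
    spike is followed, within `window`, by a mass file-modification burst.
    A file burst with no preceding egress spike is not reported by this rule."""
    exfil = defaultdict(list)
    encrypt = defaultdict(list)
    for ts, host, kind, value in events:
        t = datetime.fromisoformat(ts)
        if kind == "egress" and value >= egress_threshold:
            exfil[host].append(t)
        elif kind == "filemod" and value >= filemod_threshold:
            encrypt[host].append(t)

    hits = {}
    for host, exfil_times in exfil.items():
        for enc_time in sorted(encrypt.get(host, [])):
            # Egress spikes that happened before this burst and within the window.
            preceding = [x for x in exfil_times if x <= enc_time and enc_time - x <= window]
            if preceding:
                hits[host] = (min(preceding), enc_time)
                break
    return hits


if __name__ == "__main__":
    for host, (x, e) in find_double_extortion_sequences(SAMPLE_EVENTS).items():
        print(f"{host}: egress spike at {x:%H:%M}, mass file changes at {e:%H:%M}")
```

The rule deliberately requires both bursts in order, so a legitimate bulk copy to cloud storage (egress only) or a large software rollout (file modifications only) does not fire on its own; in practice the thresholds would be derived from each host's baseline rather than fixed constants.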
Potential Risks and Impacts
A successful ransomware infection can be extremely damaging to an organization. Some of the most common impacts include the following:
- Financial Losses: Double extortion ransomware carries various potential costs to the business. In addition to the cost of remediating the incident, the company may lose sales during the attack and may need to pay legal and regulatory penalties.
- Reputational Damage: A successful ransomware attack may cause harm to an organization’s reputation and brand. The failure to protect customer data and the potential for interrupted services due to the attack may cause customer churn or force the company to pay restitution to affected customers.
- Data Loss: Some forms of double extortion ransomware encrypt data as well as steal it. Even if an organization pays the ransom or has backups, not all data may be recovered.
- Regulatory Penalties: A ransomware group stealing sensitive data is a reportable data breach. An organization may be liable to pay regulatory penalties as a result.
Examples of Double Extortion Ransomware
Many ransomware groups have adopted the double extortion methodology. Some of the most well-known include:
- Maze: The Maze ransomware group emerged in 2020 and pioneered double extortion ransomware attacks.
- REvil: REvil is a ransomware as a service (RaaS) group that was first detected in 2019.
- DarkSide: DarkSide is a RaaS group that emerged in 2020 and is famous for the Colonial Pipeline hack.
- BlackMatter: BlackMatter emerged in 2021 and claims to succeed the REvil and DarkSide groups, which are no longer in operation.
- LockBit: LockBit emerged in 2019 and is a RaaS that uses self-spreading malware in its attacks.
How to Prevent Double Extortion Ransomware Attacks
Some cybersecurity best practices to protect the organization against ransomware attacks include the following:
- Cybersecurity Awareness Training: Many ransomware variants use social engineering attacks, such as phishing, to gain access to an organization’s network. Training employees to identify these threats and respond appropriately reduces the risk of an incident.
- Data Backups: While double extortion ransomware incorporates data theft, it also can encrypt valuable data. Data backups enable an organization to restore its data without needing to decrypt it.
- Patching: Some ransomware variants exploit software vulnerabilities to access and infect computers. Promptly applying patches and updates can help to close these security gaps before they can be exploited.
- Strong User Authentication: RDP and other remote access protocols are commonly used to infect corporate systems with ransomware. Deploying strong authentication — including multi-factor authentication (MFA) — can help prevent attackers from using compromised credentials to distribute malware.
- Network Segmentation: Ransomware groups will often need to move laterally through an organization’s network from the point of initial infection to high-value systems. Network segmentation — which breaks the network into isolated sections — can aid in detecting and preventing this lateral movement.
- Anti-Ransomware Solutions: Ransomware’s file encryption creates a distinctive activity pattern on a computer, and many variants have known signatures. Anti-ransomware solutions can identify and block or remediate ransomware infections before they cause significant harm to the business.
- Threat Intelligence: Knowledge of the latest ransomware attack campaigns is invaluable for protecting against them. Integrating threat intelligence feeds with cybersecurity solutions enables them to more accurately identify and block ransomware attacks.
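The "distinctive activity pattern" of file encryption mentioned under Anti-Ransomware Solutions can be illustrated with two cheap signals: written content whose byte entropy is close to the 8-bit maximum (plain documents score far lower) and a document that reappears with an extra extension appended. The script below is an added example, not Check Point's detection logic; the entropy threshold, the extension list, the sample file contents and the deterministic stand-in for encrypted output are all constructed for illustration.

```python
"""Flag file writes that look like ransomware encryption output: near-maximal byte
entropy plus a document renamed with an appended extension.
Added example; thresholds, extension list and sample data are assumed/constructed."""
import hashlib
import math
import os
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte; 8.0 is the maximum (uniformly random bytes)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def constructed_ciphertext(n: int, seed: bytes = b"constructed") -> bytes:
    """Deterministic high-entropy bytes (a SHA-256 chain) standing in for an
    encrypted file so the sample runs offline and repeatably. Not real ciphertext."""
    out, block = b"", seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]


# Constructed sample writes (path, content); not taken from a real incident.
PLAINTEXT = b"Quarterly revenue report. Region north: 1,204,000. Region south: 998,500.\n" * 20
SAMPLE_WRITES = [
    ("/srv/docs/report.docx", PLAINTEXT),
    ("/srv/docs/report.docx.locked", constructed_ciphertext(2048, b"report")),
    ("/srv/docs/notes.txt.locked", constructed_ciphertext(2048, b"notes")),
    ("/srv/docs/readme.txt", b"plain text " * 100),
]

ENTROPY_THRESHOLD = 7.5                      # assumed; compressed archives also score high
KNOWN_DOC_EXTS = {".docx", ".xlsx", ".txt", ".pdf"}  # assumed list of business document types


def classify_write(path: str, content: bytes) -> list[str]:
    """Return the reasons this write resembles ransomware output (empty if none)."""
    reasons = []
    if shannon_entropy(content) >= ENTROPY_THRESHOLD:
        reasons.append("high-entropy content")
    base, ext = os.path.splitext(path)
    # e.g. report.docx.locked -> base "report.docx", ext ".locked"
    if os.path.splitext(base)[1] in KNOWN_DOC_EXTS and ext not in KNOWN_DOC_EXTS:
        reasons.append(f"document renamed with appended extension {ext}")
    return reasons


def suspicious_writes(writes, min_reasons: int = 2) -> list[str]:
    """Paths whose write matches at least `min_reasons` signals. Requiring both
    signals keeps legitimate high-entropy files (zip, jpeg) from firing alone."""
    return [p for p, c in writes if len(classify_write(p, c)) >= min_reasons]


if __name__ == "__main__":
    for path, content in SAMPLE_WRITES:
        print(f"{path}: entropy={shannon_entropy(content):.2f} reasons={classify_write(path, content)}")
    print("suspicious:", suspicious_writes(SAMPLE_WRITES))
```

A real anti-ransomware agent would combine these per-file signals with rate (how many such writes per second from one process) and with canary files, and would act on the writing process rather than on individual files; the point here is only that encryption output is measurably different from the documents it replaces.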
Prevent Ransomware Attacks with Check Point
Double extortion ransomware attacks pose a significant threat to businesses since they can defeat backups as a ransomware defense. To learn more about defending against this threat, check out the CISO Guide to Ransomware Prevention.
Ransomware is one of many cyber threats that organizations face, as detailed in Check Point’s Cyber Security Report. Check Point Harmony Endpoint offers strong protection against ransomware and other endpoint security threats. To learn more about managing the endpoint security threat to your company, sign up for a free demo.