By the time you have finished reading this sentence, an organization somewhere in the world will have fallen victim to a and had at least some of its corporate data encrypted.  On average, the criminals behind ransomware attacks hit a new organization during 2020. Less than five years ago, the cadence of attacks was around one every – showing just how the cyber-crime economy relies on ransomware as a revenue generator. ransomware attack every 10 seconds 40 seconds It’s , according to Cybersecurity Ventures, that ransomware cost businesses worldwide around $20 billion in 2020, a figure that’s nearly 75% higher than in 2019.  And as if that wasn’t bad enough, criminals have added a new tactic to the familiar ransomware playbook which puts added pressure on victims to meet their demands. estimated This new approach is known as ‘double extortion,’ and involves two key stages.  First, the ransomware gang stealthily infiltrates the target’s network and steals volumes of sensitive data;  then having taken the data, they then deploy ransomware to encrypt files.  The attackers then threaten to release the breached data publicly unless the ransom payment is paid within the designated timeframe – and usually publish a sample of the stolen data on the public Internet to prove their intentions.  This puts additional pressure on victims to meet the attackers’ demands, as well as exposing the victim to penalties from data watchdogs for the data breach, and the need to alert affected customers, partners and consumers whose data was breached. In these instances, it really can feel like a lose-lose situation for companies that have been targeted. Perhaps that’s why so many victims are still willing to pay the criminals, even from the likes of the FBI.  A survey of more than 600 business leaders found that 7 in 10 had, at some point, paid a ransom to regain control of their data. This willingness to pay inevitably fuels further ransomware attacks, and the ‘double extortion’ method simply ratchets the pressure on victims to the next level. against strong recommendations Extortion escalates And over the past 12 months, double extortion attacks have become increasingly common as its ‘business model’ has proven effective. The data center giant Equinix was by the Netwalker ransomware. The threat actor behind that attack was also for the attack against K-Electric, the largest power supplier in Pakistan, demanding $4.5 million in Bitcoin for decryption keys and to stop the release of stolen data. Other companies known to have suffered such attacks include the French system and software consultancy Sopra Steria; the Japanese game developer ; the Italian liquor company ; the US military missile contractor ; the global aerospace and electronics engineering group ; travel management giant , who paid $4.5M in Bitcoin to the Ragnar Locker ransomware operators; business services giant ; even soccer club . hit responsible Capcom Campari Group Westech ST Engineering CWT Conduent Manchester United Research that in Q3 2020, nearly half of all ransomware cases included the threat of releasing stolen data, and the average ransom payment was $233,817 – up 30% compared to Q2 2020.  And that’s just the average ransom paid.  In a recent attack, the victim a remarkable $34 million.  And of course, even when ransom demands are met, there is still no guarantee that the attackers will honor their promise to release the files, and keep stolen data out of the public domain.   This is one of the main reasons why at Check Point, we don’t recommend paying ransoms, either from company funds or via cyber-insurance policies.  This merely feeds the criminal economy and encourages criminals to attack again. shows paid How to avoid being held to ransom So how should organizations defend themselves against both conventional ransomware and double-extortion attacks?  It’s important to note that in many cases, ransomware is not delivered directly to networks, but is preceded by an initial trojan infection planted by the ransomware gang – especially the Trickbot trojan.  IT teams should be vigilant for any signs of a trojan on their networks, and in preventing these pre-infections, regularly updated anti-virus software plays a key role.  We recommend running a full compromise assessment any time there are signs of intrusion. The other main infection vector involves RDP (Remote Desktop Protocol) ransomware. Threat actors identify open RDP servers and either perform a brute force login attack or utilise phished credentials to gain access to RDP servers.  Once on the server, the attacker obtains elevated privileges and moves laterally to plant ransomware on network endpoints.  To protect against this vector, organizations should patch relevant RDP vulnerabilities and protect their RDP servers with strong passwords and two-factor authentication. The other main infection vector involves RDP (Remote Desktop Protocol) ransomware. Threat actors identify open RDP servers and either perform a brute force login attack or utilise phished credentials to gain access to RDP servers.  Once on the server, the attacker obtains elevated privileges and moves laterally to plant ransomware on network endpoints.  To protect against this vector, organizations should patch relevant RDP vulnerabilities and protect their RDP servers with strong passwords and two-factor authentication.

Check Point

Target

How to Protect Your Organization from Double Extortion Ransomware

About Author

Comments

TOPICS

THIS ARTICLE WAS FEATURED IN

Related Stories

Best Practice: Identifying And Mitigating The Impact Of Sunburst

47 Stories To Learn About Checkpoint

Best Practice: Identifying And Mitigating The Impact Of Sunburst

Check Your Privilege: Designing Cloud Infrastructures According to the Least Privilege Principle

Cloud Sourcing as a Crucial Component in Threat Prevention

Cloud Threat Hunting: Investigating Lateral Movement

Best Practice: Identifying And Mitigating The Impact Of Sunburst

47 Stories To Learn About Checkpoint

Best Practice: Identifying And Mitigating The Impact Of Sunburst

Check Your Privilege: Designing Cloud Infrastructures According to the Least Privilege Principle

Cloud Sourcing as a Crucial Component in Threat Prevention

Cloud Threat Hunting: Investigating Lateral Movement

Light-Mode

Classic

Newspaper

Minty

Dark-Mode

Neon Noir

Minty

HN StartUps