The ransomware industry has come a long way, from the early days of the AIDS Trojan to the modern, very business-like Ransomware-as-a-Service model preying on businesses of all sizes. Now a newer tactic called “double extortion”, in which the attackers not only encrypt a company’s files but also steal them and threaten to publish the data unless the ransom is paid, has taken off during the pandemic.
This evolution puts companies, and the consumers whose data those companies hold, in a difficult position, and ransomware attacks appear to be ramping up. Looking at the numbers, it’s easy to see why:
- 70% of enterprise ransomware victims have paid their ransoms, with sums between $20,000-$40,000
- Consumer ransomware victims are paying out $500-$1,000 ransoms
- Ransomware is expected to net cybercriminals $20 billion in 2021
- Cybercrime could cost companies $5.2 trillion over 2019-2023 in additional costs and lost revenue
To make matters even worse, the cybercriminal gangs are targeting organizations of all sizes: 62% of cybercrime victims in 2019 were small and medium-sized businesses.
But it isn’t only businesses that should be concerned about the rising threat of ransomware. Luca Mella, creator of a website that tracks the double extortion tactic, tells CyberNews that consumers should be more worried than the businesses’ press releases are letting on. “With the double extortion practice, a huge amount of data, in many cases even hundreds of GB [gigabytes], goes into the hands of criminals.”
This is very worrying, he says. “How would you feel knowing your personal data, ID document scans, CV, bills, payroll, purchase order, or any other kind of such information is now available to international criminal organizations, cyber-criminals and local fraudsters?”
Should these ransomware cartels sell consumers’ personal data, it can be used for anything from phishing to identity theft. Ultimately, everyone should be worried about ransomware and its massive growth.
REvil’s double extortion tactic
REvil, also known as Sodin or Sodinokibi, is one of the ransomware groups that pioneered “double extortion”, a two-pronged approach of locking companies out of their own files while also threatening to publish or sell the stolen data if the ransom isn’t paid. (Maze is generally credited with the first public use of the tactic, in late 2019; REvil’s twist was to put the stolen data up for auction.)
REvil likely grew out of the now-defunct GandCrab gang, mostly because REvil became active right after GandCrab exited and the ransomware used by both groups has significant code similarities. GandCrab, for its part, claimed to have collected more than $2 billion in ransom payments, with its operators making $2.5 million per week.
REvil escalated the tactic in June 2020, when it began auctioning off the stolen data of a Canadian agricultural production company that refused to pay the ransom.
Other groups, such as Maze and DoppelPaymer, run the same playbook, with considerable success.
For example, in July 2020 the University of Utah was hit by ransomware (the attack was widely attributed to the NetWalker operation). The university restored its systems from backups, but the attackers had exfiltrated data before encrypting it and threatened to leak student information. For that reason, the university paid a $457,059 ransom.
Without the double extortion tactic, the cybercrime cartel would have taken the loss.
Evolving business structure
One more important thing to note: ransomware groups have “evolved” not only their tactics but also their organizational structure. Where before a particular ransomware strain was linked to a particular group, “cartels” have now formed that operate much like mafia families or business conglomerates.
These cartels also have “affiliates” that do the hands-on intrusion work for them: initial access, privilege escalation and lateral movement. The affiliates leave backdoors and beacons in the victim network, and the core group uses that access to exfiltrate data and deploy the ransomware; in return, the affiliate receives a percentage of the ransom.
Affiliate programs work in one of two ways: the cartel assigns targets to small affiliate teams, or the teams pick their own. Once a target’s network has been infiltrated, the affiliates hand the access and attack information over to the cartel and collect their cut. The cartel then exfiltrates the data and encrypts it on the target’s systems.
Further, they collaborate with other cybercrime gangs to share resources, coordinate leaks of victim data and extort their victims. For example, the Maze cartel was reported to include the ransomware groups Maze, LockBit, Ragnar Locker, Conti and SunCrypt.
Beyond that, these ransomware cartels have also evolved their service offerings, mimicking the subscription-based Software-as-a-Service (SaaS) model. These cartels now offer Ransomware-as-a-Service, where new entrants – individuals or groups – to the ransomware industry no longer need to develop their own malware or have the necessary infrastructure. These groups have a “done for you” model that even non-technical attackers can utilize to attack and extort victims.
Measuring double extortion
When looking at the data from Luca Mella’s double extortion tracker over the last few months, we can see that there are spikes of public disclosures of breaches, rather than any consistent trend:
When we looked at the total number of public databases made available for download on a popular hacking forum, we noticed the same pattern:
It’s important to note that the real amount of companies affected by ransomware attacks is unknown. Mella told CyberNews, “In the double extortion practice we can notice just a little of the whole activity. Especially because the companies who negotiate the payment go unnoticed, and several cyber insurances cover the ransom payment too.”
One way to look for trends is to count how many breaches the attackers themselves leak. This ties directly to the double extortion tactic: cartels leak parts of a victim’s database to add pressure during their “negotiations.”
In fact, some of the leaks we’ve encountered have been posted for this exact reason, such as for Miami-based Intcomex:
However, looking at claimed or leaked breaches alone doesn’t really present a proper picture. When we look at the claimed leaks by ransomware actor, the trend becomes clearer:
While Mella’s analysis only started in August 2020, the trend is clear: the number of claimed double extortion victims is rising, with several gangs increasing their output month over month.
Their targeting is broad, with manufacturing and retail the most attacked industries:
After running the tracker for a while, Mella came to a sobering conclusion: double extortion operators don’t seem to be discriminating at all in the targets they choose.
“I was initially thinking these groups were targeting only high value targets for huge payments,” Mella told CyberNews, “but the data showed me they actually attack any kind of company: from multi-billion corporations down to a $5 million local SMB.”
He also noticed that they generally go after a number of professional services, law firms and retail businesses, perhaps because these are traditionally less cybersecurity ready than mature sectors like banking.
“One of the things that most surprised me was the profound variety of impacted industries, including many health care and non-profit organizations.”
When looking at which ransomware groups or affiliates are leading the attacks, we can see that Conti, Netwalker and Maze account for more than 53% of all attacks:
However, since the Maze cartel works with Conti and RagnarLocker, the cartel as a whole can be seen as the leading attack group, with a combined 39% of all attacks.
Ransomware and the pandemic
According to Mella, who collected a majority of the data, the global Covid-19 pandemic accelerated the double extortion practice, with gangs targeting private and public organizations, profiting from business interruptions, expanding their affiliate programs, and adding botnets to their arsenal.
Mella believes that the pandemic was a catalyst for many digital phenomena, including double extortion. Both the threat of Covid-19 and the lockdown worsened its impact, through two kinds of risk factor: changes to a company’s own IT, and the external threat landscape.
“In a matter of days a lot of companies were forced to open the security perimeter, put a huge part of the workforce in smartworking and, at the same time, introduce new technologies,” Mella tells CyberNews. “Too many changes in a very short time that only those who had a best-in-class security posture handled properly. Now, take these risk increasing factors, and apply them to each company’s suppliers.”
On the external side, he believes the cybercriminals realized these weaknesses and have started pushing harder. “At the end of 2019, double extortion affiliation services totalled just two or three; during 2020 they reached about a 10x increase,” he told CyberNews.
While all the data collected here should be taken with a grain of salt – cybercrime gangs claiming that they breached a company may be lying – it does present a sobering conclusion: ransomware was already a big problem in 2020, and its trajectory shows that it will be a much bigger problem in 2021 and beyond.
The evolution of ransomware tactics
The first instance of ransomware appeared in 1989 in what is known as the AIDS Trojan, written by Joseph Popp. It was far less effective than its modern equivalents: the files themselves were not encrypted but merely hidden on the victim’s computer, and only the file names were encrypted. Even then, the decryption key could be recovered from the Trojan’s own code.
Fast forward to the mid-2000s, when ransomware began to increase in prominence. By 2006, malware such as GPCode began appearing on corporate computers, encrypting files with extensions such as .doc, .html, .jpg, .xls, .zip and .rar. The ransomware then dropped a text file in each directory instructing victims to email a specified address and pay about $100-$200 for a decryption tool.
Even then, victims could often recover their data without paying any ransom.
However, as the cybercriminals became more sophisticated, they shipped their Trojans with ever-larger RSA keys. In January 2006, GPCode used a 56-bit RSA public key (cracked in 56 hours), but by June 2008 it was using a 1024-bit RSA key, which is not feasible to factor: estimates at the time ran to around 2 million years with the computers available. The lesson carries over to modern ransomware: once the per-victim file keys are wrapped with a correctly sized public key, they cannot be recovered without the operator’s private key.
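To make the key-size point concrete, here is an added example (not code from the article, and not GPCode’s real key): it generates a toy RSA key from two 28-bit primes, so a 55-bit modulus in the same class as GPCode’s 2006 key, wraps a constructed file key with it, and then recovers the private exponent from the public key alone with Pollard’s rho. Rho needs roughly the square root of the smaller prime in steps, which is why the toy modulus falls in a fraction of a second while a 1024-bit modulus (two 512-bit primes) is out of reach for it and for every public method. The prime generation and the file key are assumptions chosen for the demo; Python 3.8+ is needed for `pow(e, -1, phi)`.

```python
"""Factoring a toy 55-bit RSA modulus to recover a ransomware file key (added example)."""
import math


def is_prime(n: int) -> bool:
    """Deterministic Miller-Rabin; the fixed bases are sufficient for n < 3.3e24."""
    if n < 2:
        return False
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    for b in bases:
        if n % b == 0:
            return n == b
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def next_prime(n: int) -> int:
    while not is_prime(n):
        n += 1
    return n


def toy_keypair(bits_per_prime: int = 28, e: int = 65537):
    """RSA key with deliberately short primes (constructed toy key, not GPCode's)."""
    p = next_prime((1 << (bits_per_prime - 1)) | 12345)
    q = next_prime((1 << (bits_per_prime - 1)) | 54321)
    while math.gcd(e, (p - 1) * (q - 1)) != 1:
        q = next_prime(q + 1)
    n, phi = p * q, (p - 1) * (q - 1)
    return n, e, pow(e, -1, phi), p, q


def pollard_rho(n: int, c: int = 1):
    """Floyd-cycle Pollard rho. Returns (non-trivial factor, iterations used).
    Expected work is about sqrt(p) steps for the smaller prime factor p."""
    if n % 2 == 0:
        return 2, 0
    while True:
        x = y = 2
        d, steps = 1, 0
        while d == 1:
            x = (x * x + c) % n
            y = (y * y + c) % n
            y = (y * y + c) % n
            d = math.gcd(abs(x - y), n)
            steps += 1
        if d != n:
            return d, steps
        c += 1  # degenerate cycle: retry with a different polynomial


def break_public_key(n: int, e: int):
    """Recover the private exponent from the public key (n, e) alone by factoring n."""
    p, steps = pollard_rho(n)
    q = n // p
    d = pow(e, -1, (p - 1) * (q - 1))
    return d, min(p, q), max(p, q), steps


def demo() -> dict:
    n, e, d, p, q = toy_keypair()
    # Constructed stand-in for the per-victim file key that the malware wraps
    # with its public key; any integer below n works.
    file_key = 0x1234_ABCD_5678
    wrapped = pow(file_key, e, n)
    d_rec, p_rec, q_rec, steps = break_public_key(n, e)
    return {
        "modulus_bits": n.bit_length(),
        "factors_match": {p_rec, q_rec} == {p, q},
        "key_recovered": pow(wrapped, d_rec, n) == file_key,
        "rho_steps": steps,
    }


if __name__ == "__main__":
    print(demo())
```

Doubling the prime size squares the work for rho, so the same script with `bits_per_prime=64` would already take years; that scaling, not any cleverness in the malware, is what made the 2008 GPCode keys unbreakable.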
Ransomware really became much more profitable, and perhaps easier to operate, with the introduction of Bitcoin. In late 2013, the CryptoLocker ransomware spread, netting its creators roughly $27 million between 15 October and 18 December, 2013.
Ransomware ramped up, with new variants such as CryptoBlocker, OphionLocker and Pclock, which gave victims 72 hours to pay 1 bitcoin in ransom. If the victims didn’t pay, the files would be deleted.
Then Chimera came into play in 2015. This particular strain of ransomware worked by duping a company’s employees into clicking on links to malicious files hosted on Dropbox. Once infected, the attackers would demand around $700 in bitcoin for the decryption key. However, in a break from the standard ransomware process, the Chimera creators threatened to publish the victims’ files on the internet if they didn’t pay the ransom. There’s no evidence that any victim’s personal data was ever released online, but this escalation of ransomware tactics may have fueled the new normal of ransomware, known as “double extortion.”
Due to the structure of the cartels, with affiliates working loosely to infiltrate a target’s network, these ransomware groups use a wide variety of attack vectors. The Maze cartel, for example, employed compromised RDP sessions, weak user credentials and social engineering, among others.
In fact, the affiliate program is ingenious in its own way since it allows for much more decentralized creativity or innovation: the cartel group in effect doesn’t care how it’s done, and affiliates don’t get paid until it’s done. This also allows for cartel groups to have multiple operations going on at the same time, which would be difficult to manage and maintain if all the operations were centralized.
In light of that, organizations are best served by a Zero Trust security policy, summed up as “never trust, always verify”: every user and device, inside or outside the organization, must be authenticated and authorized before it is granted access to a system, and that access should be limited to what the task requires.
One crucial mitigation is keeping backups so that business operations aren’t interrupted by an attack. Those backups must be offline or immutable, since the intruders typically spend days inside the network before encrypting and will delete or encrypt any backup they can reach, and they must be restore-tested regularly.
However, backups address only one half of double extortion: they restore availability but do nothing about the stolen copy. Businesses therefore also need a proactive strategy that includes:
- Preventing malware from being delivered to devices: allow-list permitted file types, block malicious websites, etc.
- Protecting remote access devices: patch known vulnerabilities, enable MFA, use a secure VPN, apply the least privilege model
- Preventing the spread of malware through the network: use MFA, patch VPNs, firewalls, antivirus, devices and infrastructure, segment the network and keep obsolete platforms isolated
- Preventing any malware from running on devices: centrally manage devices, keep software up to date, install security updates ASAP and enable automatic updates
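The first item on that list is where most affiliates’ initial access begins, so here is an added example (not code from the article or from any product) of what “allow-list permitted file types” should mean in practice: an attachment passes only if its final extension is on the allow-list, no blocked extension hides earlier in the name (`invoice.pdf.exe`), the name carries no right-to-left override character, and the leading bytes match what the extension claims. The allow-list, the blocked-extension list, the signature table and the sample attachments are all constructed for the demo.

```python
"""Attachment allow-listing with content verification (added example)."""
from typing import Dict, List, Tuple

# Assumed policy: what a business mailbox may receive.
ALLOWED_EXT = {"pdf", "png", "jpg", "jpeg", "docx", "xlsx", "txt", "csv"}
# Extensions blocked anywhere in the name, not just at the end.
DANGEROUS_EXT = {"exe", "dll", "scr", "com", "pif", "js", "jse", "vbs", "wsf",
                 "ps1", "hta", "bat", "cmd", "lnk", "msi", "jar", "iso", "img", "vhd"}
# Leading bytes each allowed type must start with (small assumed signature table).
MAGIC = {
    "pdf": (b"%PDF-",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "docx": (b"PK\x03\x04",),
    "xlsx": (b"PK\x03\x04",),
}
RLO = "\u202e"  # Unicode right-to-left override: makes "scan\u202efdp.scr" display as "scanrcs.pdf"


def check_attachment(filename: str, data: bytes) -> Tuple[bool, str]:
    """Return (accepted, reason). Name tricks are checked first, then content."""
    if RLO in filename:
        return False, "right-to-left override in filename"
    parts = filename.lower().strip().split(".")
    if len(parts) < 2 or not parts[-1]:
        return False, "no extension"
    ext, inner = parts[-1], set(parts[1:-1])
    if ext in DANGEROUS_EXT:
        return False, f"blocked extension .{ext}"
    hidden = inner & DANGEROUS_EXT
    if hidden:
        return False, "double extension hides " + ", ".join(sorted(hidden))
    if ext not in ALLOWED_EXT:
        return False, f".{ext} is not on the allow-list"
    if data.startswith(b"MZ"):  # Windows PE header under a harmless-looking name
        return False, f"PE executable disguised as .{ext}"
    sigs = MAGIC.get(ext)
    if sigs and not data.startswith(sigs):
        return False, f"content does not match .{ext} signature"
    # Zip members are listed in clear text inside OOXML files, so a macro project
    # can be spotted even when the file was renamed from .docm/.xlsm.
    if ext in ("docx", "xlsx") and b"vbaProject.bin" in data:
        return False, "macro project inside a macro-free Office extension"
    return True, "accepted"


# Constructed sample attachments (name, leading bytes); none are real files.
SAMPLES: List[Tuple[str, bytes]] = [
    ("quarterly_report.pdf", b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n"),
    ("invoice.pdf.exe", b"MZ\x90\x00\x03\x00"),
    ("holiday.jpg", b"MZ\x90\x00\x03\x00"),
    ("scan\u202efdp.scr", b"MZ\x90\x00"),
    ("payroll.xlsx", b"PK\x03\x04" + b"\x14\x00xl/vbaProject.bin"),
    ("notes.txt", b"meeting at 10"),
    ("backup.iso", b"\x00" * 8),
]


def scan(samples=SAMPLES) -> Dict[str, Tuple[bool, str]]:
    return {name: check_attachment(name, data) for name, data in samples}


if __name__ == "__main__":
    for name, (ok, why) in scan().items():
        print(f"{'PASS' if ok else 'BLOCK':5} {name!r}: {why}")
```

The order of the checks is deliberate: name-based rules are cheap and catch the bulk of commodity lures, and the content checks then catch what a renamed payload slips past them. A real gateway would additionally open archives and detonate or sandbox what remains, which this snippet does not do.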
Nonetheless, Mella told CyberNews that prevention shouldn’t be the total focus of an organization’s strategy. Instead, businesses should be ready to respond. “With the right investment, a good security operation staff and quick cyber emergency response capabilities, it is possible to intercept the ransomware operators before they impact business and stakeholders trust.”