The Rise of Double Ransomware Extortion and How to Protect Against It

Data extortion is not a new tactic for threat actors. Big Game Hunting (BGH) is where actors steal and leak data to force ransom payments. However, if this threat does not work and the victim does not pay, the actor may add a further threat to release the data to someone else, usually a competitor: double ransomware extortion.

This blog takes a look at ransomware, BGH and extortion.



Ransomware and Big Game Hunting

Back in 2008, applications started to appear that showed phony alerts to victims and required payment to “clean up” malware infections. Payments were made via credit card until the credit card companies cracked down on these fraudulent transactions. The next threat was the screen locker, which locked a victim out of their device until a payment was made. These methods usually claimed to have evidence of the victim viewing pornography, or to have encrypted the victim’s files.

By 2016, ransomware was mainly targeting businesses, enabling the actors to demand bigger one-off payments instead of lots of smaller payments.

The techniques are not new

Cyber extortion itself is not new and has previously included email extortion, distributed denial-of-service (DDoS) extortion and data extortion attacks.

Email extortion is one of the most prolific and longest-standing forms of cyber extortion, mainly because all the threat actor needs are leaked passwords or contact details. These actors typically send an email to the victim containing one piece of legitimate personal information and claim that the victim was infected with malware, which allowed the actor to acquire more damaging information. The actor then demands a ransom payment in order to keep the information from being sent to the victim’s friends, family or colleagues.

A slightly more sophisticated version of this technique came with the emergence of DDoS extortion. In 2014, businesses started to receive emails claiming that they would be subject to a DDoS attack to take down their services if the business did not pay the demanded ransom amount. Some actors even launched a DDoS attack before the threat to prove they could follow through, though for many just the threat was enough.

The next step was ransomware that exfiltrated data from corporate networks. The actor offers to “sell back” the data to the respective victims, threatening to sell it to interested parties if the victim refuses to pay.

Cyber Extortion with Ransomware

Organizations started restoring from backups to avoid paying ransom, so the threat actors needed to step it up by leaking compromised data.

In May 2019, CrowdStrike Intelligence discovered an image on the Tor hidden service hosted by the actors to establish communications with their victims. The image contained sensitive information allegedly taken from a network. The threat actors followed with further communications stating they would remove all collected information if the ransom was paid by a specified deadline. Although this attempt was not successful, it was one of the first instances of data extortion used to incentivize ransom payment. It led to many more threat actors leaking data to ‘incentivize’ victims to pay ransoms – and they were more successful.

What can you do to protect yourself?

Nothing is foolproof, but the more you do, the lower the chance of an attack and the better your chance of surviving one if you do get attacked.

  1. Make sure your cyber insurance policy covers Double Extortion attacks. All organizations should assess the risk and have an insurance policy in place that covers losses incurred in a ransomware attack.
  2. Make Zero Trust part of your cyber strategy. Zero Trust reduces the attack surface. Secure your entire attack surface by closing the entry points to threats.
  3. Have a plan and test it. Prepare for a double ransomware scenario, make sure everyone knows about the plan, and test it robustly.

activereach have teamed up with Guardicore to improve your security posture against ransomware. For more information on how Micro Segmentation can help with a Zero Trust model, visit our solutions page, contact us or call 0845 625 9025.