Blog

In parallel with Internet and technology development, there is an increase in cyberattacks. Each time, cybercriminals develop new, more complex and dangerous ways to use networks and servers. Double extortion ransomware attacks first appeared in 2020. Now it’s a serious threat to the largest companies and organizations. Its actions can lead to devastating consequences. Therefore, to ensure the safety of the company is a high priority.

Ransomware is malware that steals data, encrypts it, and then demands a ransom for it. The ransom amount can range from hundreds to millions of dollars. Basically, the payment of the ransom is required in cryptocurrency.

Learn more about ransomware here

Double ransomware extortion is a new level of «traditional» ransomware attack. In this case, the cybercriminal also uses the victim’s data, files, server, etc., encrypts them and demands a ransom for them. However, in the double extortion case, the cybercriminal threatens to publish/sell the victim’s sensitive data on the dark web if the ransom is not paid within the specified time frame. Backups can help in the matter of data recovery, but the damage from getting confidential information to the dark web doesn’t reduce.

Typically, attackers target medical facilities, schools and other educational institutions, legal organizations, etc., where a large amount of confidential information is stored. The compromise of such data can completely destroy both organizations and people. This is what makes double extortion attacks so dangerous.

Ways to gain access to confidential data:

• Phishing attacks;
• Malicious software;
• Exploitation of vulnerabilities;
• Brute force attacks;
• Data leakage;
• Theft of credentials;

The most popular programs for double-ransomware extortion are:

1. Netwalker Ransomware – malware for the Windows operating system that encrypts and moves data and requires a ransom;
2. Egregor Ransomware – the program breaks into confidential data, encrypts it and demands a ransom payment for it within 3 days. Also, some of the data is published on the darknet as evidence that criminals have data;
3. Ransomware as a service (RaaS) is a subscription-based ransomware model for affiliates. Partners use a set of tools to carry out an attack, and if successful, receive a percentage of the ransom;
4. Sodinokibi (Ransomware Evil) – ransomware that encrypts data and then deletes the ransom message;
5. Conti – a rather dangerous type of attack due to the speed of encryption, it spreads very quickly and infects other systems.

The sequence for performing a double ransomware attack is:

• Gaining access to the victim’s system;
• Investigation of the network by an attacker for confidential data;
• Data extraction;
• Deployment of ransomware on the victim’s system;
• Data encryption;
• Denial of access to data by the victim;
• Requirement and conditions of ransom;
• If a ransom is paid, the data must be returned to the owner and access granted;
• If the ransom is refused, the data is sold or destroyed.

Cybercriminals don’t follow ethical norms and rules. If the victim refuses to pay the ransom, there will definitely be consequences. But even if the ransom is paid on time, there is no guarantee that the data will be fully and safely returned to the legal owner. Attackers don’t care whose lives or companies they destroy. They have their own interest, which must be satisfied.

How to prevent this type of attack:

• Implementation of a zero-trust architecture (applications, websites, emails, links must go through a strict authentication process);
• Application and compliance with security protocols and policies;
• Ensuring security and regular updating of software and protocols;
• Training of users to understand the essence of the attack, its devastating consequences and influence at the company and the individual employee, possible ways to prevent attacks, etc.;
• Implementation of comprehensive solutions to protect against ransomware attacks.