In parallel with Internet and technology development, there is an increase in cyberattacks. Each time, cybercriminals develop new, more complex and dangerous ways to use networks and servers. Double extortion ransomware attacks first appeared in 2020. Now it’s a serious threat to the largest companies and organizations. Its actions can lead to devastating consequences. Therefore, to ensure the safety of the company is a high priority.

Ransomware is malware that steals data, encrypts it, and then demands a ransom for it. The ransom amount can range from hundreds to millions of dollars. Basically, the payment of the ransom is required in cryptocurrency.

Learn more about ransomware here

Double ransomware extortion is a new level of «traditional» ransomware attack. In this case, the cybercriminal also uses the victim’s data, files, server, etc., encrypts them and demands a ransom for them. However, in the double extortion case, the cybercriminal threatens to publish/sell the victim’s sensitive data on the dark web if the ransom is not paid within the specified time frame. Backups can help in the matter of data recovery, but the damage from getting confidential information to the dark web doesn’t reduce.

Typically, attackers target medical facilities, schools and other educational institutions, legal organizations, etc., where a large amount of confidential information is stored. The compromise of such data can completely destroy both organizations and people. This is what makes double extortion attacks so dangerous.

Ways to gain access to confidential data:

• Phishing attacks;
• Malicious software;
• Exploitation of vulnerabilities;
• Brute force attacks;
• Data leakage;
• Theft of credentials;

The most popular programs for double-ransomware extortion are:

1. Netwalker Ransomware – malware for the Windows operating system that encrypts and moves data and requires a ransom;
2. Egregor Ransomware – the program breaks into confidential data, encrypts it and demands a ransom payment for it within 3 days. Also, some of the data is published on the darknet as evidence that criminals have data;
3. Ransomware as a service (RaaS) is a subscription-based ransomware model for affiliates. Partners use a set of tools to carry out an attack, and if successful, receive a percentage of the ransom;
4. Sodinokibi (Ransomware Evil) – ransomware that encrypts data and then deletes the ransom message;
5. Conti – a rather dangerous type of attack due to the speed of encryption, it spreads very quickly and infects other systems.

The sequence for performing a double ransomware attack is:

• Gaining access to the victim’s system;
• Investigation of the network by an attacker for confidential data;
• Data extraction;
• Deployment of ransomware on the victim’s system;
• Data encryption;
• Denial of access to data by the victim;
• Requirement and conditions of ransom;
• If a ransom is paid, the data must be returned to the owner and access granted;
• If the ransom is refused, the data is sold or destroyed.

Cybercriminals don’t follow ethical norms and rules. If the victim refuses to pay the ransom, there will definitely be consequences. But even if the ransom is paid on time, there is no guarantee that the data will be fully and safely returned to the legal owner. Attackers don’t care whose lives or companies they destroy. They have their own interest, which must be satisfied.

How to prevent this type of attack:

• Implementation of a zero-trust architecture (applications, websites, emails, links must go through a strict authentication process);
• Application and compliance with security protocols and policies;
• Ensuring security and regular updating of software and protocols;
• Training of users to understand the essence of the attack, its devastating consequences and influence at the company and the individual employee, possible ways to prevent attacks, etc.;
• Implementation of comprehensive solutions to protect against ransomware attacks.

The number of cyberattacks in recent years has been continuously increasing. Its victims are individuals or organizations with a poor cybersecurity system. There is no area that cybercriminals have not affected: medicine and healthcare, government, finance, culture, manufacturing, insurance, etc. Any company anywhere in the world can become a victim.

The first place in the popularity of cyber-attacks is the ransomware attack. There were approximately 623 million incidents in 2021. A reliable information security system, as well as an understanding of such programs operation principles, can reduce the risks of infection and the consequences.

Ransomware is malware that aims to steal and encrypt files, sensitive data, or personally identifiable information. File recovery is possible with the help of a special decryption key. Cybercriminals use extortion tactics to force the victim to pay the ransom. The data is held by cybercriminals as collateral until the victim pays a set ransom for it. Poor security and unpatched vulnerabilities are bait for attackers. This gives them the ability to access the network and inject ransomware-laden malware onto the victim’s computer or mobile device. As a ransom, cybercriminals began to ask for cryptocurrency (for example, bitcoin) more often. Such a payment system is known for its ability to hide financial activities. Tracking ransom payments is difficult, but still possible. Ransomware is especially dangerous and destructive for those organizations that depend on encrypted data to carry out their day-to-day activities.

Types of ransomware:

• Crypto/Encryptors are the most common type of ransomware. They encrypt all target data, and after they require a decryption key to unlock;
• Lockers – the program completely blocks the device and prohibits its usage. Often, a ransom notice and conditions are displayed on the lock screen;
• Scareware – the program simulates a problem with a computer (detection of a virus, malware etc.) and directs the user to a special page to solve this problem, where personal information is stolen;
• Doxware/Leakware – the program threatens to publish confidential information on the Internet and tricks the victim into paying a ransom to prevent it.

How you can get infected with ransomware:

1. 1. Phishing emails are the main cause of infection. It occurs by opening or downloading malicious attachments (pdf, .exe applications, Word documents, .zip files, etc.), following infected links that lead to a malicious website (spyware, trojans, keyloggers). Also, the attack can be carried out using a series of SMS messages with an image or a link to a website where you need to enter confidential information.
2. Infected web pages are used to distribute malware. By clicking on a link or going to an unverified site, the user runs the risk of automatically starting the ransomware download process. Users should practice safe web surfing and also check the spelling of the URL. A decoy site can be identified by a misspelled address that mimics a legitimate site. If you’re not sure, don’t go.
3. Malicious advertising is malware that is disguised as false advertising in the legal space. Legitimate advertising spaces can contain malicious ads and look like a real banner. Such an ad causes ransomware to be downloaded when clicked. The user should be careful with ads about free offers, message notifications, videos, animations, adult images.
4. Attack on the Remote Desktop Protocol (RDP – a feature of Microsoft Windows that allows users to remotely connect to another network or server). An RDP attack is characterized by a hacker infiltrating a system, attempting to steal data or install malware.
5. Social engineering – attackers impersonate legitimate representatives (law enforcement, support services, etc.) to force the victim to «accidentally» reveal personal or confidential information. Such an attack can be carried out through emails, text messages, phone calls, online chat, and social networks. After obtaining the necessary information from the victim, the attackers use it to launch a larger cyberattack.

How to prevent ransomware attacks:

1. Creating a backup copy of data and storing it on an external hard drive or on a cloud server;
2. Updating systems and applications – outdated systems and applications with old security protocols can lead to ransomware infections;
3. Installation of anti-virus software and firewall;
4. Protection of all endpoints – one vulnerable endpoint can infect the entire network. Consider installing EPP or EDR;
5. Network segmentation – it is much more difficult for a cybercriminal to cover the entire network of a company if it consists of several small ones;
6. Expedient access management within the company;
7. Regular security testing;
8. Training of staff in cybersecurity.

The number of ransomware attacks is constantly rising. According to the research, the number of such attacks in 2021 has doubled. Eastern European countries are the most targeted region for such attacks. Their share is 55% of the total number of malware infections.

Ransomware is malware that encrypts victim’s files, databases, and programs for purpose of ransom. After infection the victim receives a message about the possibility of data decrypting by paying a ransom. Usually, the ransom is paid in cryptocurrency. Ransomware can also use the «triple ransomware» technique, that helps them to create a «digital hostage». That is, a cybercriminal receives victim’s data copies before the encryption process, that they later threaten to make public if the victim refuses the ransom.

Ransomware as a Service (RaaS) is a subscription-based model. This model allows affiliates to use ransomware tools to carry out an attack. From each successful attack and paid ransom, partners receive a percentage. RaaS (Ransomware-as-a-service) proved to be an effective way to increase profits,  helped transform digital ransomware into a successful and prosperous business.

RaaS is built on the principle of SaaS (software as a service) that makes it even easier to carry out an attack. Like SaaS, RaaS does not require special skills and experience from users. Even inexperienced hackers can carry out sophisticated cyberattacks. RaaS software has a high probability of successful penetration and a low probability of detection. The low technical entry barrier and huge earning potential make RaaS solutions popular that increases the number of victims.

RaaS solutions bring high dividends to partners. Users can register with a one-time payment, as well as with a monthly subscription. They are provided with documentation with step-by-step instructions for launching attacks. Some distributors provide a dashboard to track the status of each ransomware attack. Attracting partners takes place on the dark web.

Most hacks happen through phishing attacks (a method of stealing confidential information). An email is sent to the victim that contains a link. By clicking on this link, the victim unknowingly activates a malware downloading. Email looks very convincing, so more often the victim is led to a provocation.

Once downloaded, ransomware disables firewalls and antivirus programs, and may also initiate additional components downloading. Thus, the malware can spread freely and silently, and encrypt the victim’s files, making them inaccessible. With the end of the attack, the extortion begins. The victim receives a TXT file containing the ransom text in exchange for a decryption key. Cybercriminal can also threaten the victim to publish the data on the dark web if the payment is not made within the agreed timeframe.

Since the darknet is a criminal network, any information leak can provide free access to confidential data and customer data. Such consequences force a victim to obey cybercriminal demands. Payments are made through the darknet using a special payment gateway.

The best defense against ransomware attacks is a combination of staff training, security measures, and ongoing system monitoring for vulnerabilities.

Recommendations to protect ransomware:

• Control of all requests for connection to endpoints, installation of verification processes;
• Staff training on how to detect phishing attacks, social engineering training;
• Configuring DKIM and DMARC to prevent criminals from using the domain for phishing attacks;
• Vulnerabilities monitoring and elimination;
• Monitoring the security status of partners to prevent hacking by third parties;
• Regular backup;
• Use of anti-virus and anti-malware solutions.