zephyr_p - stock.adobe.com

Check Point sounds alarm over double extortion ransomware threat

Researchers say double extortion ransomware attacks are likely to increase in frequency, and warn organisations to be on guard

Hospitals and enterprises alike should double their guard against the developing threat of so-called double extortion attacks, a new kind of ransomware attack in which cyber criminals seek additional leverage to ensure their victims pay up.

A double extortion attack is very similar to a traditional ransomware attack, but incorporates an additional stage. Before encrypting their victim’s data, cyber criminals will exfiltrate it from the organisation and threaten to leak it unless ransom demands are met, placing extra pressure on their victims.

Often, to prove the validity of their threat, the attackers will leak a small amount of sensitive information onto the dark web.

“Double extortion is a clear and growing ransomware attack trend,” said Check Point threat intelligence manager Lotem Finkelsteen. “We saw a lot of this during Q1 2020. With this tactic, threat actors corner their victims even further by dripping sensitive information into the darkest places in the web to add weight to their ransom demands.

“We are especially worried about hospitals having to face this threat. With their focus on coronavirus patients, addressing a double extortion ransomware attack would be very difficult. We are issuing a caution to hospitals and large organisations, urging them to back up their data and educate their staff about the risks of malware-spiked emails.”

The first known case of such an attack was in November 2019 on the systems of Allied Universal, a US-based supplier of security and janitorial services to large enterprises, and involved Maze ransomware.

In this case, the cyber criminals demanded a ransom of 300 bitcoins, about $2.3m, and threatened to use data extracted from Allied Universal, as well as stolen email and domain name certificates, in a spam phishing campaign impersonating it.

The attackers published a number of Allied Universal files, including contracts, medical records and encryption certificates. When this did not work, they posted a link on a Russian hacking forum to what they claimed was 10% of the stolen information and made a new, higher, ransom demand.

Read more about ransomware

  • Purple notice issued to alert police forces around the world of ransomware attacks against hospitals and other healthcare institutions.
  • Following a swathe of high-profile ransomware attacks, the UK’s National Cyber Security Centre has made changes to its guidance, emphasising the importance of offline backups.
  • By subverting kernel memory settings in Windows 7, Windows 8 and Windows 10, the RobbinHood ransomware can now delete cyber security defences from target systems.

Other double extortion attacks involving the criminal gang behind the Maze ransomware have included UK-based HMR, a medical research group, and cyber security insurance firm Chubb. The group has also taken to publishing the details of other victims who have not given in to its demands to try to shame them. Finkelsteen said it was highly probably that many other companies had been turned over, but did pay.

Although clearly pioneered by the group behind Maze, which, as other researchers have noted, have a tendency to showboat and taunt threat researchers, the double extortion tactic is now spreading as other groups catch on to the idea.

Among other cyber criminal gangs adopting the technique is the group behind Sodinokibi, which recently published details of 13 such attacks and information stolen during them, including on the non-profit National Eating Disorders Association (Neda).

The fight against ransomware is ongoing, but as always, the worst impacts are very easy for organisations to avoid by taking a few relatively simple steps.

These include: backing up all organisational data and files using air-gapped storage where possible; educating and training employees in how to spot spam and phishing emails – the most likely vectors for ransomware to hit your network; limiting user access only to the information and resources they need to do their job, which can reduce the chance of a ransomware attack moving laterally throughout your network; maintaining up-to-date signature-based protections; and implementing more advanced threat prevention and detection technologies, preferably incorporating components such as threat extraction for file sanitisation, and threat emulation for advanced sandboxing, both of which can help guard against new and unknown varieties of malware.

Read more on Hackers and cybercrime prevention

Data Center
Data Management