‘Name-and-shame’ ransomware attacks increasing in prevalence

At least a tenth – and possibly more – of all ransomware attacks are now thought to include a so-called double extortion threat to intentionally leak the victim’s sensitive exfiltrated data, further blurring the lines between a ransomware attack and a full-on data breach, according to Emsisoft’s Malware Lab.

The name-and-shame tactic is thought to have been first adopted by the cyber criminal group behind the Maze ransomware in late 2019, and is now being used increasingly as a means to extort more money from the victim – and possibly as a means to draw more widespread attention to the incident – as happened with the recent Sodinokibi/ReVIL attack on the systems of a prominent law firm.

Indeed, Emsisoft’s researchers said that organisations working in the financial services, healthcare and legal sectors were most at risk of falling victim to such tactics, as they are increasingly perceived as organisations that have the most to lose from their data being leaked, and are therefore more likely to pay.

Emsisoft dug into numbers available on the ID Ransomware checking service, and found that out of a total of 100,101 reports of ransomware attacks on both businesses and public sector bodies made from 1 January to 30 June 2020, 11,642, or 11.6%, were by groups that steal and publish data, such as Maze.

The implications of the growth in this type of cyber attack are severe because it increases the risk that victims will find themselves subject not just to the costs of disaster recovery, but also regulatory or legal penalties, reputational damage, loss of competitive information and more.

Emsisoft said that double extortion attacks – which it is terming exfiltration and encryption (E+E) – also open a path for future attacks because the stolen information could be used to phish employees, clients, business partners, or conduct business email compromise (BEC) attacks. The consequences for public sector victims could be worse still, and it’s thought this is already happening – of 60 US public sector organisations impacted by ransomware in Q1 and Q2 data, 8% had data stolen.

The firm said that even if initial investigations into ransomware attacks do not turn up evidence that data had been exfiltrated, it’s wise to assume it will be, and to notify potential victims down the line with speedy and honest disclosures, and not by issuing statements asserting no data has been lost.

According to Emsisoft, E+E attacks are likely to become standard practice in short order, further increasing the risks and costs of ransomware attacks to their victims.

Exactly how an organisation responds to a ransomware attack is a matter for its leadership – many do choose to pay up, but going down this path can have dangerous consequences. It’s far better to be prepared by taking a number of steps to prevent ransomware from infecting the network in the first place, or to limit its impact.

These include backing up all organisational data and files with air-gapped storage if possible; training employees in how to spot attacks, such as phishing emails, that may contain ransomware; limiting user access to essential tools, limiting the chances of ransomware encrypting other systems; maintaining up-to-date, signature-based protections; and implementing threat prevention and detection services.