Ransomware actors have been a continuous threat to organisations for years, and the scale of the attacks keeps advancing. In the last twelve months alone, thirty-seven percent of UK companies have reported a data breach incident to the Information Commissioner’s Office (ICO), with seventeen percent recording more than one incident.
Improving cyber security protection has forced attackers to evolve their strategies, making it harder for businesses to keep control of their assets. Even the motivations of the cyber criminals are changing, moving on from holding organisations to ransom for financial gain to causing as much disruption as possible, including large scale shutdowns of life-critical services.
Earlier this year, we saw a halt in services for Colonial Pipeline in the US due to a ransomware attack that forced the private company to pay an estimated $5 million in Bitcoin to regain control and continue services. In the same month, Ireland’s Health Service Executive was put under pressure to deliver a ransom fee of $20 million in order to save their patients personal data going public. Even after an agreement was made, 520 records still made their way onto the dark web.
This is where the evolution of ransomware attacks has come to. Rather than just encrypting data and holding the owner to ransom, double extortion ransomware involves the attacker exfiltrating the data first, rendering standardised data backups and data recovery plans obsolete. Criminals have found another avenue for extortion, so how can organisations overcome this new threat?
Double-extortion ransomware: What is it and how real is the threat?
Double-extortion ransomware allows criminals to not only demand a ransom for the stolen data, but also use it as a faux pledge to keep it from being released publicly. If the ransom is not paid in the timeframe required, criminals will publish it for all to see, including possible competitors.
They threaten a public and/or customer “name-and-shame” campaign if you don’t pay up and, according to Emisoft research, the number of cybercriminals adopting the “name-and-shame” tactic is growing. The research found that out of 100,101 received reports of ransomware attacks on both businesses and public sector bodies, 11.6 percent of those were by groups that steal and publish data in “name-and-shame” style attacks.
There is also a growth in crimeware-as-a-service by nation-state actors, which are increasingly adding to geopolitical tensions. Nation-states are buying tools and services from the dark web, while tools developed by nation-states are also making their way onto the black market.
So, how can organisations overcome this growing threat?
Doubling down on a data recovery plan
For an attacker to be successful in extorting a ransom, they must first make sure recovering useful data is impossible, otherwise they run the risk of decision makers failing to pay up. So, they disable or destroy backups, making it near on impossible to recover any valuable data. Then, they turn their hands to the available production data.
By developing a dedicated compromised data risk management plan, businesses are able to improve their odds and make recovering cyber compromised data far more likely compared with if they were to use a standardised data recovery process. Ransomware demands have never been higher and readying an organisation requires rethinking existing data recovery plans.
To address these recurring challenges, organisations need to plan for the five most critical steps to recovering damaged data:
- Identify ― Identifying and justifying the organisation’s Vital Data Assets (VDA). This is the data that requires an additional level of protection. It’s the businesses must-have data.
- Protect — Capabilities to improve the odds that you will have current clean data to restore, for example a failsafe copy that is safe from a cyberattack.
- Detect ― Identifying vulnerabilities of weaknesses in your controls that can increase the organisation’s risk of access to its VDA’s.
- Respond — The plans, the processes, the procedures to be followed in the aftermath of a successful data compromising event.
- Recover ―The rehearsals, tests, and exercises that prepare the teams for this eventuality.
Ensuring the plan works
All organisations are susceptible to zero-day attacks. The constantly evolving tactics of cyber criminals mean that detection and prevention tools that already exist are unable to keep up and alert those who are in danger of losing data. On top of outside threat actors, every organisation is susceptible to internal threats such as a disgruntled employee with privileged access to the network. In spite of awareness training, human error is still a risk and network access is only one accidental embedded link click away.
Ultimately, it’s up to each organisation to look at the big picture, based on their unique points of view and the perspectives that inform it. The threat of a ransomware attack is significant, but one that is capable of destroying brand reputation and customer trust could be even more business critical. Before a successful double-extortion ransomware attack forces an organisation to act, they should have briefed the entire business as well as working closely with executive management on which data should be the priority during a recovery mission. Only then can businesses be prepared enough to ensure they have time to act before a ransomware attack takes control.