Double Extortion Ransomware – Threat Detection Expert Comments

Attackers want to get paid so they are looking for whatever possible leverage they can find. Combining the business shutdown impacts of encrypting files through ransomware with the threat of data being leaked publicly increases urgency and reduces options for the victim. The scheme described in this research also highlights the increase in sophistication of attacker tools. Whereas historically malware tended to be fairly single purpose and disposable, modern malware much more resembles an attacker operating system with many different services and tools for accomplishing a wide range of attacks. An analogy would be the simple operating that is in your microwave which has a single purpose - heat your food - versus the sophisticated operating system on your laptop which plays sound, plays video, creates files, communicates with the internet. When an attacker compromises a computer with modern, modular malware they now have a slew of tools at their fingertips. They can execute a ransomware attack while at the same time traversing the network and exfiltrating data. This allows them to combine attacks and increase the likelihood of accomplishing their objectives. Chris offers the following timeline of how Red Canary has observed ransomware evolve over the last 7 years since it was first seen: Phase 1 - 2013 (Cyptolocker, Cryptowall, Locky, TelsaCrypt and others) - attacker tries to just ransom high value targets (e.g. get the CEO's laptop) and charge large ransoms in hopes there was unrecoverable data so the company had no choice but to pay. Phase 1a - 2016ish (SamSam, others) - attacker does the same thing as above but tries to spread to as many computers in a high-value target company to extort a larger ransom. Phase 2 - 2017 (WannaCry, NotPetya, etc.) - commoditization/scaleout of ransomware. Less targeting, attempting to get small ransoms from a huge number of individuals and companies. Phase 3 - 2018 (Emotet/Trickbot/Ryuk trifecta, Maze) - combination of tactics in 1/1a with more traditional data stealing/extortion tactics. Ransoms go up a lot because of the compound damage of business being offline with data theft. Phase 4 - (the future) Note that these phases don't end, they overlap. So Phase 1 and 2 is still very active while attackers have ramped up Phase 3.  Read Less