Chris Harris explains what double extortion ransomware is, explores the growing challenge that it poses for businesses, and looks at prevention tactics that can be implemented as part of a zero trust approach to cyber security.
Ransomware perpetrators are increasingly adopting more sophisticated tactics, and in a cost-of-living crisis, they’re more motivated than ever to strike for financial gain. According to a recent market study (1), 71 percent of individuals surveyed said double and triple extortion tactics have grown in popularity over the last 12 months, and 65 percent agree that these new threats make it tougher to refuse ransom demands.
These attacks have also become much more dangerous as they have evolved beyond basic security defenses and business continuity techniques like next-gen antivirus and backups. However, perhaps more concerningly, there is a knowledge gap with many businesses not yet aware of these double and triple extortion ransomware tactics in the first place, let alone how they impact their data protection strategies.
With a knowledge gap comes a security gap, with businesses not sufficiently clued up on how to prevent or deal with double and even triple extortion attacks when they arise, and without the infrastructure in place to mitigate attacks. In fact, 72 percent agree that ransomware attacks evolve quicker than the security controls required to protect against them, meaning businesses are one step behind and are continually playing catch up.
The threat of double extortion ransomware
To pay or not to pay?
According to Thales’ 2022 Thales Data Threat Report, which surveyed nearly 2,800 respondents across 17 countries, 21 percent of all respondents have experienced a ransomware attack, and 43 percent of whom were significantly impacted. When asked to rank their top threats, more than 60 percent ranked malicious insiders with financial motivations among their top four.
Under such circumstances, 22 percent said they have paid or would pay ransom for their data. On top of this hefty payout, wider business recovery doesn’t come cheap either – lost productivity, recovery costs and breach notifications are rated as having the greatest financial impact by 19 percent, 18 percent and 16 percent of the respondents respectively.
Paying the ransom in cases of double extortion is not a guaranteed quick-fix; even if you pay, there’s still a risk that the perpetrators will keep coming back to ask for more money because they will still have your data at their disposal. According to Checkpoint’s Ransomware Study, 18 percent of the businesses that paid the ransom still had their data exposed on the dark web. 35 percent of the victims who paid the ransom were unable to get their data back.
Data: a valuable commodity
Already-exfiltrated sensitive data constitutes one of the most concerning risks that this breach tactic poses. Once in criminals’ hands, ransomware gangs may become aggressive and divulge the data breach to the victim's customers, revealing that their sensitive personal or financial data was compromised. With privacy and data security a top priority for many citizens nowadays, revelations of this type create a wave of distrust and fury. In fact, compromised data lends the risk of damaging relationships with clients to the point where contracts and partnerships are ended, and they often push formerly loyal customers to the point of no return; it’s incredibly difficult to re-establish trust post-breach.
Preventing double extortion ransomware
Governments have already taken steps to help businesses mitigate the threat of ransomware attacks. But that does not mean ransomware is going to conveniently fade away. Businesses need to take their security into their own hands. By prioritising these security steps, businesses can optimize their ransomware protection tactics:
- Develop a ransomware recovery plan that covers not only the availability of your systems and data, but also how to deal with the exfiltration and public exposure of that data. It’s not just about prevention, but about preparedness for when a successful breach does occur.
- Ensure your teams are properly prepared and resourced to securely build, deploy, and manage their systems with appropriate defenses to minimize the ability for ransomware gangs to get a foothold in the enterprise.
- Invest in security awareness training to familiarise personnel with common ransomware attack vectors such as phishing, social engineering, and how to recognise and securely handle sensitive data.
- Protect sensitive data against ransomware attacks through the discover, protect, and control paradigm.
- Leverage vulnerability management programs to prioritise and address security vulnerabilities that hostile actors could exploit to drop ransomware on businesses' systems.
- Ensure sensitive data is already encrypted. In which case, even if the attacker exfiltrate’s the sensitive data, it will be of no use to them if it indecipherable to anyone outside the controlled environment without appropriate encryption keys.
- Keep the encryption keys for said encrypted data in secure, tamper-proof key management hardware so they cannot be extracted.
- Take a look at how and where your sensitive data is stored and protected in the first place. As per Thales’ Data Threat Report 2022, only 56 percent of respondents were very confident or had complete knowledge of where their sensitive data was being stored, and only 25 percent of respondents said they could actually classify all of their data.
These measures should be viewed in the broader context of a zero trust approach to cyber security, where businesses should hope for the best but prepare for the worst by ensuring they have an effective ransomware plan in place. Secure human identities and machine identities are the foundation for limiting the chances of a ransomware actor gaining access to our sensitive data. In this regard, ransomware preparedness and secure key management are essential to protecting against double extortion ransomware attacks.
Chris Harris, EMEA Technical Director at Thales
- Venafi global survey of IT decision makers on the use of double and triple extortion in ransomware attacks.