- Sean Peck
The Double-Extortion Paradigm: Ransomware 2.0
The term ransomware has become nearly a household term. The primary concept of most attacks I’ve been involved in remediating is simple: all of your data is encrypted with a key only the bad actor can provide. Traditionally, there have been two options: pay the ransom demand in exchange for a (hopefully) working key, or rebuild using backup datasets. The victim organization either paid or restored everything from backups.
Recent developments in the ransomware arena have been plentiful. Arguably, the largest development has been the introduction of double extortion: before your data is hopelessly scrambled, the bad actor takes copies of key data, or all data, for themselves. This shifts the odds of victims paying the ransom demand by a wide margin.
Let’s say your organization were struck by such ransomware, but you manage to find and restore from suitable backups. When everything has been rebuilt, and secured, all is well, right? Not necessarily.
The bad actor will now typically set a deadline by which if the ransom demand is not paid, the copies of your data that were made will be published to the public Internet for all to see. The effects of this second form of extortion may be more damaging. Victims’ financial data, customer lists, trade secrets, and if you are a contract manufacturer, clients’ data – contracts, specifications, schematic diagrams, all could become public. This exact thing happened to a large contract-manufacturer named Quanta. They make electronics for many major brands – including Apple, Inc., who presumably was not very happy that technical schematics of yet-unreleased products were posted for all to see, likely breaching non-disclosure as well as other critical and very binding contracts.
Merely having good, off-site backups are no longer a foolproof defense against ransomware or other cyber-attacks. It has become crucial to have a solid overall security posture incorporating multiple layers of threat detection, data loss protection, and user education. Anti-virus software just isn’t enough (and has not been for some time) – you need security products that look at behaviors, not just whether a file contains a known snippet of code, since the newest breeds of threats will encrypt themselves, and otherwise evade traditional definition-based detection techniques.
Cyber-attackers are not practicing “black magic” – the initial attack vector could be anything from an unpatched or end of life product, a user clicking on an e-mail attachment or link, visiting a malicious website, using personal devices for business purposes, or conversely, using their issued business devices for personal purposes, or infiltrating an insecure firewall or hosted internet application.
Buckle up. Along the same lines as Software as a Service (SaaS), developers of ransomware and other malicious code are known to offer these as-a-service as well, complete with support services. It no longer takes being a bona-fide hacker with hyper-specialized skills to target and impact organizations. Simply having a desire to make money and a little money to pay the developers of these tools allows someone to stand up a cyber-attack operation in staggeringly little time. The more people that do this, the more prevalent these attacks will become. The more prevalent these attacks become, the more diverse and indiscriminate the targets become. If bad actors have your data, it probably includes your financials, so ransom amounts can be tailored based on this information.
Contact LinkTech today about our best-in-breed offerings bundled into a multi-faceted, tried-and-true, complete security suite.