Double-extortion: an evolution of ransomware
We have previously reported both on the increase in the number of ransomware incidents, and sophistication of those incidents over the past 12 to 18 months. The proliferation of “double-extortion” incidents has been of particular concern, which can make the payment of an extortion demand more compelling for an affected business or result in multiple extortion demands.
A double extortion ransomware incident is where a threat actor implements multiple measures to demand the payment of a ransom. This most commonly occurs when that threat actor encrypts the data held on the systems of an affected business and then also exfiltrates what it has identified as the most sensitive of that data.
As a result, businesses that can recover their encrypted data and systems from backups or other redundancy mechanisms, and would not otherwise entertain paying a ransom, are now forced to think twice, as the threat actors then threaten to release the sensitive data they have exfiltrated.
Threat actors have also used double extortion techniques to make additional ransom demands after receiving payment of an initial ransom. This is particularly where an affected business pays a ransom to decrypt its impacted systems not knowing that data had also been exfiltrated. The threat actors then inform the business of the exfiltration and then threaten to publish the data online or use the exfiltrated data to inform clients of business about the incident. Either prospect will naturally have serious consequences for any impacted business.
Of course, even if a ransom is paid, there is no guarantee a threat actor will follow through with its promise to delete exfiltrated data once it receives payment, and businesses are generally unable to verify that exfiltrated data has been deleted.
With double extortion ransomware increasingly becoming standard practice of cyber crime groups, businesses need to look beyond simply having sound backup and redundancy measures in place to protect their data and systems.
Various proposed initiatives that have been canvassed may assist. For example, the Ransomware Payments Bill 2021 recently introduced to the Federal Parliament, which proposes that most entities (excluding small businesses, sole traders, unincorporated entities and charities) be required to notify the Australian Cyber Security Centre of a ransomware payment, may assist other businesses being targeted by the same threat actor.
However, businesses ultimately need to do more to improve their cyber resilience and we expect future legislative reforms will focus on improving general cyber security standards. Businesses should understand the data they hold and identify that which is most sensitive and critical (which goes well beyond examining personal information held). Appropriate steps then should be taken to protect that data, which includes having additional measures in place to limit the prospect of that data being exfiltrated.
There are many other matters businesses should consider when evaluating their cyber security, which is increasingly and rightfully an identified risk of key concern.
If you need assistance to review your cyber resilience, or to deal with a cyber incident, we can assist with a range of services and expertise.