Why stop at ransoming a main victim and stealing sensitive data when you can also extort the victim’s entire supply chain?

The USA’s FBI recently announced that a professional cybercriminal group called DarkSide was responsible for the ransomware attack on the Colonial Pipeline network.

DarkSide is part of a trend of ransomware attacks that hit systems the security community rarely sees targeted, such as VMware ESXi servers. This has led to suspicions that the ICS (industrial control systems) network was involved. DarkSide ransomware is known to have been deployed in numerous targeted attacks, including against other oil and gas companies such as Forbes Energy Services and Gyrodata.

Following other large-scale attacks, such as the one on the city of Tulsa and the REvil ransomware group's attempt to extort Apple, it is clear that ransomware is a major concern globally. Yet there is a real lack of action by organizations in preparing for incidents, or even in trying to protect themselves in the first place.

The threat of triple extortion
Since the onset of the pandemic, double extortion ransomware attacks have become increasingly common. While not all incidents (and their outcomes) are disclosed and published, statistics collected by Check Point Research during 2020-2021 reflect the prominence of the attack vector.

The average ransom payment seen in Check Point's telemetry has increased by 171% over the last year and now stands at approximately US$310,000. Over 1,000 companies suffered data leakage after refusing to meet ransom demands in 2020, and about 40% of all newly discovered ransomware families incorporated data exfiltration into their attack process. The numbers reflect a golden attack technique that combines a data breach with a ransomware threat, and it is clear that attackers are still seeking ways to improve both their ransom payment rates and the efficiency of their threats.

Prominent attacks at the end of 2020 and the beginning of 2021 point to a new attack chain: an expansion of the double extortion technique that integrates an additional, distinct threat into the process, known as Triple Extortion.

The first notable case is the Vastaamo clinic attack, in which not only the healthcare provider but also its patients were individually extorted by email. On a wider scale, in February 2021 the REvil ransomware group announced that it had added two stages to its double extortion scheme: DDoS attacks and phone calls to the victim's business partners and the media.

These are part of the group's new arsenal, which includes DDoS attacks and voice-scrambled VoIP calls to journalists and the victim's colleagues, offered as a free service to its affiliates and aimed at applying further pressure on the victim's company to meet ransom demands within the designated timeframe.

Ransomware: getting personal

It seems that even when riding a wave of success, threat groups are in a constant quest for more innovative and more lucrative business models. We can only assume that creative thinking and careful analysis of the complex dynamics of double extortion ransomware attacks led to the development of this third extortion technique.

Third-party victims, such as the company's clients, external colleagues and service providers, are heavily affected and damaged by the data breaches these ransomware attacks cause, even when their own network resources are not targeted directly, according to Check Point researchers.

Whether or not further ransom is demanded from them, these third parties are powerless in the face of such a threat and have a lot to lose should the incident take a wrong turn. They are a natural target for extortion, and may well end up on the ransomware groups' radar from now on.