No one saw it coming, but cybercrooks are starting to publish sensitive data to taunt victim organizations to pay up.

Cybersecurity researchers have spotted a rising trend in a new ransomware tactic.

In what they call “double extortion”, the tactic involves threat actors adding an additional stage to a ransomware attack: prior to encrypting a victim’s database, hackers will extract large quantities of sensitive information, and then threatening to publish it unless ransom demands are paid. This double threat will place more pressure on victims to meet the ransom demands.

To prove the validity of the threat, threat actors leak a small portion of sensitive information to the dark web, dangling intimidation that more is to follow if ransom goes unpaid.

The “Double Extortion” genesis

According to Check Point Research, the first published case of double extortion took place in November 2019 and involved Allied Universal, a large American security staffing company.

When the victims refused to pay a ransom of 300 Bitcoins (approximately US$2.3m), attackers, who used “Maze” ransomware, threatened to use the sensitive information extracted from Allied Universal’s systems, as well as stolen email and domain name certificates, for a spam campaign impersonating Allied Universal.

To prove their point, the attackers published a sample of the stolen files including contracts, medical records, encryption certificates and more. In a later post on a Russian hacking forum, the attackers included a link to what they claimed to be 10% of the stolen information as well as a new ransom demand that was 50% higher.

Since then, Maze has published the details of dozens of companies, law firms, medical service providers and insurance companies who have not given in to their demands. It is estimated that many other companies avoided publication of their sensitive data by paying the ransom.

How the attack process works

This is the general sequence for a double extortion ransomware attack:

  1. Threat actor gains entry into a victim’s network
  2. Threat actor extracts sensitive data, such as customer details, financial and employee details, patient records, and more
  3. Threat actor encrypts the files and demands ransom from victim
  4. Threat actor threatens leak of gathered sensitive data
  5. To prove validity of threat, threat actor leaks small portion of extracted information to dark web

Cybercriminal groups have followed the new double extortion tactic, opening their own sites to publish and leak stolen information as a means to apply additional pressure on their victims to pay ransom. Attackers utilizing Sodinokibi ransomware (aka REvil) published details of their attacks on 13 targets, including proprietary company information stolen from their targeted organizations. The National Eating Disorders Association was the most recent in the list of victim organizations.

Additional attacks that have joined the trend include Clop ransomware, Nemty, DopplelPaymer and more. Information published on these sites was soon found to be offered for sale by the ransomware group itself or by other criminals who collected the data from the dumpsites.

Hospitals are in their sights

Check Point Research is issuing caution to hospitals, given that their exposure to the current pandemic makes them prime targets for ransomware attacks.

Since 2016, ransomware attacks have affected more than 1,000 health care organizations in the United States alone, with costs totaling more than US$157m. according to a recent analysis.

In 2017, dozens of British hospitals and surgeries were affected by ransomware known as WannaCry, which resulted in thousands of canceled appointments and the closing of some accident and emergency departments. In 2019, several US hospitals had to turn away patients after another spate of ransomware attacks.

In the ongoing fight against constantly-evolving ransomware tactics, the best defence is to prevent becoming a victim in the first place. Check Point has previously detailed its best practices to help businesses avoid being a ransomware victims:

  • Back up data and files
  • Train employees to recognize potential threats
  • Limit access to only those who need it
  • Keep signature-based antivirus software updated
  • Implement multi-layered security

Lotem Finkelsteen, Manager of Threat Intelligence, Check Point Software Technologies, notes that: “Double Extortion is a clear and growing ransomware attack trend. We saw a lot of this in Q1 of 2020. We’re especially worried about hospitals having to face this threat. With their focus on coronavirus patients, addressing a double extortion ransomware attack would be very difficult. We issue caution to hospitals and large organization, urging them to back up their data and educate their staff.”