While we still refer to them as ransomware attacks, such incidents are no longer just about encrypting the files of a targeted victim. Ransomware attacks today are about gaining leverage on someone using whatever means necessary to get paid.
The principle of a double extortion strategy is simple. If the first extortion approach isn’t producing the necessary results, the perpetrators simply proceed to step two and try a different angle. In some cases, ransomware gangs are extending this concept further to triple or even quadruple extortion—whatever it takes in the end.
What’s Different About Double Extortion
In most cases, a double extortion ransomware attack first exfiltrates the target organization's data to an offsite location and then encrypts it within the victim's network. Once both stages of the attack are complete, the attackers issue an initial ransom demand in exchange for a decryption key.
This initial ransom demand, however, is just a starting point. Should the victim refuse to pay or somehow recover the files on their own, the attackers then threaten to release the stolen data to the public. They may sell the data on the dark web or simply release it to whoever wants it.
It’s important to distinguish how these two extortion methods differ. File encryption attacks are about disruption. The more data a ransomware gang can encrypt, the greater the disruption to the organization’s services and operations. The wider the net, the more likely it will result in a higher ransom demand.
This isn't necessarily true for the fallback data-leak extortion threat. In this case it's not about disruption. It usually concerns the threat of embarrassment and a loss of organizational credibility once the data is released. In other cases, it might simply be about selling the stolen data to the highest bidder.
Either way, it’s not about the volume of the data—it’s about the qualitative value of the data and the ability to monetize it.
Risk Analysis
In the movies, the bad guys strive to get the greatest leverage on their victims. It usually involves threatening a family member or loved one to obtain the information they need to complete their objective.
It’s the same with double extortion threats—the personal data of customers, employees, or patients offers the greatest leverage.
The two industries targeted the most for data exfiltration are financial services and healthcare. In the case of the financial industry, a company’s reputation among its customer base is one of its most important assets.
According to a ZDNet report that studied which types of data carry the greatest risk potential, 82% of these incidents involving the financial industry targeted the sensitive data of customers. HR data such as the personally identifiable information of employees was the next most prevalent, at 59%. While intellectual property was low on the priority list in most cases, it was involved in 43% of all incidents involving the pharmaceutical industry.
One reason third-party personal information is so desirable is that it's the easiest to monetize. In addition to the possible embarrassment caused by the data release, attackers can easily sell information such as Social Security numbers on the dark web. They can also use the personal information to launch attacks on the unknowing victims whose data they now possess.
Prioritize Your Data
Because some data is worth more to ransomware gangs than the rest, you need to secure it more tightly than general data. Here are some of the first things to do:
- Segment high-value data from the rest of the network
- Protect that data with an internal firewall
- Restrict access to that data according to the principle of least privilege
Yes, it will take extra effort, but it will pay off big-time when the inevitable attack hits your organization and comes after your crown-jewel data.
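The third item above, least-privilege access to the segmented high-value data, is the one most likely to drift over time as shares are created and permissions are granted ad hoc. The script below is an added example (not part of the original article) of a small audit that checks a set of ACL entries against a written-down policy and reports every grant that exceeds it. The policy, the vault paths, the group names and the ACL entries are all constructed for illustration; in practice the entries would be pulled from the file server or cloud storage and the policy from the data-classification inventory.

```python
"""Least-privilege audit for a segmented high-value ("crown-jewel") data store.

Given ACL entries (path, principal, principal type, rights) and a policy that
says which role groups may read or write each class of sensitive data, report
every entry that grants more than the policy permits.  Everything below is
constructed sample data, not taken from any real environment.
"""
from dataclasses import dataclass
import fnmatch


@dataclass(frozen=True)
class AclEntry:
    path: str
    principal: str
    kind: str                 # "user", "group", or "everyone"
    rights: frozenset         # subset of {"read", "write"}


# Hypothetical policy: for each data class, the path patterns that belong to it
# and the only role groups (prefixed "g:") allowed to read or write it.
POLICY = {
    "customer-pii": {
        "paths": ["/vault/customers/*"],
        "read": {"g:claims"},
        "write": {"g:crm-admins"},
    },
    "hr-pii": {
        "paths": ["/vault/hr/*"],
        "read": {"g:hr"},
        "write": {"g:hr-admins"},
    },
}


def classify(path):
    """Return the data class a path falls under, or None if it is not in scope."""
    for name, rule in POLICY.items():
        if any(fnmatch.fnmatch(path, pattern) for pattern in rule["paths"]):
            return name
    return None


def audit(entries):
    """Return (path, principal, reason) tuples for every grant that violates POLICY."""
    findings = []
    for entry in entries:
        data_class = classify(entry.path)
        if data_class is None:
            continue                      # outside the segmented vault; not audited here
        rule = POLICY[data_class]
        if entry.kind == "everyone":
            # Any world-accessible grant on crown-jewel data is a finding regardless of rights.
            findings.append((entry.path, entry.principal, "world-accessible"))
            continue
        if entry.kind == "user":
            # Least privilege is easier to review when rights flow only through role groups.
            findings.append((entry.path, "u:" + entry.principal,
                             "direct user grant; assign rights through a role group"))
            continue
        group = "g:" + entry.principal
        for right in sorted(entry.rights):
            if group not in rule[right]:
                findings.append((entry.path, group,
                                 f"{right} not permitted for {data_class}"))
    return findings


# Constructed sample ACL: two compliant grants and three that should be flagged.
SAMPLE_ACL = [
    AclEntry("/vault/customers/accounts.db", "claims", "group", frozenset({"read"})),
    AclEntry("/vault/customers/accounts.db", "Everyone", "everyone", frozenset({"read"})),
    AclEntry("/vault/hr/payroll.xlsx", "hr", "group", frozenset({"read", "write"})),
    AclEntry("/vault/hr/payroll.xlsx", "jsmith", "user", frozenset({"read"})),
    AclEntry("/shared/newsletter.docx", "Everyone", "everyone", frozenset({"read"})),
]


if __name__ == "__main__":
    for path, principal, reason in audit(SAMPLE_ACL):
        print(f"{path}: {principal}: {reason}")
```

Running it against the sample data reports the world-readable customer database, the HR group's write access to payroll (the policy reserves writes for hr-admins), and the direct per-user grant; the newsletter in the general share is ignored because it sits outside the segmented vault. Scheduling this kind of check and alerting on new findings turns the one-time segmentation work into something that holds up between audits.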