Ransomware Keep Evolving: Multiple Extortion

Ransomware attacks are currently causing extensive havoc worldwide, becoming one of the biggest cyber threats nowadays. More and more companies and organisations have been materially affected. According to a ransomware report, the average ransomware payment in 2021 Q1 was US$ 220,298, (HK$ 1.72 million), up 43% from 2020 Q4 ^[1].

HKCERT published two security blogs last year on ransomware gangs using double extortion tactics to increase their chance of getting paid. As time passes, new extortion tactics have emerged with ransomware gangs opting to engage in multiple extortion in recent months.

What is Multiple Extortion?

For traditional (single-extortion) ransomware attacks, ransomware gangs would simply encrypt the victims’ data and demand a ransom for its recovery. But if the victims have performed regular offline backup, they can restore backup data to resume operation, effectively safeguarding critical data against crypto ransomware and rebuking the extortion attempt.

As the single-extortion tactic became ineffective, ransomware gangs turned to a new tactic – double extortion. The attackers would extract a large quantity of sensitive information from victims before encrypting data, and then threaten to release or sell the stolen information, exerting greater pressure on the victims to pay the ransom. The ransomware gang called Maze was the first to use this tactic. Then, more and more threat actor groups followed suit.

In the latest development, ransomware gangs have resorted to applying different extortion methods to heighten the pressure and threat on victims for a greater amount of ransom payment. We have observed at least four new extortion methods in action. They include distributed denial-of-service (DDoS), contacting victims’ customers, short selling victims’ stock and affecting infrastructure systems. As this tactic involves more than two extortion methods, it is called multiple extortion.

In the next section, we will analyse the four new extortion methods.

New Extortion Methods Analysis

1.   DDoS Extortion

A DDoS attack is to paralyse targeted websites or network services by flooding them with a huge volume of network traffic in excess of their handling capacities.

In October 2020, two ransomware gangs, SunCrypt and RagnarLocker, used DDoS attacks against the victim’s network or web site as an extra weapon to force them to pay a ransom ^[2]. Then a third ransomware gang, Avaddon, started to use the same tactic, performing DDoS attacks to take down the victim’s site or network until the victim would contact them for ransom payment negotiation ^[3]. In May 2021, it hit the Asia division of a large insurance company, disrupting its IT operations ^[4]. Subsequently, more and more ransomware groups added DDoS extortion to their arsenal.

As we observed, ransomware gangs have considered data encryption and exfiltration no longer menacing enough to make the victims pay the ransom. So, they would try to cause a more direct impact of service interruption to increase pressure on the victims. Also, services on launching DDoS attacks with cyber criminal-controlled botnets are readily available on the dark web market. In some cases, it may help persuade some victims that speedy ransom payment is the least painful option.

2.   Contacting Victims’ Customers and Partners

Some ransomware gangs have deployed another pressure tactic. They will email or call the victim’s customers and partners directly, warning that their data will be leaked to the dark web unless they can convince the victim firm to pay up ^[5].

The Clop ransomware gang is the first group observed to have used this tactic, by posting several gigabytes of data from the victim’s files, containing employee tax and financial records, on their victim shaming site. In February 2021, the REvil ransomware group announced that they had added a new stage, calling the victim’s business partners and the media, to their double extortion scheme ^[6].

Understandably, nobody wants to get involved in any data breach incident, no matter the incident happens in their organisations, service providers or partners. Contacting victims’ customers and partners about the data breach will naturally raise more concerns and create public pressure on the victims to settle the incident as soon as possible. The ransomware gangs may get a higher chance of the victims being convinced to pay up quickly.

3.   Short Selling Victims’ Stock

In April 2021, the DarkSide ransomware group hatched a new method to ratchet up force on those victims listed on stock markets by short selling their stocks. The gang would post a message on their dark web portal, saying they would inform short-sellers in the market in advance to enable them to start shorting the victim’s stocks before going public ^[7].

The attack factors believed that the negative impact of showing a traded company intruded would be sufficient to force down the stock price and allow a short-seller to make a profit. The short sell announcement also worked as a method to threaten the hacked companies as failures to pay the ransom could have a negative impact on their stocks, thereby pushing the victims to pay the ransom.

4.   Disruption Critical Infrastructure Systems operated by Victims

Some cybercriminals not only target information technologies (IT), but also use ransomware to target unsecured operational technologies (OT), that help run physical processes in industrial equipment or critical infrastructure.

In May 2021, one of the largest pipeline operators in US proactively closed down operations and suspended IT systems after becoming the victim of the DarkSide ransomware. It took nearly a week to resume operation, and pump price rose dramatically during the outage ^[8]. The company admitted they have paid a US$ 4.4 million (HK$ 34.3 million) ransom for the decryption key ^[9].

Taking down those systems responsible for a company’s day-to-day business operations can inflict financial and reputation damage. Attackers know perfectly well that a suspension of OT systems will cause a significant financial loss, and there exists the urgency to resume the operations with social and government pressure. Vaious institutions such as hospitals, manufacturing companies, and critical infrastructure organisations have fallen victim to these attacks recently. We foresee such attacks on critical infrastructure systems to continue to increase in the future.

Recommendations

To protect your company from ransomware attacks using multiple-extortion tactics, please adopt the below recommendations to protect your networks, data and IT and OT systems:

1. PolIcy and Assessment
   1. Establish a data protection policy to cover the complete information lifecycle, from collection, processing data to destruction of data;
   2. Conduct security assessment regularly and plug loopholes found;

2. Protect your systems
   1. Minimise the number of users with privileged access (e.g. domain administrative rights) to confine the scope and impacts in case of an attack, and use general account in day-to-day operation;
   2. Implement endpoint security protection solutions to inspect emails and web content for malicious payloads, detect and quarantine malicious programs to prevent malware infection;
   3. Harden the network infrastructure and minimise the points of exposure to the Internet;
   4. Build data privacy policy which consists of sensitive data encryption and password policies and handling of encryption keys in isolation;
   5. Consider applying DDoS protection solutions or services to defend against DDoS attacks;

3. Monitor your systems and detect malicious activities
   1. Ensure network monitoring and security detection are in place and ready to carry out immediate incident response if any abnormal network activities are detected;
   2. Build cyber threat intelligence capability to keep track with most recent threats, and exchange information with peer organisations to pre-empt emerging attacks;

4. Respond to attacks
   1. Conduct cyber security drills regularly, such as phishing drills and ransomware attack drills, and training to improve employees’ security awareness;
   2. Build incident response plan to respond to ransomware, data leakage, DDoS attacks in a timely manner;
   3. Build business contingency plan to minimise the impact to business in case of ransomware, DDoS and OT systems outage incident;
   4. Do not pay the ransom as it merely sponsors ransomware gangs’ operation; and
   5. In case of cyber security issue, contact HKCERT for enquiry or assistance.

References

[1] https://www.coveware.com/blog/ransomware-attack-vectors-shift-as-new-software-vulnerability-exploits-abound

[2] https://www.bleepingcomputer.com/news/security/ransomware-gangs-add-ddos-attacks-to-their-extortion-arsenal/

[3] https://www.bleepingcomputer.com/news/security/another-ransomware-now-uses-ddos-attacks-to-force-victims-to-pay/

[4] https://www.zdnet.com/article/asia-division-of-cyber-insurance-company-axa-hit-with-ransomware-attack/

[5] https://krebsonsecurity.com/2021/04/ransom-gangs-emailing-victim-customers-for-leverage/

[6] https://blog.checkpoint.com/2021/05/12/the-new-ransomware-threat-triple-extortion/

[7] https://therecord.media/ransomware-gang-wants-to-short-the-stock-price-of-their-victims/

[8] https://www.zdnet.com/article/colonial-pipeline-ransomware-attack-everything-you-need-to-know/

[9] https://www.zdnet.com/article/colonial-pipeline-ceo-paying-darkside-ransom-was-the-right-thing-to-do-for-the-country/