Threat actors are leveraging stolen data to enhance ransomware attacks. Data leaks and ransomware - once considered two distinct threats - are overlapping into a hybrid tactic known as double extortion. While traditional ransomware attacks deny access to valuable systems and data, double extortion threatens to leak sensitive data if the ransom is not paid.
Data Leaks on the Rise
In Q1, more than 8.4 billion records were exposed, signifying a dramatic increase from last year. One of the contributing factors to this is the accelerated transition to remote work during the pandemic. Hastily-configured applications, uncontrolled processes, and general confusion have created favorable conditions for adversaries to compromise sensitive data.
The types of data often exposed in ransomware attacks can include:
- Sensitive internal files and communications
- Proprietary source code
- Credit card data
- Bank identification numbers (BIN)
- Personally identifiable information (PII)
- Protected health information (PHI)
Threat actors leak stolen information on the surface web, dark web, or social media. They also advertise leaked information on personal web pages and blogs. In an effort to further pressure ransomware victims and maximize monetary gains, some ransomware operators have created auction sites where they sell stolen information to the highest bidder.
PII being auctioned on the dark web
Ransomware Operators Have Evolved
Ransomware campaigns are less indiscriminate than in the past. Threat actors have demonstrated a more strategic approach with who they target and how they deliver payloads. A recent campaign specifically targeted healthcare providers, taking advantage of their low tolerance for downtime in the midst of a pandemic.
Another trend is conducting surveillance on systems before stealing or encrypting data. This allows threat actors to research financials and internal communications, and as a result help them understand whether the targeted organization is capable of paying a ransom. For high value targets, they may monitor internal company communications during the ransom process to gain further leverage during negotiation. They are also able to gather employee information that can be used for future attacks like Business Email Compromise (BEC).
Ransomware families have also expanded their horizons by linking up with other malware families and cybercrime operations. Some ransomware operators are delivering "Ransomware-as-a-Service" where they franchise their tools to other cybercriminals. This gives less sophisticated threat actors the ability to carry out ransomware campaigns without having to first build out their own infrastructure.
Ransomware Delivery Methods
Phishing continues to be a primary delivery vector for ransomware. Coronavirus-themed spear phishing attacks are one example, where cyber criminals capitalize on employee fears during the pandemic. The success of these emails isn’t due to innovative or well-crafted messaging, but because they contain subject lines, content, or attachments that imply updates from management or changes to business protocol.
Threat actors use email phishing lures to deliver malware loaders (such as Emotet or Bazar) via links and attachments. The loader then installs other malware (such as Trickbot) or other tools that can be used to move within the network and compromise high value systems (such as domain controllers). From that point, attackers can deploy ransomware throughout the environment to cripple operations and/or exfiltrate data that can be used to extort the compromised organization.
Vulnerable Remote Desktop Protocol (RDP) configurations are also being exploited to deliver ransomware. In March, there were approximately 200,000 daily RDP attacks in the U.S., and by mid-April, this number skyrocketed to 1.3 million. Along with phishing emails, RDP is a top attack vector for ransomware.
The Game Has Changed
Traditionally, victims of ransomware had two choices:
- Pay the ransom to get the decryption key
- Don’t pay and restore data from backups
Clearly, having ransomware-proof systems for data backup and recovery was a good strategy for managing ransomware risk. Now ransomware attacks have evolved so that organizations must also contend with the risk of sensitive data being compromised and leaked online. And even if they do pay the ransom, there is no guarantee the stolen information won't be sold anyway.
Those relying primarily on strong data backup and recovery to mitigate ransomware risk should re-evaluate their strategy. Preventing ransomware delivery is the most efficient way to reduce risk. Additional layers of email security can be impactful, especially those that excel at stopping threats that make it past filters and into user inboxes.
Improved detection and response capabilities will also strengthen resiliency against modern ransomware attacks. Loaders and other tools associated with ransomware campaigns can be detected and removed before the attacker is able to progress.
Additionally, external data leak intelligence can be used to monitor for signs of compromise. If threat actors are promoting or threatening to publish sensitive data online, this intelligence can help organizations assess the risk and formulate response strategies. If sensitive data is leaked on public websites or social media, it can often be taken down to reduce exposure.