Cybersecurity has long been a game of cat and mouse, with hackers constantly working to get around new security measures as businesses, schools, government entities and nonprofit organizations step up their efforts to keep sensitive systems and data safe. The latest ransomware tactic takes a two-pronged approach, known as “double extortion ransomware,” to force payments from victims even when their preventive measures leave them well equipped to carry on as usual despite the attack.
Ransomware is a popular method of attack that uses malicious software to block authorized users’ access to the organization’s data by encrypting files. To get the data back, organizations are instructed to pay a “ransom” to the cybercriminals who stole it, which may or may not actually result in the data being safely returned. Tip: While the FBI does not advocate paying a ransom, it does encourage reporting the incident (www.ic3.gov) for tracking and future prevention.
To counteract that threat, many organizations have been investing more effort and resources in making sure all data is securely backed up, with “air-gaps” that create physical as well as digital distance to ensure backups won’t be touched even if hackers manage to breach the system.
In the newest ransomware twist, hackers gain access to the system (often using social engineering tactics), extract a copy of the data, and then encrypt it, as usual. This is followed by a demand for bitcoin or another form of payment in exchange for the decryption key. But if the organization feels confident enough to ignore that threat, knowing its backups are current, complete, and easily accessible, the hackers are ready with a fallback plan.
Instead of simply walking away and seeking a less-prepared victim who might be more inclined to meet their demands, the hackers then change the terms of the ransom to “double-up”: Pay up or we’ll make the data public, thus creating massive liability issues and reputational damage to the organization. Individuals whose data was affected by the release then face the hassle of trying to monitor for identity theft and other types of fraud for decades to come. Tip: Doxing is a term used by hackers for documenting or gathering information about a target and making it public.
Data made public can include all manner of information organizations would prefer to keep private, as well as info they are legally required to protect:
- Proprietary secrets
- Sensitive internal communications
- Business financials
- Customer credit card numbers
- Bank account numbers
- Protected health data
- Treatment records
- Customer names, addresses, phone numbers and ages
- Fundraising and donation records
- Social Security numbers
- Student records
August and September saw a number of high-profile incidents of this type, including attacks on school districts in Nevada and Connecticut as well as on Brown-Forman, the company that makes the popular Tennessee whiskey Jack Daniel’s. When school district leaders in Clark County, Nevada refused to meet the hackers’ demands, the hackers published private data on students and staff. In the case of Brown-Forman, the hacking group Sodinokibi, commonly known as REvil, will likely leak the 1TB of company data it claims to have stolen in smaller doses, in hopes that sooner or later company leaders will pay up to limit the damaging exposure.
Attackers will continue to find more creative ways to monetize a security breach. In fact, ransomware as a service (“RaaS”) continues to grow: under this model the infrastructure, tools, and techniques are shared with anyone on the dark web in exchange for a license fee or a percentage of the ransom. With Covid-19 driving more remote working, the virtual private network (VPN) and remote desktop protocol (RDP) technologies that support those environments have had several vulnerabilities exploited in these attacks.
This kind of digital crime isn’t breaking any new ground; it’s just one more kind of cyber extortion, doubling the pressure on the organization to pay a ransom. It should, however, serve as a wake-up call to organizations that may feel ransomware isn’t a serious threat because solid backups are in place. Tip: Backups are a clear necessity, but think twice before stopping there.
Keeping systems and sensitive data secure is a critical priority for every organization today. Organizations of all sizes should strongly consider seeking a professional cybersecurity assessment that includes rigorous penetration testing. The steps you take to identify and minimize cyber-risks can deliver benefits many times in excess of their cost, in addition to priceless peace of mind. For help keeping your business safe, contact the cybersecurity consultants at Mauldin & Jenkins.