Triple-Extortion Tactics on the Rise for Ransomware Gangs

Cybercriminals have hit the ransomware trifecta by melding file encryption, data theft, and DDoS attacks.

Triple-Extortion Tactics on the Rise for Ransomware Gangs

Like any smart entrepreneur, threat actors know that their business is only as successful as their latest innovation. And when it comes to parting unsecured organizations from their money, those innovations never stop.

The latest involves integrating attacks into a ransomware-as-a-service (RaaS) portfolio to create the so-called triple cyberextortion attack. It’s a little bit ransom, a little bit DDoS extortion, and a lot of trouble. Here’s how it works:

  1. File encryption. With the traditional ransomware attack method, cybercriminals breach a network and encrypt valuable data, making it (and sometimes the entire system) unavailable to the victim organization. The attackers then demand payment in return for a decryption key.
  2. Data theft. Here, cybercriminals exfiltrate the data before locking the victim out. They then threaten to expose and/or sell the stolen data publicly unless paid. This second level of extortion makes it harder for victims to ignore ransomware threats, because even those who can use backups to restore data remain at risk of data exposure. Clearly, it’s a valuable monetization tool: Coveware estimates that nearly half of ransomware cases in the third quarter of 2020 used exfiltration tactics.
  3.  DDoS attacks. Commonly used as a standalone extortion method, DDoS attacks now are on the list of services RaaS operators offer. This further ratchets up the pressure on the victim in a couple of ways: First, it emphasizes the seriousness of the adversary. And second, maintaining availability also adds another stressor to a security team already dealing with the first two events.

By combining file encryption, data theft, and DDoS attacks, cybercriminals have essentially hit a ransomware trifecta designed to increase the possibility of payment. According to Bleeping Computer, SunCrypt and Ragnor Locker were early users of this tactic. Since then, other ransomware operators have jumped aboard, including Avaddon and Darkside, the perpetrator of the Colonial Pipeline incident.

From the threat actor’s perspective, adding DDoS attacks to a list of ransomware services is a smart business move. DDoS attacks are incredibly cheap and easy to launch, and they might increase the chance that a victim will pay. What’s not to like? After all, this is a very lucrative business, and bad actors are constantly adding new weapons to their multifaceted attack campaigns. (We are even seeing operators add the equivalent of support centers to help victims with decryption.)

The bottom line is that increasing pressure tactics ups the likelihood of a payoff, making ransomware an increasingly disruptive form of cybercrime that affects not only companies but also governments, schools, and public infrastructure.

We are seeing responses to the crisis, such as the Ransomware Task Force (RTF) created by the Institute for Security and Technology. Made up of a broad coalition of experts in industry, government, law enforcement, civil society, and international organizations, the RTF recently released key recommendations to combat what the group characterizes as an urgent security risk. It’s a start, but it will take a sustained global effort to put a dent in ransomware activity.

In the meantime, companies must adhere to some fundamental protections:

  • Avoid the network breach. Best practices include educating users on proper cybersecurity hygiene and employing network and endpoint cybersecurity protection solutions to detect malware, anomalous activity, or indicators of compromise (IoCs).
  • Pay attention to the basics. Back up valuable data and test data restoration plans. Run vulnerability assessments, patch, and update computer systems accordingly to avoid compromise.
  • Deploy continuous threat intelligence. Staying abreast of the latest threat intelligence helps companies detect, investigate, or proactively hunt for IoCs that could precede a ransomware attack.
  • Use proper DDoS protection. DDoS attacks are increasing in size, frequency, and complexity. Best practices in DDoS mitigation include a hybrid, intelligent combination of cloud-based and on-premises DDoS mitigation.

Finally, organizations should also look to deploy specialized cybersecurity solutions that can help thwart all facets of a triple extortion attack.

Learn more about defending triple extortion threats

Visit our resource center