Ransomware Attackers’ New Tactic: Double Extortion
Need another reason to defend against ransomware instead of ending up having to find a solution other than paying it? Double extortion may be it.
So, what is double extortion, and when did it start? With this tactic, ransomware actors steal a victim’s data before their malware strain activates its encryption routine. That gives them the option of demanding two ransoms: the first buys a decryption utility, and the second buys nothing more than the attackers’ verbal assurance that they have deleted the victim’s data from their servers. The stolen data also gives them leverage over victims that would otherwise have been able to recover, including those with a robust data backup strategy.
In November 2019, the Maze gang struck a security staffing firm. Bleeping Computer received an email from someone who claimed to be a member of the Maze Crew. It informed the computer self-help website that they had breached the security staffing firm and stolen some of their data.
“If they don’t begin sending requested money until next Friday we will begin releasing on public everything that we have downloaded from their network before running Maze[sic],” the individual explained.
The security staffing firm missed its deadline to pay. So, the Maze ransomware group published 700 MB worth of its data. The threat actors told Bleeping Computer that the leak represented about 10% of the total number of stolen files. As such, the attackers threatened to release the rest of them if the victim continued to refuse to pay.
The use of double extortion picked up from there. For its part, Maze helped some ransomware groups experiment with the tactic through its cartel, while other ransomware groups created data leak sites of their own. This led to an increase in double extortion over H1 2020. During that period, ID Ransomware received 100,001 submissions pertaining to ransomware attacks. Just over 11% of those submissions, or 11,642 of them, related to attacks that involved data theft, noted Emsisoft.
Ransomware actors took their efforts one step further at the end of 2020 and the start of 2021. They began using triple extortion, a technique where they singled out customers and third parties for their own ransom payments. As noted by WIRED, the first case occurred in October 2020 when a Finnish psychotherapy clinic experienced a data breach that involved a ransomware attack. Those responsible for the infection demanded a ransom from the clinic, but they also demanded smaller sums from individual patients via email.
The second instance of triple extortion occurred in February 2021. At that time, Bleeping Computer reported that the REvil/Sodinokibi ransomware gang had begun placing phone calls to the victim’s business partners and media. The purpose of those calls was to publicly embarrass the company and create even more pressure for the victim to fulfill the attackers’ ransom demand(s).
Even more layers of extortion emerged in the months that followed. For instance, in October, the FBI warned that the HelloKitty group had begun threatening to target victims’ public-facing websites with distributed denial-of-service attacks if they refused to pay the ransom or didn’t do so quickly enough. KnowBe4 reported that other ransomware actors had begun threatening to repeat the attack and delete all their victims’ data if they decided to contact law enforcement or professional negotiators following an infection.
All these levels of extortion are driving up ransomware costs. Specifically, they’re giving attack groups more impetus to raise their demands. The average ransom asks increased to between $50 million and $70 million in the first half of the year. Many victims end up paying a fraction of that, as they might be able to negotiate those requests down and/or rely on a cyber insurance policy to cover at least part of those costs. In either case, paying legitimizes ransom demands of that amount and encourages attackers to keep making them. It is therefore no wonder that ransomware costs are expected to reach a collective total of $265 billion by 2031.
Double, triple and all the other extortion levels discussed above have helped to elevate ransomware into a multi-faceted threat. SonicWall logged 470 million ransomware attacks through the third quarter of the year. That’s a 148% year-over-year increase. That company detected 190.4 million attacks in Q3 2021 alone, a figure which nearly overtook the 195.7 million ransomware attacks detected in the first three quarters of 2020.
Looking ahead, the firm estimated that ransomware totals would reach 714 million attack attempts by the end of December, making 2021 the most prolific year on record. These volumes explain why the U.S. federal government is working to combat ransomware by sanctioning cryptocurrency exchanges that have moved money for ransomware actors and by introducing bills that could require victims to publicly disclose ransom payments.
Even so, organizations can’t rely on the federal government alone to keep their systems and data safe. They need to focus on their ransomware prevention strategies by prioritizing three security measures. First, they can invest in their security awareness training to educate all employees and cultivate their familiarity with ransomware attacks. Second, they can use their vulnerability management programs to prioritize and remediate security weaknesses that malicious actors could exploit as a means to drop ransomware onto organizations’ systems. Finally, they can use data encryption as a means to protect their data against ransomware attempts.
David Bisson is an infosec news junkie and security journalist. He works as Contributing Editor for Graham Cluley Security News and Associate Editor for Trip…
Biden to create cybersecurity standards for nation’s ports as concerns grow over vulnerabilities
WASHINGTON (AP) — President Joe Biden on Wednesday signed an executive order and created a federal rule aimed at better securing the nation’s ports from potential cyberattacks.
The administration is outlining a set of cybersecurity regulations that port operators must comply with across the country, not unlike standardized safety regulations that seek to prevent injury or damage to people and infrastructure.
“We want to ensure there are similar requirements for cyber, when a cyberattack can cause just as much if not more damage than a storm or another physical threat,” said Anne Neuberger, deputy national security adviser at the White House.
Nationwide, ports employ roughly 31 million people and contribute $5.4 trillion to the economy, and could be left vulnerable to a ransomware or other brand of cyberattack, Neuberger said. The standardized set of requirements is designed to help protect against that.
The new requirements are part of the federal government’s focus on modernizing how critical infrastructure like power grids, ports and pipelines are protected as they are increasingly managed and controlled online, often remotely. There is no set of nationwide standards that govern how operators should protect against potential attacks online.
The threat continues to grow. Hostile activity in cyberspace — from spying to the planting of malware to infect and disrupt a country’s infrastructure — has become a hallmark of modern geopolitical rivalry.
For example, in 2021, the operator of the nation’s largest fuel pipeline had to temporarily halt operations after it fell victim to a ransomware attack in which hackers hold a victim’s data or device hostage in exchange for money. The company, Colonial Pipeline, paid $4.4 million to a Russia-based hacker group, though Justice Department officials later recovered much of the money.
Ports, too, are vulnerable. In Australia last year, a cyber incident forced one of the country’s largest port operators to suspend operations for three days.
In the U.S., roughly 80% of the giant cranes used to lift and haul cargo off ships onto U.S. docks come from China, and are controlled remotely, said Admiral John Vann, commander of the U.S. Coast Guard’s cyber command. That leaves them vulnerable to attack, he said.
Late last month, U.S. officials said they had disrupted a state-backed Chinese effort to plant malware that could be used to damage civilian infrastructure. Vann said this type of potential attack was a concern as officials pushed for new standards, but they are also worried about the possibility for criminal activity.
The new standards, which will be subject to a public comment period, will be required for any port operator and there will be enforcement actions for failing to comply with the standards, though the officials did not outline them. They require port operators to notify authorities when they have been victimized by a cyberattack. The actions also give the Coast Guard, which regulates the nation’s ports, the ability to respond to cyberattacks.
Why Was Sam Altman Fired? Possible Ties to China D2 (Double Dragon) Data from Hackers
Theories are going around the internet about why Sam Altman was fired. On an insider tech forum (Blind), one person claims to know the story via a third-hand account, and how this news will trickle into the media over the next couple of weeks.
It’s said OpenAI had been using data from D2 to train its AI models, which include GPT-4. This data was obtained through a hidden business contract with a D2 shell company called Whitefly, which was based in Singapore. This D2 group supposedly has the largest crawling/indexing/scanning capacity in the world, 10x that of Alphabet Inc. (Google), hence the deal, so that OpenAI could get its hands on vast quantities of training data after exhausting its other options.
The Chinese government became aware of this arrangement and raised concerns with the Biden administration. As a result, the NSA launched an investigation, which confirmed that OpenAI had been using data from D2. Satya Nadella, the CEO of Microsoft, which is a major investor in OpenAI, was informed of the findings and ordered Altman’s removal.
There was also a suggestion that Altman refused to disclose this information to the OpenAI board. This lack of candor ultimately led to his dismissal and is what the board publicly alluded to when it said he was “not consistently candid in his communications with the board.”
To summarize what happened with Sam Altman’s firing:
1. Sam Altman was removed from OpenAI due to his ties to a Chinese cyber army group.
2. OpenAI had been using data from D2 to train its AI models.
3. The Chinese government raised concerns about this arrangement with the Biden administration.
4. The NSA launched an investigation, which confirmed OpenAI’s use of D2 data.
5. Satya Nadella ordered Altman’s removal after being informed of the findings.
6. Altman refused to disclose this information to the OpenAI board.
We’ll see in the next couple of weeks if this story holds up or not.
Amazon says cloud operating normally after outage left publishers unable to operate websites…
SEATTLE (AP) — Amazon’s cloud computing unit Amazon Web Services experienced an outage on Tuesday, affecting publishers that suddenly found themselves unable to operate their sites.
The company said on its website that the root cause of the issue was tied to a service called AWS Lambda, which lets customers run code for different types of applications.
Roughly two hours after customers began experiencing errors, the company posted on its AWS status page that many of the affected AWS services were “fully recovered” and it was continuing to recover the rest. Soon after 6:30 p.m. ET, the company announced all AWS services were operating normally.
Amazon said it had experienced elevated error rates for multiple AWS services in the Northern Virginia region, where it clusters data centers. The company said customers might see authentication or sign-in errors when using some AWS services and have trouble connecting with AWS Support. The issue with Lambda also indirectly affected other AWS services.
Patrick Neighorn, a company spokesperson, declined to provide additional details about the outage.
AWS is the market leader in the cloud arena, and its customers include some of the world’s biggest businesses and organizations, such as Netflix, Coca-Cola and government agencies.
Tuesday’s outage was first confirmed shortly after 3 p.m. ET, and it was unclear how widespread the problem was. But many companies, including news organizations such as The Verge and Penn Live, said they were experiencing issues. The Associated Press was also hampered by the outage, unable to operate its sites amid breaking news that former President Donald Trump was appearing in court in Miami.
Morgan Durrant, a spokesperson for Delta Air Lines, said the company experienced “some slowing of inbound calls for some minutes” on Tuesday afternoon. But he said the outage did not impact bookings, flights or other airport operations.
The episode on Tuesday is reminiscent of a much longer AWS outage in December 2021, which affected a host of U.S. companies for more than five hours.
The outage comes as Amazon is holding a two-day security conference in Anaheim, California, to tout its cloud offerings to its clients and other companies that might be interested in storing their data on its vast network of servers around the world. Companies have been cutting back their spending on the unit, causing its growth to slow during the most recent quarter.