Ever hear of double extortion? It’s a technique increasingly employed by ransomware attackers. A malware payload steals a victim’s plaintext information before launching its encryption routine. Those operating the ransomware then go on to demand two ransoms — one for a decryption utility and the other for the deletion of the victim’s stolen information from their servers. In doing so, ransomware actors hope to trap all their victims into paying up. Backups can help to negate the need for a decryption utility, the logic goes, but they mean next to nothing in the aftermath of data theft. Take a look at how to defend against double extortion and double encryption as attackers double down.

Double Extortion: A Means to an End for Ransomware Attackers

What makes double extortion so useful is that it is a means to an end, not an end unto itself. Just look at what ransomware actors have done with double extortion since its inception in 2019.

Some have decided to create new attack infrastructure. Take the Maze crew, for example. This group of attackers created its own data leak site for publishing the data of victims who refused to pay. The group also formed a cartel with other ransomware gangs, an arrangement whose central benefit was shared use of that leak site. (Other actors' experience with Maze's double extortion apparatus also helped crews like LockBit to stand up leak sites of their own.)

Others have elected to weaponize double extortion for the sake of repeat ransom demands. All this requires is for the crypto-malware crew to keep a copy of the stolen data after the victim pays. Those threat actors can then return whenever they want and issue a fresh ransom demand for the same data.


What Is Double Encryption?

Double extortion is not the only new technique that’s using two of something to reshape the flow of a ransomware attack. So too is double encryption, a tactic where malicious actors are encrypting victims’ data with two (or more) ransomware strains.

Emsisoft first warned about the threat of double encryption in mid-May 2021. The attack commonly takes one of two forms.

In the first type, known as layered encryption, a malicious actor encrypts a victim’s data with one ransomware strain. The attacker then re-encrypts that encrypted information using a different ransomware sample.

In the second type, called side-by-side encryption, the attacker uses one ransomware strain to encrypt some systems and another ransomware sample to encrypt other systems.

Two Birds, One Ransomware Stone

Double encryption is like double extortion in two ways. First, it aims to maximize the amount of money that attackers are capable of collecting using a ‘single’ infection. Multiple payloads require victims to pay for multiple decryption utilities, thus increasing the overall cost of a ransomware attack.

Ransomware attackers understand this. Under the model of double encryption, they can work together to share in the profits of a company that’s willing to pay. Or, they can combine several of their ransomware strains together into a single attack.

Cryptomalware crews can also leverage double encryption to expand the types of options that are available to their affiliates. Indeed, developers can create new tiers in their affiliate programs that enable would-be attackers to string two or more malware payloads together, for instance. When made available under an established ransomware-as-a-service platform, such offerings would lead to even more money ending up in ransomware actors’ pockets.

Second, double encryption makes recovery more difficult. If a victim chooses to pay the ransom, the attackers could send a decryption utility for each ransomware strain involved. The issue is that the onus then falls on the attackers to adequately describe how to use those utilities to recover all of the data. If the attackers used side-by-side encryption, for instance, they would need to tell the victim which decryptor to run on which system. With layered encryption, they would need to specify the order in which to run the decryptors, since the outer layer has to come off before the inner one can be reached.

That’s a lot to assume given the fact that many attacker-created decryption tools already don’t work on their own. (That’s what happened with ProLock.) All these moving parts increase the likelihood that organizations could suffer data corruption following a ransomware attack.
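To make the ordering problem concrete, here is an added toy model (not code from the article, and not any real strain's file format): two hypothetical strains, STRAIN_A and STRAIN_B, each wrap a file with their own magic header, nonce, key and extension; the cipher is an HMAC-SHA256 counter-mode keystream chosen only because it is trivially invertible. identify() picks the decryptor from the artifact itself, decrypt() refuses anything it did not produce, recover() peels a layered file from the outside in, and triage_fleet() handles the side-by-side case by mapping each host to the strain found on it. All names, markers and sample data are invented for the example.

```python
"""Toy model of layered and side-by-side double encryption (added example).

STRAIN_A / STRAIN_B, their headers, extensions and the cipher are all invented;
nothing here mirrors a real ransomware family.
"""
import hashlib
import hmac
import secrets

NONCE_LEN = 16

# Hypothetical strain descriptors: magic header, appended extension, per-strain key.
STRAINS = {
    "STRAIN_A": {"magic": b"STRA", "ext": ".alpha", "key": secrets.token_bytes(32)},
    "STRAIN_B": {"magic": b"STRB", "ext": ".bravo", "key": secrets.token_bytes(32)},
}


def _keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode: a toy stream cipher, NOT a real ransomware cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(data, stream):
    return bytes(a ^ b for a, b in zip(data, stream))


def encrypt(strain, name, data):
    """Wrap a file the way the hypothetical strain would: magic || nonce || ciphertext, new extension."""
    s = STRAINS[strain]
    nonce = secrets.token_bytes(NONCE_LEN)
    body = _xor(data, _keystream(s["key"], nonce, len(data)))
    return name + s["ext"], s["magic"] + nonce + body


def identify(name, blob):
    """Triage step: which strain wrote this artifact? Header and extension must both agree.
    (A plaintext that happens to start with a marker AND carry the extension would fool
    this toy check; real triage matches full known signatures and ransom notes.)"""
    for strain, s in STRAINS.items():
        if blob.startswith(s["magic"]) and name.endswith(s["ext"]):
            return strain
    return None


def decrypt(strain, name, blob):
    """Strain-specific decryptor. Refuses input it did not produce, which is exactly what
    happens when a victim runs the decryptors in the wrong order."""
    s = STRAINS[strain]
    if identify(name, blob) != strain:
        raise ValueError(f"{strain} decryptor: not a {strain} artifact")
    hdr = len(s["magic"])
    nonce = blob[hdr:hdr + NONCE_LEN]
    body = blob[hdr + NONCE_LEN:]
    return name[:-len(s["ext"])], _xor(body, _keystream(s["key"], nonce, len(body)))


def recover(name, blob):
    """Layered case: peel from the outside in, letting the artifact choose the decryptor.
    Returns (original name, plaintext, strains in the order they were removed)."""
    order = []
    while (strain := identify(name, blob)) is not None:
        name, blob = decrypt(strain, name, blob)
        order.append(strain)
    return name, blob, order


def triage_fleet(artifacts):
    """Side-by-side case: map each host to the strain seen on it so the right decryptor
    goes to the right system. `artifacts` is {host: (filename, bytes)}."""
    return {host: identify(n, b) for host, (n, b) in artifacts.items()}


if __name__ == "__main__":
    n, b = encrypt("STRAIN_A", "report.docx", b"quarterly numbers, not yet public")
    n, b = encrypt("STRAIN_B", n, b)          # second strain layered on top
    print("outer layer:", identify(n, b))     # STRAIN_B must be removed first
    print(recover(n, b))
```

The point a responder should take from this: in the layered case the artifact itself records which decryptor must run next (the outer header), so the attackers' written instructions should be checked against what the files show before anything is run at scale; in the side-by-side case, classify every host before distributing decryptors. Real triage matches known strain headers and ransom notes rather than the toy markers used here.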

Why Organizations Shouldn’t Pay Ransoms

Whether single encryption or double encryption is involved, paying the ransom carries several risks for victims. First, paying the ransom doesn’t guarantee they’ll be able to recover their data. Some decryption utilities fail, as discussed above, and some attackers refuse to honor a ransom payment.

Second, paying a ransom doesn’t ensure that a victim will be able to recover their data right away. Decryption is often a manual task that requires victims to recover individual files one at a time. This process can become even more complex when multiple ransomware strains and their corresponding decryptors get involved.

Lastly, organizations could incur financial penalties by paying a ransom. In 2020, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) advised that it could impose civil penalties on anyone who paid a ransom to an individual or entity on its sanctions lists. Because sanctions violations are assessed on a strict-liability basis, that penalty can apply even if the victim didn’t know the attacker was sanctioned.

Defending Against Ransomware in the Age of ‘Double’ Tactics

Double extortion was always a means to an end in more ways than one. This technique didn’t just extend the possibilities of how a ransomware actor could get paid. It also changed how a ransomware attack could look.

Taken together, these techniques highlight the need for organizations to defend themselves against ransomware. Having backups is a crucial step of that process. But there are other important steps, too, like the following:

  • Crafting a data theft prevention strategy
  • Applying user behavior analytics to identify potential threats
  • Implementing multi-factor authentication to secure accounts
  • Leveraging penetration testing to identify weak points on the corporate network

These fundamentals can help keep organizations safe against ransomware, regardless of what encryption and extortion techniques a campaign is using.
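Since double extortion depends on copying data out before the encryption routine runs, the data-theft-prevention and user-behavior items above come down to one question: is a host pushing far more data, to somewhere it never talks to, than its own history says it should? The following is an added example of that check (not code from the article or from any product) run over a constructed egress log; the hosts, baselines, IPs and byte counts are all invented.

```python
"""Egress-volume anomaly check against a per-host baseline (added example).

Log format, hosts, baselines and addresses are constructed for illustration.
"""
import statistics
from collections import defaultdict

# Constructed per-host baseline: bytes sent per day over the previous seven days.
BASELINE = {
    "fs01": [3_200_000, 2_900_000, 3_500_000, 3_100_000, 2_800_000, 3_300_000, 3_000_000],
    "ws17": [150_000, 120_000, 180_000, 140_000, 160_000, 130_000, 170_000],
    "ws22": [90_000, 110_000, 100_000, 95_000, 105_000, 98_000, 102_000],
}

# Constructed allow-list of external destinations the business normally uses.
KNOWN_DESTS = {"203.0.113.10", "198.51.100.25"}

# Constructed egress log: timestamp, source host, destination IP, port, bytes out.
EGRESS_LOG = """\
2021-06-01T02:10:05Z fs01 203.0.113.10 443 1200000
2021-06-01T02:14:41Z fs01 203.0.113.10 443 1500000
2021-06-01T02:31:09Z ws17 198.51.100.25 443 80000
2021-06-01T03:02:55Z ws22 192.0.2.77 443 1900000
2021-06-01T03:05:12Z ws22 192.0.2.77 443 2400000
2021-06-01T03:07:48Z ws22 192.0.2.77 22 2100000
2021-06-01T03:40:00Z ws17 198.51.100.25 443 60000
"""


def parse(log_text):
    """Turn the whitespace-separated log into a list of event dicts."""
    events = []
    for line in log_text.splitlines():
        ts, host, dst, port, nbytes = line.split()
        events.append({"ts": ts, "host": host, "dst": dst, "port": int(port), "bytes": int(nbytes)})
    return events


def per_host_egress(events):
    """Total outbound bytes and the set of destinations, per source host."""
    totals = defaultdict(int)
    dests = defaultdict(set)
    for e in events:
        totals[e["host"]] += e["bytes"]
        dests[e["host"]].add(e["dst"])
    return totals, dests


def flag_exfil(events, baseline, known_dests, z=3.0, min_bytes=1_000_000):
    """Alert on hosts whose outbound volume sits more than z standard deviations above
    their own baseline, and separately on sizeable transfers to destinations outside
    the allow-list. `min_bytes` keeps tiny hosts with tiny variance from alerting on noise."""
    totals, dests = per_host_egress(events)
    alerts = []
    for host, sent in totals.items():
        reasons = []
        hist = baseline.get(host)
        if hist is None:
            reasons.append("no baseline for host")
        else:
            mean = statistics.mean(hist)
            sd = statistics.pstdev(hist) or 1.0  # guard against a flat history
            if sent >= min_bytes and sent > mean + z * sd:
                reasons.append(f"volume {sent} bytes vs baseline mean {mean:.0f} (z={(sent - mean) / sd:.1f})")
        new_dests = dests[host] - known_dests
        if new_dests and sent >= min_bytes:
            reasons.append(f"new destination(s): {sorted(new_dests)}")
        if reasons:
            alerts.append({"host": host, "bytes": sent, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in flag_exfil(parse(EGRESS_LOG), BASELINE, KNOWN_DESTS):
        print(alert["host"], alert["bytes"], "; ".join(alert["reasons"]))
```

On the constructed log, fs01 moves a lot of data but within its normal range to a known destination, so it stays quiet; ws22, a workstation that normally sends about 100 KB a day, pushes several megabytes to an address nobody has seen before and is flagged on both counts. Tuning z and min_bytes per asset class is the real work; a file server and a workstation should not share thresholds.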
