Thursday, 05 August 2021 09:40

With Double Extortion, We Can’t Outplay Ransomware So We Need To Outwit It

By Hayley Turner, Darktrace

GUEST OPINION by Hayley Turner, Director of Industrial Security - APAC at Darktrace: “Double Extortion” might sound like the title of a cheap airport thriller, but it’s a fast-growing component of the current ransomware explosion. While a year and a half ago, only one known threat actor used the tactic, there are now more than 16 ransomware groups actively using it.

From the JBS attack that impacted our agricultural sector, to the high-profile attack on Nine Entertainment, ransomware has not been far from the headlines this year. But despite this, the egregious threat of double extortion has had scant attention.

So, what is it, why has it become so popular and why should Australian organisations be prepared for it?

What is double extortion ransomware?
Traditionally, ransomware consisted of malicious code rapidly encrypting files with public-key RSA encryption, and then deleting those files if the victim did not pay the ransom.

However, after the infamous WannaCry and NotPetya ransomware campaigns over 2017, companies ramped up their cyber defence. More emphasis was placed on backups and restoration processes, so that even if files were destroyed, organisations had copies in place and could easily restore their data.

In response, cyber-criminals adapted their techniques. Now, rather than just encrypting files, double extortion ransomware exfiltrates the data first. This means that if the company refuses to pay up, information can be leaked online or sold to the highest bidder. Suddenly, all those backups and data recovery plans became worthless.

An ever-evolving threat
In late 2019, Maze ransomware emerged as the first high-profile case of double extortion. Other strains soon followed, with the Sodinokibi attack — which crippled foreign exchange company Travelex and hit UnitingCare Queensland — occurring on the final day of that year.

By mid-2020, hundreds of organisations were falling victim to double extortion attacks, various websites on the dark net were leaking company data, and the Ransomware-as-a-Service (RaaS) business was booming as developers sold and rented new types of malware.

Globally, we also saw cyber security regulations weaponised by cyber-criminals who could leverage the threat of having to pay a hefty compliance fine to encourage their victims to keep quiet by offering them a ransom smaller than the penalty fee.

Despite new legislation being written regularly to try and mitigate these attacks, they aren’t slowing down. According to a recent study by RUSI, there were 1,200 double extortion ransomware incidents in 2020 alone, across 63 different countries.

Last month, the cyber-criminal gang known as REvil released details about Apple’s new MacBook Pro on their site ‘Happy Blog’, threatening to release more blueprints and demanding a ransom of US$50 million. And last month, Colonial Pipeline purportedly paid US$5 million in bitcoin to recover from a devastating OT ransomware attack.

The type of personalisation you really don’t want
Darktrace has detected a huge upsurge in double extortion ransomware threats in the last year, most recently at an energy company based in Canada. The hackers had clearly done their homework, tailoring the attack to the company and moving quickly and stealthily once inside.

The initial infection vector is not known, but the admin account was compromised, most likely from a phishing link or a vulnerability exploit. This suggests a trend away from widespread ‘spray and pray’ ransomware campaigns of the last decade, towards a more targeted approach.

As with the majority of ransomware incidents, the encryption happened outside of office hours – overnight in local time – to minimise the chance of the security team responding quickly. Through the use of artificial intelligence (AI) to monitor for attacks, suspicious behaviour was reported to the security team who could quickly identify the scope of the infection and respond accordingly.

The stakes around ransomware are changing and with the current discussion about mandatory reporting of ransomware in Australia, we may be reaching a point where keeping it quiet is not an option. With the rise of double extortion, if the blast doesn’t get you then the fallout will. The stakes are too high to gamble that you can spend your way out of the problem or outfox malicious actors. The only solution is to use cutting-edge technology like AI to interrupt the threat in its very earliest stages.

