Ransomware Gangs Use New Triple Extortion Tactics

After the DarkSide ransomware attack on Colonial Pipeline, a number of ransomware gangs have ceased activity or have introduced rules that their affiliates are required to follow, which include stopping all attacks on critical infrastructure companies, medical care companies, and government institutions. A few well-known hacking forums are distancing themselves from ransomware and have prohibited ransomware gangs from promoting their RaaS programs. Nonetheless, many threat actors are still conducting attacks, and not all of them are scaling back their campaigns. It is uncertain whether attacks will really decrease, even temporarily.

Thus far in 2021, attacks are happening at high levels; the medical care and utility industries are the most attacked. Check Point Research's analysis of attacks revealed that since April 2021 there have been about 1,000 ransomware attacks per week, with the number of affected companies up 21% in the first 4 months of 2021 and 7% higher in April.

There is a 102% increase in the number of attacked companies compared with a similar period in 2020. In April 2021, healthcare organizations reported an average of 109 ransomware attacks every week; the utility sector reported 59 attacks each week, and the legal/insurance sector reported 34 each week. Ransom payments have likewise gone up by 171% from a similar period last year, with a current average payment of $310,000.

Since early 2020, ransomware gangs have been using double extortion tactics to increase the likelihood that victims pay the ransom. Rather than just encrypting files and demanding payment for the decryption keys, the threat actors exfiltrate any sensitive information they can get before encrypting the data. They then threaten to expose the information if payment isn't made.

Today, the latest tactic identified by Check Point researchers is triple extortion. As in double extortion, the attackers breach a healthcare system, exfiltrate information, and demand a ransom for the file decryption keys and to stop the sale or exposure of the stolen information on leak websites. In addition, a number of threat groups are targeting the people whose information was stolen. Those individuals are also given a ransom demand to avoid the sale or publication of their personal and health information.

This tactic has been seen since late 2020 and has continued to gain traction in 2021. The first identified case involved the Vastaamo Clinic in Finland in October 2020. In that incident, the attackers stole a massive volume of information and issued ransom demands to the healthcare provider and to patients. Patients were threatened with publication of their psychotherapy notes if they did not pay to prevent the leak.

Although the REvil ransomware operation didn't issue ransom demands to individuals, its tactics have included calling individuals by phone to notify them about the attack, in order to put pressure on the breached entity to pay the ransom.

Check Point Research explains that a wise and creative analysis of the complicated situation of double extortion ransomware attacks has resulted in the creation of the third extortion tactic. Third-party victims, for instance business clients, external co-workers and service providers, are greatly affected and harmed by data breaches brought on by these ransomware attacks, even though their network assets aren't targeted directly. Such victims are a natural target for extortion and may be on the radar of ransomware groups from now on.


Posted by

Mark Wilson

Mark Wilson is a news reporter specializing in information technology cyber security. Mark has contributed to leading publications and spoken at international forums with a focus on cybersecurity threats and the importance of data privacy. Mark is a computer science graduate.