Ransomware continues to be a cybersecurity pandemic, with organizations forced either to rebuild their systems from scratch or to pay six-figure ransoms for a decryption tool from the attackers that may not even work properly.
However, cybercriminals are getting smarter and are adopting new methods and techniques, and having your data held hostage is now the least of your worries, according to cybersecurity experts.
Now, ransomware operators are stealing sensitive data from the compromised network and threatening to leak it unless a ransom is paid, which complicates an organization’s efforts to simply wipe the compromised systems clean and restore from backups.
Recent research shows that even when an organization pays a ransom, that operator will attack the same victim again, suggesting that companies need to do more to harden their defenses and prevent network access in the first place.
In case you were wondering, the answer is no, you cannot trust ransomware gangs to leave you alone and give you back all your data after a successful attack.
It’s not just about the encryption anymore
In fact, there are some cases in which ransomware gangs are demanding double payment. The first is to decrypt the data, and the other is so that stolen sensitive data does not wind up somewhere on the internet, said Katie Nickels, director of intelligence at cybersecurity firm Red Canary, during a recent RSA Conference session.
According to Nickels, Maze, one of the more infamous ransomware groups, in 2019 began leaking victim data if victims didn’t pay.
“Since then, unfortunately, Maze started an unfortunate new trend,” Nickels said. “All of these different ransomware groups have started doing this exfiltration of data, and then extortion.”
According to an April report from ransomware prevention software provider Coveware, the vast majority of ransomware attacks now involve data exfiltration. The typical pattern is for the attacker to exfiltrate data from the most convenient file server, then escalate privileges and deploy ransomware on as many endpoints as possible.
The company’s report found that 77% of ransomware attacks in the first quarter of this year followed that trend, which is up from 70% in the quarter prior.
“This might seem obvious, but there is no honor among thieves,” Nickels said. “These people are criminals — you cannot trust them.”
How you can keep your organization safe from these attacks
- Basic cybersecurity best practices. This includes not clicking on links in suspicious emails, implementing multi-factor authentication, practicing good password security, keeping anti-malware software up to date and deploying email security solutions.
- Store backup data offline. This is the low-hanging fruit of ransomware mitigation. Store data offline so an attacker can’t access it through the internet, and conduct regular restoration tests.
- Detection. In addition to looking for signs of encryption and signs of deleted volume shadow copies (a Windows service that creates backup copies of files in the background), organizations should also look for signs of exfiltration.
- Disable unnecessary file-sharing tools. If a ransomware attacker succeeds in penetrating your network, they can use those tools to exfiltrate your data.
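As an added illustration of the detection item above (example code, not from the article or from Red Canary or Coveware), the script below scans constructed process-creation and network-flow records for the two signals the list names: command lines that delete volume shadow copies, and outbound transfer volume far above a host's normal baseline. The host names, addresses, patterns and baseline figures are assumptions made for the example.

```python
import ipaddress
import re
from collections import defaultdict

# Command-line patterns commonly associated with volume shadow copy deletion.
SHADOW_COPY_DELETION = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"win32_shadowcopy.*\bdelete\b", re.I),
    re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I),
]

# Constructed sample telemetry for this example; not from any real incident.
PROCESS_EVENTS = [
    {"host": "ws-101", "cmdline": r"C:\Windows\System32\svchost.exe -k netsvcs"},
    {"host": "ws-101", "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"host": "fs-02", "cmdline": "powershell.exe Get-WmiObject Win32_ShadowCopy | % {$_.Delete()}"},
]
NETFLOWS = [  # outbound byte counts per host for one day
    {"host": "fs-02", "dst": "10.0.0.5", "bytes_out": 900_000_000},        # internal copy, ignored
    {"host": "fs-02", "dst": "203.0.113.7", "bytes_out": 42_000_000_000},  # 42 GB to the internet
    {"host": "ws-101", "dst": "198.51.100.9", "bytes_out": 3_000_000},
]
BASELINE_BYTES = {"fs-02": 500_000_000, "ws-101": 2_000_000}  # typical daily outbound per host

def find_shadow_copy_deletions(events):
    """Return (host, cmdline) for each process-creation event matching a deletion pattern."""
    return [(e["host"], e["cmdline"]) for e in events
            if any(p.search(e["cmdline"]) for p in SHADOW_COPY_DELETION)]

def find_exfil_candidates(flows, baseline, factor=10):
    """Sum outbound bytes per host to destinations outside RFC 1918 space and flag
    hosts whose total exceeds `factor` times their baseline daily volume."""
    internal = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
    totals = defaultdict(int)
    for f in flows:
        dst = ipaddress.ip_address(f["dst"])
        if not any(dst in net for net in internal):
            totals[f["host"]] += f["bytes_out"]
    return sorted(h for h, b in totals.items() if b > factor * baseline.get(h, 0))

if __name__ == "__main__":
    for host, cmd in find_shadow_copy_deletions(PROCESS_EVENTS):
        print(f"[shadow copy deletion] {host}: {cmd}")
    for host in find_exfil_candidates(NETFLOWS, BASELINE_BYTES):
        print(f"[possible exfiltration] {host}")
```

A shadow copy deletion hit followed by a large outbound spike from the same file server is the combination the article describes, and both signals are available from ordinary endpoint and flow telemetry without waiting for encryption to start.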