Ransomware is highly popular among cyber-criminals. Their new tactic is double-encryption ransomware, forcing victims to pay twice.
Criminals of all kinds are forced to change the way they do things in order to continue their nefarious activities without being caught. Cyber-criminals are no different. It’s long been known that threat actors and hackers change their tactics on a regular basis. Once a vulnerability is patched, they move on to look for the next one while continuing to exploit machines that haven’t been updated. Phishing schemes have evolved to look like legitimate emails, and because those are so effective, ransomware is fast becoming a tool of choice for hackers. Now, though, there’s a new tactic popping up that businesses must be aware of: double-encryption ransomware.
While ransomware is seen most often in the healthcare industry and other so-called soft-target industries, it is applicable to, and has been seen in, every industry. The most common vector for ransomware is a phishing scheme. Someone clicks a bad link and, boom, malware is implanted. The malware works its way through business systems and locks everything down. The business receives a note demanding ransom for the decryption key. With standard ransomware, if the business chooses to pay the ransom, they get the key and move on with the cleanup process. With double-encryption ransomware, a second key is required, meaning that the victim has to pay up again.
There are a variety of ways this can work. In the past, double-encryption has typically involved two separate groups compromising the same victim at the same time. But Emsisoft, an antivirus company, says it has seen dozens of incidents where only one group or hacker intentionally layers two types of ransomware on top of each other.
“The groups are constantly trying to work out which strategies are best, which net them the most money for the least amount of effort,” says Emsisoft threat analyst Brett Callow. “So in this approach you have a single actor deploying two types of ransomware. The victim decrypts their data and discovers it’s not actually decrypted at all.”
There are two distinct tactics identified by Emsisoft. One sees threat actors encrypting data with one form of ransomware and then re-encrypting it with a second form. The second tactic is a “side-by-side encryption” attack. In this case, some business systems are locked with one form of malware and other systems are locked with a different form. The victim doesn’t realize they can’t access all of their data until the first decryption key is given and it doesn’t unlock everything. In the second case, bad actors take steps to ensure that the two strains of malware used look similar enough to confuse incident responders.
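For incident responders, both tactics mean the output of a decryptor has to be verified before recovery is declared complete. The following Python is an added example, not code from Emsisoft or the original article: it flags files that still look encrypted after the first key has been applied, using an assumed file-header table and an assumed entropy threshold. The host names, file names and sample data are constructed.

```python
import hashlib
import math
import os
from collections import Counter

# Assumed header table for a few common formats; extend it for your own estate.
MAGIC = {".pdf": b"%PDF-", ".png": b"\x89PNG\r\n\x1a\n",
         ".zip": b"PK\x03\x04", ".docx": b"PK\x03\x04"}
ENTROPY_LIMIT = 7.5  # assumed threshold in bits per byte; ciphertext sits near 8

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string, in bits per byte."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def classify(name: str, data: bytes) -> str:
    """Label one decryptor output file as 'ok' or 'suspect'."""
    magic = MAGIC.get(os.path.splitext(name)[1].lower())
    if magic is not None:
        # Known format: a correctly decrypted file must start with its header.
        return "ok" if data.startswith(magic) else "suspect"
    # Unknown format: fall back to entropy, which flags remaining ciphertext
    # (and, as a false positive, compressed data without a listed header).
    return "suspect" if shannon_entropy(data) > ENTROPY_LIMIT else "ok"

def triage(outputs: dict) -> dict:
    """Map each host to the files that still look encrypted after decryption."""
    report = {}
    for host, files in outputs.items():
        bad = [name for name, data in files if classify(name, data) == "suspect"]
        if bad:
            report[host] = bad
    return report

def sample_noise(blocks: int = 128) -> bytes:
    """Deterministic high-entropy bytes standing in for a remaining layer."""
    return b"".join(hashlib.sha256(bytes([i])).digest() for i in range(blocks))

# Constructed sample: output of the first decryptor on two hypothetical hosts.
SAMPLE = {
    "fileserver-01": [("report.pdf", b"%PDF-1.7\n" + b"text " * 200),
                      ("notes.txt", b"meeting at 10\n" * 50)],
    "fileserver-02": [("invoice.pdf", sample_noise()), ("export.dat", sample_noise())],
}

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A host where every file is still flagged after the first key points to the side-by-side case; scattered flagged files on an otherwise recovered host point to a second layer on the same data.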
“Even in a standard single-encryption ransomware case, recovery is often an absolute nightmare,” Callow says. “But we are seeing this double-encryption tactic often enough that we feel it’s something organizations should be aware of when considering their response.”
He’s right that recovery is a nightmare after an attack. Even if you pay the ransom and get the decryption key and it actually works, there’s often major cleanup that has to happen. It shines a light on the importance of a proper backup system: if someone attacks your business with ransomware, once you’ve dealt with the incident, it’s much easier to start fresh from backups than to have to clean old systems and data before they can be used again. This is why it is important to use the cloud, where there are backup guarantees. Even if it’s not feasible to put everything in the cloud (there are definitely instances where local storage is necessary), putting as much there as possible is recommended.
Hackers continually change their tactics; it’s something we’ve discussed many times. In order to continue with their form of work, they have to adjust and adapt. Double-encryption ransomware attacks are an easy way for threat actors to capitalize on their activity: it doubles their financial gain in one attack.
It’s also important to note that threat actors will target the same business more than once, especially if ransom is paid. It’s always about cost-effectiveness when it comes to paying ransom, but there are consequences to doing so. Keep in mind that whether it’s a double, side-by-side or repeat attack, once someone pays the ransom and is in it, they are more likely to pay again to get out of it because of the sunk cost fallacy.
Businesses should remember that even if they do pay the ransom, which goes against everything law enforcement says to do, they still need to contact the authorities and report the attack. Law enforcement needs to know about attacks so they can spot trends and make other businesses aware.
Make sure your business is prepared: bring in an expert to review your security protocols and ensure you are properly using your cloud services. Have them analyze your backup system and make sure that critical information is regularly backed up and secured, and have them review your incident response to ensure all steps are covered.