Blog

Double Extortion – Ransomware at Another Level

posted by: Paula Boyden date: Nov 30, 2020 category: All, Expert Explanations comments: 0

The first Ransomware attack was launched in 1989 by Evolutionary biologist Dr. Joseph L. Popp. He infected 20,000 floppy disks with the Trojan AIDS (or AIDS Information Introductory Diskette) and mailed them to participants of the World Health Organization’s AIDS conference in Stockholm. The disks contained a survey that was designed to find out if someone could be infected with AIDS or not.  Once the program was activated, it would sit quietly on the infected machine until the computer had been rebooted 90 times and after that it would execute its payload. The outcome was an extortion attempt, on the infected computer, claiming to be a legitimate license renewal. It would only allow that computer to be unlocked if a payment of USD $189 was made to a nominated account with remittance forwarded to a listed email address. It was a Ransomware 101 attack that aimed to haul in as much cash as possible from infected users. This is a pretty effective tactic, because the ransom amount is low enough that some affected users would probably just pay it, but it’s not so high that they’d go and seek help from an expert to solve the problem. Ultimately though, the infection didn’t have good encryption, and once security analysts were onto it, they decrypted it pretty quickly and put protections in place for end users.

Image 1: The AIDS request for payment. Source: Wikipedia

 

 

 

 

 

 

 

It was many years before smarter ransomware attacks started appearing and these were launched on a much larger scale.  The use of RSA keys (to encrypt data) was a common feature of ransomware in 2005, and in 2006 the Trojan Archiveus was brought to life. Users were told they had to buy items from a particular website to get the password to decrypt their files.  By May 2006, the password had been cracked. In 2008, Bitcoin arrived on the scene and attacks ramped up, because it was so easy to use digital currency to blackmail victims. Over the years, ransomware has become more and more complex and new types of attacks have started to pop up, like Leakware and Double Extortion.

In the beginning, a ransomware attack only involved encrypting the data and blocking the victim from accessing it until the ransom was paid. Payment was not always a guarantee of getting the data back though. For Leakware attacks, data encryption is not the goal. Instead, a threat is made to release the data on the Internet if the ransom is not paid. In attacks using Double Extortion, the files are encrypted, and if the ransom is not paid, the files are released to the public. It’s a double-whammy extortion, and lots of companies have been targeted with this new method. These companies have a few options.  They could: a) report the attack (which could damage their reputation anyway); b) decide to pay the ransom (to stop their data from being released – although there’s no guarantee); or c) not pay the ransom, but use other methods to try to recover their systems. The danger with this option is, even though it may be cheaper than paying the ransom, the company could still pay a high price if their files go public and their brand (as well as staff and clients) are dragged through the mud.

 

The First Attack

The first reported Double Extortion attack targeted Allied Universal, a leading security and facility services company.  They were hacked in 2019 by the Maze group and had to pay 300 bitcoin – roughly USD $2.3 million – to decrypt their entire network.

The hacker group broke into the Allied Universal network, stole important company files, installed the ransomware on the network and gave the company a deadline to pay the ransom. The Allied Universal was told that if the ransom was not paid, they would leak a small part of the data (which they did – almost 700 MB) to prove they had access to the files and to increase the pressure. The 700MB was released via a link on a Russian forum, and they hiked up the value for the remaining data by 50%, to a staggering $3.8 million dollars. Allied Universal decided not to pay the ransom, so as promised, the Maze hackers released the data to the public.

 

How a Double Extortion Attack Works

Double Extortion attacks are different to other ransomware attacks and are generally well-planned and executed. Instead of using a Trojan in a large-scale campaign, Double Extortion attacks target a particular company, hacking their infrastructure and systems, extracting their files (to use as leverage) then encrypting their network and/or devices, before demanding a ransom in cryptocurrency.  If the ransom is not paid, the stolen data is leaked to the public.

But the Maze group are not the only ones targeting companies with double extortion ransomware. Other hacker groups are also part of the mix, such as DoppelPaymer, Clop, Sodinokibi and others, as shown below:

Image 2: DoppelPaymer’s website

 

 

 

 

 

 

Image 3: Clop’s website

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Image 4: The Happy Blog – Sodinokibi’s website

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

The Happy Blog also has an “Auction” option, where part of the data can be won in a bet with a minimum starting price:

Image 5: The Happy Blog Auction

 

 

 

 

 

 

 

 

 

 

If the ransom is not paid, the data goes public.

Image 6: The Happy Blog – Data leak from Elsa LLC

 

 

 

 

 

 

 

Attack Vectors

Hacker groups do their research and plan every detail of an attack, right down to who is targeted and how the attack is carried out. They quite often scan a company’s servers to detect possible vulnerabilities, such as Remote Desktop Protocol (RDP), system and application vulnerabilities (where patches are not up-to-date), Zero Days and misconfiguration. They also use phishing, with social engineering, to trick users into opening and executing files or visiting fake websites, where credentials are then stolen.

It is extremely important that systems and software are always kept up-to-date with the latest software updates, that security settings and policies are installed on servers and end-user machines, and that all users are trained on how to recognise a possible cyber-attack.

A Recent Attack by Maze

In September 2020, the school systems in Fairfax County, Virginia, USA, were compromised by Maze, in a series of attacks against all levels of the education system, from Kindergarten to 12th Grade. The terrible timing of this, being at the start of the school year, and during the Coronavirus Pandemic, has put extra pressure on students, teachers and everyone involved. The case is currently under investigation with the FBI, to identify the extent of the damage, as well as the nature and scope of the attack.

Comments are closed.