Double extortion attacks resulting in substantial enterprise disruption
Sophisticated double-extortion attacks targeting essential industries are causing considerable business disruption, a new report has found.
The Ransomware Report from cloud security company Zscaler features analysis of key ransomware trends and details about the most prolific ransomware actors, their attack tactics and the most vulnerable industries currently being targeted.
The Zscaler ThreatLabz embedded research team analysed over 150 billion platform transactions and 36.5 billion blocked attacks between November 2019 and January 2021 to identify emerging ransomware variants, their origins, and how to stop them.
The report also outlines a growing risk from double-extortion attacks, which are increasingly being used by cybercriminals to disrupt businesses and hold data hostage for ransom.
Deepen Desai, CISO and VP of Security Research at Zscaler, says that over the past few years the ransomware threat has become increasingly dangerous, with new methods such as double extortion and DDoS attacks making it easy for cybercriminals to sabotage organisations and do long-term damage to their reputation.
“Our team expects ransomware attacks to become increasingly targeted in nature, where the cybercriminals hit organisations with a higher likelihood of ransom payout,” he says.
“We analysed recent ransomware attacks where cybercriminals had knowledge of things like the victim’s cyber insurance coverage as well as key supply-chain vendors, bringing them into the crosshairs of these attacks,” Desai says.
“As such, it is important for businesses to better understand the risk ransomware represents and take proper precautions to avoid an attack.
“Always patch vulnerabilities, educate employees on spotting suspicious emails, back up data regularly, implement a data loss prevention strategy, and use zero trust architecture to minimise the attack surface and prevent lateral movement.”
According to the World Economic Forum 2020 Global Risk Report, ransomware was the third most common, and second most damaging, type of malware attack recorded in 2020.
With payouts averaging US $1.45M per incident, Desai says it is not hard to see why cybercriminals are increasingly flocking to this new style of high-tech extortion.
“As the rewards that result from this type of crime increase, risks to government entities, company bottom lines, reputation, data integrity, customer confidence, and business continuity also grow.”
According to the company, Zscaler’s research supports the narrative recently established by the U.S. federal government, which classifies ransomware as a national security threat, underscoring the need to prioritise mitigation and contingency measures when defending against these ongoing threats.
Double-Extortion – the New Favoured Tactic
In late 2019, ThreatLabz observed a growing preference for double-extortion attacks among some of the more active and impactful ransomware families. These attacks are defined by a combination of unwanted encryption of sensitive data by malicious actors and exfiltration of the most consequential data to hold for ransom.
Affected organisations, even if they are able to recover the data from backups, are then threatened with public exposure of their stolen data by criminal groups demanding ransom.
In late 2020, the team found that this tactic was further augmented with synchronised DDoS attacks, overloading victims’ websites and putting additional pressure on organisations to cooperate.
According to Zscaler ThreatLabZ, many different industries have been targeted over the past two years by double-extortion ransomware attacks.
The most targeted industries include the following:
- Manufacturing (12.7%)
- Services (8.9%)
- Transportation (8.8%)
- Retail & wholesale (8.3%)
- Technology (8%)

Over the last 12 months, ThreatLabz has identified seven families of ransomware that were encountered more often than others.
The report discusses the origins and tactics of the following top five highly active groups:
Maze/Egregor: First encountered in May 2019, Maze was the ransomware most commonly used for double-extortion attacks (accounting for 273 incidents) until it apparently ceased operations in November 2020. Attackers used spam email campaigns, exploit kits such as Fallout and Spelevo, and hacked RDP services to gain access to systems, and successfully collected large ransoms after encrypting and stealing files from IT and technology firms. The top three industries Maze targeted were high-tech (11.9%), manufacturing (10.7%), and services (9.6%). Maze notably pledged not to target healthcare providers during the COVID-19 pandemic.
Conti: First spotted in February 2020 and the second most common attack family, accounting for 190 attacks, Conti shares code with the Ryuk ransomware and appears to be its successor. Conti uses the Windows Restart Manager API before encrypting files, releasing locks held on open files and so allowing it to encrypt more files as part of its double-extortion approach. Victims that won't or cannot pay the ransom have their data regularly posted on the Conti data leak site. The top three industries most impacted are manufacturing (12.4%), services (9.6%), and transportation services (9.0%).
Doppelpaymer: First seen in July 2019, with 153 documented attacks, Doppelpaymer targets a range of industries and generally demands large payouts – in the six and seven figures. Initially infecting systems with a spam email that contains either a malicious link or a malicious attachment, Doppelpaymer then downloads Emotet and Dridex malware onto the infected systems. Doppelpaymer's top three most targeted industries were manufacturing (15.1%), retail & wholesale (9.9%) and government (8.6%).
Sodinokibi: Also known as REvil and Sodin, Sodinokibi was first observed in April 2019, and has been encountered with increasing frequency, with 125 attacks. Similar to Maze, Sodinokibi uses spam emails, exploit kits, and compromised RDP accounts, as well as regularly exploiting vulnerabilities in Oracle WebLogic. Sodinokibi began using double-extortion tactics in January 2020 and had the biggest impact on transportation (11.4%), manufacturing (11.4%), and retail/wholesale (10.6%).
DarkSide: DarkSide was first observed in August 2020 after putting out a press release advertising its services. Using a Ransomware-as-a-Service model, DarkSide deploys double-extortion tactics to steal and encrypt data. The group is public about its targeting manifesto, stating on its website that it does not attack healthcare organisations, funeral services, education facilities, non-profit organisations, or government entities. Instead, its primary targets of choice are services (16.7%), manufacturing (13.9%) and transportation services (13.9%). Similar to Conti, those that can’t pay the ransom have their data published on the DarkSide leak site.