Though we may be stuck with endless COVID-19 scams and a gradual visible rise in all manner of cryptocurrency hijinks, the old school attacks are as perilous as ever; CISA, the Cybersecurity & Infrastructure Security Agency, have released their 2021 report detailing the increasing globalised threat of the ransomware menace.

It covers a lot of ground, but many of the main findings won’t come as any surprise to those dealing with attacks over the last few years. Some of the more familiar efforts in the attack pipeline include:

  • Phishing and stolen RDP credentials used to break into networks and then fire up the ransomware cannon
  • Moving away from “big game” targets in order to go after much smaller ones. This keeps defenders with small security budgets on their toes, and also perhaps contributes to ransomware groups sailing under the radar. Nothing generates heat faster than major international attacks and lots of police involvement.
  • Attacking Managed Service Providers (MSPs). This allows Ransomware authors to potentially take down several targets at once, should they manage to compromise the MSP.

Attacking the cloud is also popular. Not just because many instances of cloud applications are vulnerable to exploits, but also because a lot of businesses have their backups in the cloud, too. Your corporate backup plan in case of a ransomware attack won’t help if threat actors manage to encrypt all of the backups.

These are some of the techniques and strategies we’ve all come to see and also expect. But what else are they getting up to?

The triple threat

One of the most interesting parts of the report is the shift in how ransomware authors demand money, and also how they receive it. The days of the standard “Your PCs are encrypted, give us X amount in Bitcoin or you don’t get your files back” are no longer how everyone does it. The CISA summary highlights a type of ransomware attack that’s been growing in popularity for a while now:

Diversifying approaches to extorting money. After encrypting victim networks, ransomware threat actors increasingly used “triple extortion” by threatening to (1) publicly release stolen sensitive information, (2) disrupt the victim’s internet access, and/or (3) inform the victim’s partners, shareholders, or suppliers about the incident. The [Australian Cyber Security Centre] continued to observe “double extortion” incidents in which a threat actor uses a combination of encryption and data theft to pressure victims to pay ransom demands.

Not just regular extortion, or double extortion, but triple extortion! Telling everyone how badly you got it wrong, doubling down on shame and embarrassment, is going to have an impact. They’re plugging into the fear of the “big reveal” in a way that makes organisations fail to disclose ransomware incidents, or even wire fraud or anything else for that matter.

Ransomware authors in the driving seat

Triple threat extortion attempts featured heavily in the news halfway through last year. Any hopes they may have become a passing phase seem to be sadly mistaken.

As the years pass, so too does the threat escalation. Informing people and organisations you know, or work with, is one final insult. It’s the sextortion panic technique applied to the business environment. There’s nothing to stop the ransomware authors from doing what they want after getting onto the network, so why not? It’s win-win for them, which makes it essential to ensure they don’t ever get that far.

There is no end to ransomware attacks, or the type of data leaked via double or triple threat extortion. Here’s one such double-hitter from last Friday, and you can bet there’s a lot more happening this very second. One wonders what the quadruple-threat ransom will bring…