CyberCube - Cyber Insurance Analytics

Ransomware and the “Double-Dipping” Trend

Written by Darren Thomson | Jul 15, 2020 1:36:41 PM

I was recently conducting my daily scour of the dark web and the various cyber-security-oriented media outlets when I stumbled across an article discussing current ransomware trends on the excellent “Krebs on Security” blog. The article referred to a recent trend in advanced, enterprise-grade ransomware in which confident cyber criminals (and they are confident right now, having demonstrated very clearly that enterprise-class ransomware attacks are both possible and lucrative) stage attacks that demand not one but two ransom payments. Intrigued, I thought I would dig a little deeper to see what I could find…

Traditionally, ransomware attacks have either targeted individual computer users (normally demanding less than $1,000) or, more recently, corporations (often demanding hundreds of thousands or even millions of dollars). The typical ransomware model has been that payment of the ransom buys a decryption key that releases the data from its encrypted state and spares the victim the disruption of rebuilding from backups. Under that model, an organisation with tested, offline backups could in principle decline to pay and recover on its own.

More recent ransomware attacks, such as the “Maze” attacks of 2019, have started to do more than just encrypt data. Criminals now copy the targeted data out of the victim’s network (“data exfiltration”, in cyber security parlance) before encrypting it in situ. This gives the criminal two levers: an initial ransom demand in return for a decryption key, and a second, separate demand to ensure that the copied data is not published or sold. Critically, good backups answer only the first demand; nothing the victim does on its own network retrieves the copy the attacker already holds. Clever, eh?

Of course, victims of ransomware attacks, however sophisticated the attack, have never had any guarantee of seeing their data again once a ransom is paid. Some past campaigns have delivered working decryption as promised; others have not, and some were so badly written that they were never capable of decrypting anything in the first place. With these new “double-dipping” attacks we should assume that the same dynamics apply, and note that a criminal’s promise to delete the stolen copy is even less verifiable than a promise to decrypt: a victim can at least test a decryption key, but can never confirm that a copy of its data has been destroyed. Any such promise should be met with fundamental distrust.

An example of a “double-dipping” attack occurred in 2019 at Allied Universal, an American security services and staffing company. When Allied Universal refused to pay the ransom demanded by the Maze operators (approximately US $2.3 million), the attackers published a sample of the stolen data and threatened to use sensitive information extracted from Allied Universal’s systems for a spam campaign impersonating the company. The “second dip” here was a fresh, larger ransom demand, reported at the time as around 50 percent higher than the original.

As somebody who spends a significant amount of time thinking about information security, I find the “data exfiltration” trend unsettling. When my data is encrypted by a criminal, I will either manage to decrypt it or I won’t… but at least I know where it is (still sitting on a storage device of my choosing, possibly in an unusable state). Once my data has been spirited away by my attackers and is held as a copy, it is effectively being held hostage indefinitely. This is a very uncomfortable position for an individual, let alone for a corporation subject to data protection regulation, where a confirmed exfiltration can trigger breach-notification obligations and regulatory penalties on top of the financial and customer-trust damage.

Insurers should make sure that cyber-oriented staff are fully briefed on this trend so that they can advise customers appropriately and so that insurance products can be properly priced and managed. In particular, the loss model for a double-extortion event is no longer just business interruption plus a possible ransom payment: it also carries the costs of a data breach (forensics, notification, regulatory exposure and liability), even where good backups make the decryption demand moot. I think it is reasonable to expect that this trend, together with the general move towards targeting corporations, will increase the severity and impact of ransomware losses in the months and years to come.