In examining the way ransomware has evolved over the past couple of years, we can undoubtedly predict that data exfiltration will increase and evolve as we move forward. We’re seeing ransomware groups, nation states, and even individual bad actors exploit stolen data in new and sophisticated ways. And these new attacks are exposing gaps in the traditional security stack. Ransomware readiness today needs to go beyond perimeter defenses and backup/recovery plans to include tools to detect and block an attack in progress, and actively combat the new generation of data exfiltration attacks.
What is Double Extortion?
A double extortion attack, sometimes referred to as an exfiltration ransomware attack, is commonly one in which data, or a copy of the data, is stolen from an organization or individual and used as leverage against the victim for monetary gain. In most cases, the hacker threatens to publish the stolen data unless a ransom is paid. Since the first reported double extortion case emerged in 2019,1 we’re now seeing this tactic exploited in over 83% of reported cases2 and expect it to climb even further in 2023.
At Calamu, we saw the threat of data exfiltration as a turning point that could not be ignored. The tactic has proven to be a boon for cyber criminals as the threat of published data provides a strong incentive to pay the ransom, and pay big. Beyond the monetary gains, stolen and published data has further security implications that we’re starting to see take shape.
How Does Double Extortion Expose a Security Gap?
Until double extortion attacks emerged just a couple short years ago, ransomware protection included network perimeter defenses such as firewalls and endpoint security that were intended to keep malware out. If the perimeter was breached, backup and recovery solutions could be relied upon to recover the data and ensure business continuity. Immutable backups went a step further to ensure that the data in the backup environment could not be wrongfully manipulated or altered in any way. This solution worked well against ransomware 1.0 attacks in which primary data was encrypted and held for ransom. However, all bets are off when the data is stolen out of the storage environment, or the backup repository itself is targeted for exfiltration. Successfully exfiltrated data can be used as a weapon against the organization. While the backup can still offer an important safety net, it cannot stop the leaked data from being exposed or published. Due in part to this gap, ransomware groups have been able to successfully grow their payload amount by 71%.3 Today’s ransomware solutions need to solve for the exfiltration element which is quickly growing in sophistication and severity.
Double Extortion Threatens Public Safety and Health
The most common forms of ransomware target files or databases that contain large sets of personally identifiable information, PII. This type of data is an attractive target because it typically impacts a large number of parties beyond the targeted organization, includes information that can be used for financial fraud and thus can fetch a high price on the dark web, and has the ability to shake the trust and credibility of the victimized organization who allowed the data to be stolen. Similarly, intellectual property is an attractive target. Organizations have been willing to pay big ransoms to keep their stolen source code or trade secrets from leaking. Last year, ransomware gang Lapus$ even demanded chip maker Nvidia publish its GPU drivers as open source in addition to paying the ransom.4 We expect to see intellectual property attacks continue to grow as we move into 2023.
Yet while theft of PII and intellectual property can wreak havoc for companies and individuals, it is the attacks on critical infrastructure and healthcare that threaten health and human safety and thus provide the biggest cause for concern. Over the past year we saw a ramp up of attacks targeting healthcare such that the ransomware is now linked to test and procedure delays and even an increased mortality rate.5
In addition, ransomware that targets critical infrastructure for blueprints, schematics and program logistics have even further reaching security implications. This data can offer a guideline for physical security attacks that can cut utilities and public services like power to communities with deadly consequences.6 As recent attacks on utilities have proven, critical infrastructure will be a key ransomware target in 2023, and it is now more important than ever to protect against data theft and exfiltration ransomware to prevent such far reaching consequences.
Double Extortion Centers on Reputational Damage
In tracking the ways double extortion ransomware is evolving, we’re also seeing a slight transition in intent. Typically, a ransomware group will exfiltrate PII data and threaten the victim to pay a ransom to keep the data from being published. Yet a recent shift shows that some ransomware groups are now studying that stolen PII and using it to threaten reputational damage – both against the organization it was stolen from and against the individual. They are upping the game and threatening to not just leak it on the dark web but to also send copies to the victims’ partners, competitors, friends, and the press.7 While the goal remains the same: receive payment to keep the data private, the goal to inflict as much reputational damage as possible is indicative of how ransomware is shifting in 2023. The brazen cruelty suggests an increase in confidence levels to both infiltrate the victims’ network and evade consequences.
How to Prepare for Increased Double Extortion Ransomware Attacks
With double extortion ransomware firmly established as a common cyber threat, cybersecurity tools and data storage practices need to evolve to keep pace. It is no longer enough to secure the network perimeter and rely on backup data to recover when the defenses fail. The goal for 2023 and beyond is to maintain the integrity of the data, even if the perimeter fails, and ensure it remains safe to its rightful owners. Luckily the industry has recognized this need and responded. Cyberstorage, a category recently coined by Gartner for their Hype Cycle report,8 is a layer of security that merges high-performance security features with the data storage and processing environment to protect it at the data level and block an attack as it is happening. Today’s organizations need tools that not just attempt to stop ransomware from getting in but actually thwart an attack in progress. And as the cyberstorage category is expected to grow by 6x over the next three years, 2023 is prime time to take part in the growing trend.
Ready to prepare for 2023 with data-first cyberstorage? Click below to schedule a custom demo with our export.