The rise of double-extortion ransomware

Gone are the days when adversaries had to sift through hundreds of lines of code to penetrate a network. Today’s bad actors don’t break in; they log in.

More than 24 billion username and password combinations are currently available on cybercrime marketplaces. By using valid credentials, threat actors can log in and move laterally across a network to reach data stores. Under the guise of legitimate users, attackers can easily break into organizations of all sizes. Worse, these types of attacks often go undetected.

Once they enter your systems, malicious actors often rely on a tactic known as double extortion—a type of ransomware attack that increased by 120% in the last year. Double extortion is a two-step attack in which the attacker encrypts the data and exfiltrates it as additional leverage.

In the past, malicious hackers would encrypt important data and demand ransom in exchange for the key. If a security or IT team had previously backed up their data, they would simply need to restore their backups. But today, double-extortion means that attackers not only destroy the data inside your system but also exfiltrate it and threaten to sell or expose it. Simply leveraging a backup is not enough in these cases.

Protecting your data from double extortion takes a two-faceted, cyber-resilience approach to data security. In addition to preventative measures to protect against inevitable cyber attacks, it’s important that security and data governance teams have a strategy for resilience and recovery.

What is double-extortion ransomware?

Double-extortion ransomware signifies a particularly menacing form of cyber threat. Unlike conventional ransomware attacks that merely encrypt a victim’s data, double-extortion ransomware takes an extra threatening step. With this type of attack, cybercriminals not only lock away the victim’s data but also steal it. This dual-pronged approach provides the attacker with increased leverage for demanding ransom, making it a highly formidable threat across various sectors. The danger lies in the dual risk of losing access to crucial data and the potential exposure of confidential information.

Due to double-extortion and similar threats, half of organizations have lost data.

How does double-extortion ransomware work?

Double-extortion ransomware operates in a two-fold process that amplifies the threat for its victims. Initially, cybercriminals infiltrate the victim’s network using a variety of techniques, such as phishing emails or brute-forcing weak passwords.

Once inside, they don’t immediately activate the ransomware to encrypt files. Instead, these malicious actors first exfiltrate crucial data from the network. This could include sensitive data like customer records, financial information, intellectual property, or anything else of value.

Following data theft, attackers then initiate the second phase of their attack, deploying ransomware to encrypt the victim’s files. This leaves the victim unable to access their own data.

Victims are then faced with a double threat: they must regain access to their encrypted files, and they must prevent the stolen data from being leaked publicly, sold on the dark web, or used for other nefarious purposes. The cybercriminals demand a ransom, usually in cryptocurrency, for both the decryption key and the promise not to disclose the stolen data.

It’s this combination of data encryption and data theft that gives “double-extortion” its name and makes it a particularly dangerous form of cyber attack.

How double-extortion ransomware affects today’s cloud-based businesses

The modern enterprise produces massive amounts of valuable data each day. This data is spread out across different departments, locations, cloud regions, and SaaS applications. Since we live in the age of data democratization, organizations aim to have their data accessible to all employees who need it plus relevant third-party vendors and contractors.

Because of data democratization and today’s cloud-based business model, it’s becoming increasingly difficult for IT and security teams to keep track of all of the data on a network. Developers and data scientists are continually spinning up new data stores and constantly moving, changing, or duplicating sensitive data—often without security and IT’s knowledge. This enables users to disperse sensitive data across several stores (often unintentionally) and increases the number of users who can access them.

The constantly shifting cloud landscape significantly widens the attack surface, and makes it easier for bad actors to conduct double-extortion ransomware, misuse user credentials, breach cloud storage, and ultimately exploit the organization’s sensitive data and unknown or “shadow” data. When an attacker successfully steals data, businesses can face numerous financial, reputational, and legal consequences.

According to Rubrik’s Ransomware in Focus study, CISOs are concerned about ransomware—including double-extortion ransomware—for a few reasons, such as:

  • Exposure of sensitive data
  • The hard cost of recovering and restoring operations after a successful ransomware attack
  • Loss of revenue from operational disruption
  • Damage to brand reputation

Because ransomware causes significant business impacts, most CISOs consider it their most serious threat.

Shifting mindset: from cyber-prevention to cyber-resilience

To respond to double-extortion ransomware, businesses must think about cybersecurity differently.

Traditional cybersecurity approaches focus on preventative measures, such as patching vulnerabilities and misconfigurations, fixing anomalies, and keeping out unauthorized network users. However, today’s threat actors typically leverage minor errors that “slip through the cracks” in an ephemeral cloud environment.

For instance, an employee with access to sensitive data might fall for a phishing scheme and reveal their credentials. Or a developer trying to solve a quick problem might have accidentally copied confidential information into a public S3 bucket and forgotten to delete it later.

Simply preventing attackers from entering your system isn’t enough. Today’s businesses must also prepare as though a security incident will happen. They must plan a course of action to safeguard their data from an intruder and restore their operations as soon as possible.

“We need to reframe the discussion, saying, prevention is important, but just relying on prevention is failure to plan. We need to have a strategic cyber defense initiative, which assumes that attacks are inevitable.” – Rubrik CEO Bipul Sinha

A multi-faceted approach to cyber-resilience

Building up cyber-resilience against double-extortion attacks takes a multi-faceted approach: preparing to respond to data deletion with robust data protection and cyber recovery capabilities, and preventing data theft with data security posture management (DSPM).

Rubrik Security Cloud enables data protection and recovery with air-gapped, immutable, and access-controlled backups and recovery workflows in the case of a successful breach. In addition, Laminar Security, a Rubrik company, provides a DSPM solution for data security best practice enforcement, data threat detection, and data observability. The Laminar Platform can help you:

  1. Eliminate Redundant Data: Laminar assists organizations in identifying and removing redundant data. Eliminating redundant data minimizes the risk of data breaches by reducing the attack surface of your environment and decreasing the amount of sensitive data you have to monitor and protect.
  2. Enforce Least Privilege with DAG: Laminar’s platform enforces the principle of least privilege, which is paramount to reducing the risk associated with overly broad access permissions. DAG reduces exposure and limits the fallout from data leaks by controlling user and machine access to sensitive data, ensuring adherence to the least privilege principle. This ensures that users and systems only have the permissions necessary to perform their tasks, thereby enhancing overall data security.
  3. Minimize Damage with Data Detection and Response (DDR): Equipped with advanced threat detection capabilities, Laminar’s platform can swiftly identify potential data threats like anomalous data access and suspicious activities. Employing a DDR approach, it alerts organizations about possible breaches in real time, enabling them to contain threats quickly and minimize potential damage.
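
As an added defensive illustration (not Rubrik or Laminar code), the following Python flags principals whose reads from sensitive data stores spike inside a short window: the exfiltration-before-encryption pattern from the two-phase attack described earlier, and the kind of anomalous data access item 3 refers to. The log format, store names, sample lines, window and byte threshold are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, simplified access-log lines (not any vendor's real format):
# "<ISO timestamp> <principal> <operation> <store> <bytes>"
SAMPLE_LOG = """\
2024-05-01T09:00:05Z alice GET customer-db 12000
2024-05-01T09:03:10Z alice GET customer-db 8000
2024-05-01T09:05:00Z svc-report GET customer-db 500000
2024-05-01T09:06:00Z svc-report GET customer-db 600000
2024-05-01T09:07:00Z svc-report GET finance-share 700000
2024-05-01T09:08:00Z svc-report GET customer-db 900000
2024-05-01T09:09:00Z bob PUT scratch-bucket 30000
2024-05-01T11:00:00Z svc-report GET customer-db 400000
"""

# Assumed classification of which stores hold sensitive data (from a DSPM inventory).
SENSITIVE_STORES = {"customer-db", "finance-share"}
LINE_RE = re.compile(r"^(\S+) (\S+) (GET|PUT|DELETE) (\S+) (\d+)$")

def parse_log(text):
    """Parse log lines into (timestamp, principal, op, store, bytes) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than crash the detector
        ts, principal, op, store, nbytes = m.groups()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       principal, op, store, int(nbytes)))
    return events

def find_bulk_readers(events, window=timedelta(minutes=10), threshold=1_000_000):
    """Return {principal: peak_bytes} for principals whose GETs from sensitive
    stores exceed `threshold` bytes within any sliding window of `window`."""
    reads = defaultdict(list)
    for ts, principal, op, store, nbytes in sorted(events):
        if op == "GET" and store in SENSITIVE_STORES:
            reads[principal].append((ts, nbytes))
    flagged = {}
    for principal, items in reads.items():
        start, total = 0, 0
        for ts, nbytes in items:
            total += nbytes
            while ts - items[start][0] > window:  # drop reads outside the window
                total -= items[start][1]
                start += 1
            if total > threshold:
                flagged[principal] = max(flagged.get(principal, 0), total)
    return flagged
```

In the sample, only svc-report crosses the threshold (2.7 MB read from sensitive stores in under ten minutes); alice's small reads and bob's write to a non-sensitive store are ignored.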

Together, Rubrik and Laminar provide organizations with the support they need to respond to real-time attacks and get back up and running as soon as possible.

Ready to Take the Next Step Toward Cyber-Resilience?

Learn more about how DSPM supports proactive cyber-resilience and empowers businesses to keep their sensitive data safe.