Security researchers outlined a new ransomware trend that they have been observing – triple extortion.
According to Check Point’s latest ransomware report, ransomware operators are now relying on so-called triple extortion, in which they demand ransom payments from the victim’s customers, partners, and other third parties related to the initial attack.
How Has Ransomware Changed Throughout 2020 and 2021?
“The success of double extortion throughout 2020, most notably since the outburst of the Covid-19 pandemic, is undeniable. While not all incidents – and their results – are disclosed and published, statistics collected during 2020-2021 reflect the prominence of the attack vector,” the researchers noted.
In 2020, the average ransom payment increased by a staggering 171%, which equals approximately $310,000. More than a thousand companies had their data leaked after refusing to pay, and 40% of newly discovered ransomware families added data infiltration to their attack arsenal.
“As the numbers reflect a golden attack technique, which combines both, a data breach and a ransomware threat, it is clear that attackers are still seeking methods to improve their ransom payment statistics, and their threat efficiency,” Check Point explained.
The Triple Extortion Ransomware Trend
In short, triple extortion is an expansion of the double extortion technique that adds a further threat to the process (hence the name). The first ransomware attack that illustrates the technique took place in October 2020. The Finnish Vastaamo clinic had its internal systems accessed and the data of its 400 employees and approximately 40,000 patients stolen.
“The extortionist, who went by the name ‘RANSOM_MAN,’ claimed they would publish the data of 100 people each day onto their own Tor file server until they received the bitcoin from Vastaamo. As the company resisted, ‘RANSOM_MAN’ published the personal data of 300 people, including various public figures and police officers,” Wired wrote in an article detailing the devastating attack. In addition, the ransomware operator demanded smaller amounts of money from the clinic’s patients. The Vastaamo attack is the first of the triple extortion kind.
Then, in February this year, the REvil/Sodinokibi gang announced that they had added two stages to their regular ransom scheme: DDoS attacks and phone calls to the victim’s business partners and the media. Notably, the REvil group is now offering DDoS services and voice-scrambled VoIP calls to journalists and colleagues of victims as a free service added to its RaaS package. This technique aims to increase the chances of ransom payments within the given deadline.
“Third-party victims, such as company clients, external colleagues and service providers, are heavily influenced, and damaged by data breaches caused by these ransomware attacks, even if their network resources are not targeted directly,” Check Point added.
The Colonial Pipeline Attack
The most devastating attack registered so far this year is the one against Colonial Pipeline. News reports recently indicated that Colonial Pipeline paid a ransom of $5 million to the DarkSide ransomware collective. The attack also created volatility in fuel prices on the East Coast. Once the ransom was paid, the DarkSide operators provided the company with a decryption tool to bring its disabled computer network back to life. However, the tool was so slow that Colonial Pipeline had to use its own backups to help restore the system, a person close to the company’s efforts said.