Ransomware Gangs Adopt Triple Extortion Tactics

Following on from the DarkSide ransomware attack on Colonial Pipeline, several ransomware threat actors have ceased activity or have implemented rules that their affiliates must follow, including banning all attacks on critical infrastructure firms, healthcare organizations, and government organizations.  Some popular hacking forums are distancing themselves from ransomware and have banned ransomware groups from advertising their RaaS programs. However, there are many threat actors conducting attacks and not all are curbing their activities. It remains to be seen whether there will be any reduction in attacks, even in the short term.

So far in 2021, attacks have been occurring at record levels, with the healthcare and utility sectors the most targeted. An analysis of attacks by Check Point Research found that since the start of April 2021, ransomware attacks have been occurring at a rate of around 1,000 per week, with a 21% increase in impacted organizations in the first trimester of 2021 and 7% more in April.

The number of attacked organizations is up 102% from the corresponding period in 2020 and in April 2021, an average of 109 ransomware attacks were reported by healthcare organizations every week, with 59 attacks per week on the utilities sector and 34 in legal/insurance. Ransom payments have also increased and are up 171% from the same time last year, with the average payment now $310,000.

Since early 2020, ransomware threat groups have been using double extortion tactics to increase the probability of victims paying the ransom. Instead of simply encrypting files and demanding payment for the keys to decrypt data, prior to data encryption, the attackers exfiltrate any sensitive data they can find. Threats are then issued to publish the data if payment is not made.

Now, a new tactic has been detected by researchers at Check Point – triple extortion attacks. As with the double extortion tactics of breaching a healthcare network, exfiltrating data, and demanding a ransom for the keys to decrypt files and prevent the sale or publication of stolen data on leak sites, some threat groups are also targeting individuals whose data has been stolen. They too are issued with a ransom demand to prevent their personal and health data from being sold or put in the public domain.

This tactic has been observed since late 2020 and has continued to gain traction in 2021, with the first known case affecting the Vastaamo Clinic in Finland in October 2020. In that case, the attackers stole large amounts of data and issued ransom demands to the clinic and patients, with the latter including a threat to publish their psychotherapy notes if they failed to pay to prevent the data leak.

While the REvil ransomware operation did not issue demands for payment from individuals, their tactics have included contacting individuals by telephone to alert them to the attack to pile on the pressure on the breached entity to pay up.

“We can only assume that creative thinking and a wise analysis of the complex scenario of double extortion ransomware attacks have led to the development of the third extortion technique,” explained Check Point Research. “Third-party victims, such as company clients, external colleagues and service providers, are heavily influenced, and damaged by data breaches caused by these ransomware attacks, even if their network resources are not targeted directly… Such victims are a natural target for extortion, and might be on the ransomware groups’ radar from now on.”

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.