Ransomware Attackers Turn to Double Extortion

This post first appeared on Risk Management Magazine. Read the original article.

Last fall, clients of Finnish psychotherapy services
provider Vastaamo were personally blackmailed after a data breach of the firm’s
medical records. The attacker stole thousands of records after breaching
Vastaamo in 2018, returned to steal more in 2019, and then tried to turn the
data breach into profit in September 2020. Attempting to extort the center into
paying a ransom, the hacker leaked the data of 300 patients, and demanded
payment in bitcoin to prevent exposure of up to 40,000 more patients’
information. The hacker then tried to blackmail individual patients directly,
threatening to expose documents containing everything from personal identity
codes to therapy session transcripts if they did not pay a few hundred euros’
worth of bitcoin.

“With up to tens of thousands of clients now concerned about
the availability of their sensitive, personal data on the dark web, this is one
of the most disturbing examples of gross misuse of patient records in recent
history,” said Adam Bangle, vice president for Europe, the Middle East and
Africa at BlackBerry. “The health care industry appeals to hackers due to the
nature of the data it handles, the amount of internet of things devices
collecting sensitive data, the continued use of insecure, legacy devices and
the fact that IT and security teams in the health sector lack the resources to
deal with the modern threat landscape. Sadly, ransomware and information
stealers are the most common type of malware used against the healthcare
sector.”

While the Vastaamo case is notable and unusual in that the attacker
extorted both the organization and its clients, another form of
double extortion has grown far more common over the past two years, combining
ransomware and information theft in attacks against health care organizations
and other sensitive industries. Looking to secure payments and increase
profits, a growing number of cybercriminals are launching two-phase attacks
that pair data exfiltration with ransomware deployment. Cybersecurity experts
refer to such attacks by a number of terms, including “double extortion,” “name
and shame” and “encryption+exfiltration.”

Many ransomware attackers who get into enterprise systems
just use their ability to disrupt the organization’s access to data or systems
or threaten data destruction in the event of nonpayment, but some are now
delving into that data and leveraging sensitive information, threatening to
publish it online if victims do not pay up.

“These days, the criminals don’t just squeeze you to pay up
for the decryption key to unscramble your whole network and get your business
going again. They also menace you to pay for their ‘cooperation’ in deleting
the data they stole instead of leaking it to the world, or auctioning it off to
other crooks, or both,” explained Paul Ducklin, from the Naked Security blog by
cybersecurity firm Sophos. “It’s a bit like being kidnapped and blackmailed at
the same time: even if you have a way out of one crisis, such as a recent and
reliable backup to recover your own files, the crooks have a second hold over
you.”

Starting in late 2019, the criminals behind a ransomware
variant called Maze made headlines for adopting a “name and shame” tactic. Maze
attackers operate a public-facing website that publishes stolen data of victims
who do not pay. The practice adds credence to the threats from attackers;
heightens the prospect of widespread attention and reputation damage resulting
from the hack; and raises the specter of fines, lawsuits and regulatory
scrutiny resulting from the exposure of sensitive data. This has contributed to
more frequent ransom payments and higher sums demanded.

Other cybercriminal groups have adopted the tactic,
including the attackers behind the well-publicized REvil strain (also known as
Sodinokibi). These operations are more sophisticated and targeted than many
widespread ransomware attacks. The attackers will first gain access to the
victim enterprise’s network, seek out valuable data and exfiltrate it before
ultimately deploying the ransomware in a separate stage of the attack. In
addition to demanding a ransom for the decryption key, the hackers frequently
publish a small amount of the data to demonstrate what they have exfiltrated,
and then demand another payment to prevent further data from being released.
Some may also offer the data for sale on the dark web.

“This approach gives attackers several lucrative bites at
the cherry and ramps up pressure on the unfortunate victim,” said Greg Foss,
senior cybersecurity strategist at VMware Carbon Black. “First, and most
obvious, they can demand a ransom in return for unencrypting systems. Second,
if victims resist, the attacker threatens to publish the data they have stolen
as proof of the attack and to cause major reputation and regulatory damage, as
well as exposing trade secrets. Some groups even pitch their ransom demands
based on the likely fines that businesses would face if a breach becomes
public. Third, if the victim still resists paying the ransom, the stolen data
can still be sold on the dark web, offering another revenue stream.”

Given the reputation and regulatory implications, these
attacks have frequently targeted professional and financial services
enterprises like law firms and banks. Foss also noted that attackers are taking
more time “identifying lucrative targets—those with minimal tolerance for
downtime or a lot of valuable IP, such as manufacturers and research
companies.”

Attackers have also focused heavily on health care. As
Bangle noted, BlackBerry researchers found that health care organizations are
the most likely to pay ransoms, “due to the critical nature of the targeted
data.” Many cybercriminals are seizing the opportunity posed by the need to
maintain operations and the high value of medical records to potential buyers
on the black market. For example, University Hospital New Jersey paid a $670,000
ransom in September 2020 to attackers who threatened to publish stolen data,
including patient information. The Hospital Group, a U.K.-based cosmetic and
weight loss surgery chain, faced a ransomware attack in December 2020 in which
attackers obtained and threatened to leak patients’ before-and-after photos,
including those of celebrity clients.

Threat analysts and incident responders logged a notable
increase in double-extortion cases in 2020 and have tied the rise of “name and
shame” to a rise in ransom demands as well. Incident response firm Coveware
reported that ransomware demands increased by almost a third between the second
and third quarters of 2020, while cases in their data set including a threat to
publish stolen data rose to almost 50%.

Moving Forward

By the end of the following quarter, Q4 2020, Coveware reported that the rate
of ransomware attacks involving data exposure threats had risen to 70%, up 43%
from Q3. Yet the end of 2020 may also mark a turning point in data
exfiltration tactics. In Q3, 75% of enterprises facing this threat paid the
ransom, but that figure dropped to 60% in Q4.

The firm believes these attacks are resulting in fewer
payouts because “trust that stolen data will be deleted is eroding.” As
detailed in its newest quarterly ransomware report, “Coveware continues to
witness signs that stolen data is not deleted or purged after payment.
Moreover, we are seeing groups take measures to fabricate data exfiltration in
cases where it did not occur.”

The firm also believes the lower payout rate has led to a
reduction of payment sums from victims, noting the average payment decreased
34% to $154,108 and the median payment fell 55% to $49,450 from Q3 to Q4.

Yet incident responders caution there is another rising
problem. Ransomware still pays, and the number of hackers looking for payouts
remains high, especially as these malware strains are available on the dark web
under the ransomware-as-a-service (RaaS) model. While the technology and many
of the targeted deployments reflect a high level of sophistication, the RaaS
model broadens the range of hackers who can use it to include less experienced
actors who may use more destructive tactics—either intentionally or just
accidentally.

“In Q4, Coveware received multiple reports from victims that
entire clusters of servers and data shares had been permanently wiped out, with
no recourse for retrieving the data even with the purchase of the decryption
key,” the firm reported. “Ransomware actors are typically attentive when it
comes to deleting data, as they know victims are only incentivized to pay for a
tool if the data is still there, and merely encrypted. The uptick in haphazard
data destruction has led some victims to suffer significant data loss and
extended business interruption as they struggle to rebuild systems from
scratch. It remains unclear whether these events have been outliers or a
symptom of less-experienced bad actors handling the attack execution.”

For companies that face a double-extortion attack and
ultimately choose to pay a ransom, Coveware advises victims to expect:

  • The threat actor may not destroy the data.
    Victims should assume it might be traded, sold, misplaced, or held for a
    second/future extortion attempt.
  • Stolen data may have been held by multiple
    parties and not secured. Even if the threat actor deletes a volume of data
    following a payment, other parties that had access to it may have made copies
    to extort the victim later.
  • Before a victim can even respond to an extortion
    attempt, the data may be deliberately or mistakenly published anyway.
  • The threat actor may not deliver complete
    records of what they took, even if they explicitly promise to provide such
    artifacts after payment.
