The Dangers of Double and Triple Extortion in Ransomware


The 2023 ransomware attack at the University of Manchester didn’t stop once the threat actors had exfiltrated the personally identifiable information (PII) of faculty and staff, plus 250 GB of other data. When the university showed hesitation toward paying the ransom, the attackers turned to a tactic that is becoming increasingly popular among cybercriminals: triple extortion.

Because the hackers had exfiltrated data during the attack, they were able to contact students whose PII was compromised and threaten to release the data on the dark web unless the university paid. Contacting victims directly puts further pressure on the affected organization and damages its reputation in the process.

In a changing ransomware landscape, where law enforcement agencies are stepping up prosecution efforts and organizations are strengthening their cybersecurity measures, threat actors have had to get creative to find consistent success. That creativity has increasingly taken the form of double and triple extortion.

What Is Double Extortion?

Double extortion occurs when cybercriminals exfiltrate an organization’s data before encrypting it. Then, if the organization seems reluctant to pay the ransom (perhaps because it has a full off-site backup from which it can restore its systems), the attacker threatens to release the stolen data publicly on the dark web or sell it to another party, potentially exposing PII and the organization’s proprietary intellectual property.

Recently, threat actors have not only used double extortion to put pressure on ransomed organizations but have followed through on the threat, releasing data on leak sites they operate themselves. For example, during the MCNA Dental breach, the ransomware group responsible, LockBit, published all of the data on its own leak site before MCNA Dental paid the ransom. In 2023, ransomware groups frequently posted stolen data to leak sites, perhaps knowing that if the organization won’t pay, the data can still be used to launch attacks on other organizations.

What Is Triple Extortion?

Triple extortion occurs when the threat actors add another incentive to pay the ransom during the attack, or find a third way to extort funds from victims. The tactics involved include contacting individual victims whose data has been compromised (as in the University of Manchester breach), encrypting more of the organization’s environment, or threatening a secondary attack, such as a distributed denial-of-service (DDoS) attack.

Triple extortion complicates the attack itself while putting added pressure on the organization to pay or risk further downtime, reputational damage, possible regulatory issues, or other consequences.

Known ransomware groups are using this tactic with increasing frequency. For example, Arctic Wolf Labs investigated several instances of Royal and Akira contacting victims after the original attack and demanding a second payment, and in November 2023, ALPHV contacted the SEC to expose one of its victims that had never filed a disclosure.

The Value of Data Exfiltration in Ransomware

Cybersecurity and cybercrime are locked in a battle in which each side works to outmaneuver the other. As organizations have refused to pay ransom demands and used data backups to restore operations, removing the leverage threat actors would otherwise hold during an attack, ransomware groups and individual hackers have had to evolve. Backups do work: in 71% of 2023 Arctic Wolf® Incident Response engagements for ransomware, the victim organization was able to use backups in some capacity to restore its environment.

This is where data exfiltration has become an ace up the sleeve for threat actors. During the encryption process, while they still have access, these hackers have started to exfiltrate valuable information. They then threaten to release — or simply release — that data on the dark web.

Releasing exfiltrated data has multiple advantages for threat actors, many of which pressure organizations to pay current or future ransoms, including:

  • Damaging the organization’s reputation
  • Triggering regulatory investigations and fines, especially if PII is released
  • Pressuring the organization to pay to have the data deleted
  • Allowing other threat actors to use the data, particularly credentials, to launch secondary attacks on that organization or on others
  • Shaming the organization, since victims will know it did not protect their data

While the landscape is always changing, double extortion appears to be becoming a standard part of the ransomware attack process. Recently, two ransomware groups — GhostSec and Stormous — joined forces to launch a new ransomware-as-a-service (RaaS) model that includes data exfiltration, conducting joint attacks across industries and countries. Other ransomware groups have also launched their own leak sites. For example, LockBit, which is notorious for double extortion, had its leak site taken offline in February but was able to launch a new one in under a week.

However, just because this attack vector is evolving doesn’t mean organizations need to sit and wait to be next on a group’s attack list.

How to Protect Against Extortion in Ransomware Attacks

Ransomware isn’t going away anytime soon. It accounted for 48.6% of Arctic Wolf Incident Response engagements in 2023, and the median ransom seen in those engagements increased 20% to $600,000 USD in the same year. These stats make defense a critical objective for any organization, and there are myriad ways organizations can strengthen their security posture and take actionable steps against ransomware threats.

1. Conduct data backups. While exfiltration may still occur, having data backups will not only help your organization resume operations if an attack occurs, but can provide visibility to your incident response (IR) team regarding what data exists, its value, and the implications of a possible leak. This will help inform ransom negotiations and other IR actions. Organizations should understand what backups they’re responsible for if they use a hybrid or cloud-only environment and should remember to test their backups regularly.

2. Utilize 24×7 monitoring of your environment. Real-time information can be the difference between an attempted initial access and your data being leaked on the dark web. 24×7 monitoring alerts security teams to suspicious behavior, such as privileged access to certain data, and with a solution like managed detection and response (MDR), external partners can respond and shut down the threat before a breach occurs. In addition, many 24×7 monitoring solutions, like Arctic Wolf® Managed Detection and Response, include identity threat detection and response (ITDR) capabilities, which can be critical in preventing privileged access during an attack.

3. Employ identity and access management (IAM). From applying zero trust principles to implementing multi-factor authentication (MFA) to following privileged access management (PAM) best practices, protecting user identities can go a long way toward preventing both initial access and lateral movement during an attack. User action was the root cause of 24.4% of incidents in 2023, and in cases of external remote access (which accounted for 39% of 2023 incidents), the threat actor used valid credentials, highlighting the value of identity security.

4. Create a vulnerability management program. According to Arctic Wolf Labs, most ransomware attacks last year used external remote access or an external exploit to start the attack. By putting in place a consistent vulnerability management program that prioritizes regular remediation, organizations add to their defenses and prevent ransomware groups from gaining initial access. Another reason patching is so important: 25.6% of non-BEC incidents in 2023 exploited a known vulnerability, meaning a quarter of attacks could’ve been prevented with proper vulnerability management.
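As an added example that is not part of the original post or of any Arctic Wolf product, here is the kind of check a 24×7 monitoring team (step 2) might run over outbound flow telemetry to surface the bulk exfiltration that double extortion depends on before the data reaches a leak site. The flow records, host names, allowlisted destinations and thresholds are all constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import median

# Constructed outbound-flow records: (source host, destination, bytes sent in the window).
# Hosts, destinations and volumes are invented for this example, not real telemetry.
SAMPLE_FLOWS = [
    ("ws-finance-01", "mail.example.com", 1_200_000),
    ("ws-finance-01", "files.example.com", 3_500_000),
    ("ws-hr-07", "mail.example.com", 900_000),
    ("ws-hr-07", "cdn.example.net", 2_000_000),
    ("srv-file-02", "backup.example.com", 4_000_000),
    ("srv-file-02", "203.0.113.45", 250_000_000_000),  # ~250 GB to an unfamiliar external address
]

# Destinations the organisation already expects bulk traffic to (assumed allowlist).
KNOWN_DESTINATIONS = {"mail.example.com", "files.example.com", "backup.example.com"}


@dataclass
class Finding:
    host: str
    destination: str
    bytes_sent: int
    ratio_to_baseline: float


def outbound_by_host(flows):
    """Total bytes each host sent during the window."""
    totals = defaultdict(int)
    for host, _, nbytes in flows:
        totals[host] += nbytes
    return dict(totals)


def detect_bulk_exfiltration(flows, known_destinations, min_bytes=1_000_000_000, ratio=10.0):
    """Flag flows to non-allowlisted destinations that exceed both an absolute floor and a
    multiple of the median volume of the *other* hosts, so one compromised host cannot
    drag the baseline up and hide itself."""
    totals = outbound_by_host(flows)
    findings = []
    for host, dest, nbytes in flows:
        if dest in known_destinations or nbytes < min_bytes:
            continue
        others = [v for h, v in totals.items() if h != host]
        baseline = median(others) if others else 0
        observed_ratio = nbytes / baseline if baseline else float("inf")
        if observed_ratio >= ratio:
            findings.append(Finding(host, dest, nbytes, observed_ratio))
    return findings
```

With the constructed data, only the 250 GB transfer from srv-file-02 to the unknown address is flagged; the routine mail, file-share and backup traffic stays below the floor or is allowlisted.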

Learn more about how ransomware is evolving with the 2024 Arctic Wolf Labs Threats Report.


Sule Tatar

Sule Tatar is a Senior Product Marketing Manager at Arctic Wolf, where she does research on security trends and brings groundbreaking cybersecurity products and services to market. She has extensive experience in the B2B cybersecurity space and holds a bachelor's degree in computer engineering and an MBA.