Why Backups Are No Longer Key to a Full Ransomware Recovery
June 8th, 2021
What would your ransomware recovery look like? If the latest rash of infections has your organization nervous, it’s no wonder: some big names are appearing in the news cycle as ransomware victims.
It is widely known that running regular data backups, and then storing those backups offline, is critical to restoring operations should your business be locked down by ransomware. Unfortunately, IntSights is seeing a disturbing trend in dark web activity that moves away from the traditional model of “shut down a company and demand payment to restore operations.”
Going Beyond Encryption to "Double Extortion"
Today’s ransomware attacks can impact many critical areas: brand damage, lawsuit exposure, non-compliance and penalties, and loss of intellectual property. Attackers no longer have just one method of applying pressure on the victim. Attacks often combine encrypting systems with a threat to publish stolen data. This is “double extortion.”
In July 2019, the hacking group MAZE launched free-for-all dark web and clear web websites, on which they published pieces of stolen data originating from victims’ networks, servers, and endpoints. These data samples were meant to apply irresistible pressure on the targeted companies and extort them into paying the demanded ransom.
At the same time, RaaS (ransomware-as-a-service) was gaining popularity on the dark web. Carried on the wings of RaaS, and under the anonymity provided by cryptocurrency, more than 30 ransomware groups are now operating according to the same modus operandi of double extortion.
At first, ransomware groups’ leak sites were only a means of extortion. Victims who saw their data hanging by a thread, soon to be published, had exclusivity and the first right to buy their way out of the sticky situation. This comfortable setup lasted for only about a year, however, before cybercriminals decided to make their victims’ lives even more complicated.
Ransomware Recovery Halted by Data Leakage
Since the beginning of 2021, and with greater momentum in the past few months, IntSights has noticed ransomware groups operating in a multichannel mode, auctioning some of the full data leaks in different sections of their existing websites. This means that when a company is attacked with ransomware, it is not only working against the clock to get back on its feet operationally; it is also in danger of losing its data to an unknown entity, possibly without even knowing what data was compromised or who else now has access to it.
The latest evolution in the ransomware landscape concerns ransomware groups no longer encrypting networks. For companies with backup programs in place, that’s just not damaging enough. Now, hackers are going in for the kill by focusing their efforts on exploiting your data.
Perhaps the most concerning part of this trend is the breakdown of previously existing ethical barriers. In the past, hacking groups typically avoided attacking critical infrastructure and healthcare institutions, such as hospitals, because they were not willing to inflict a direct threat on human lives. In this new modus operandi, the gloves are off: cybercriminals are actively targeting medical, physical-infrastructure, and educational organizations, among others, while leaving their operations running. In some cases, the patients whose data was stolen are even being extorted directly. Victims “just” have to pay a hefty ransom, or their data will be published or sold to other ransomware groups, private buyers, or hostile countries.
Protect Your Data
There is a lot to consider when it comes to ransomware’s potential impacts on your organization. What is clear is that this threat is not going away; the ransomware threat is only growing and changing, and data leakage is quickly becoming one of the biggest business threats of our times.
In our new IntSights white paper, we discuss the history of ransomware, how its variations and use cases have grown over time, and the significant new data leakage threats that are already having an impact on organizations around the world. We also share insights into the associated threats that are just beyond the horizon, as well as practical steps for considering and countering these threats.
Yotam Katz is a knowledge expert in operational cyber intelligence. In his current role as Threat Intelligence Product Manager at Rapid7, Yotam is responsible for identifying new and significant trends and threats in the cybersecurity landscape, and adapting and developing the product accordingly. Previously he held the role of Intelligence Team Leader, leading short- and long-term research on global, sectoral, and regional cyber threat trends. Prior to Rapid7 and IntSights (now a Rapid7 company), Yotam served as a Lieutenant in the Intelligence Corps of the Israel Defense Forces, where he specialized in intelligence and cyber-intelligence gathering, and technological adaptation. In 2020, Yotam was presented with the Israel Defense Prize as a team leader. He was also awarded the “Life Source” award for cyber-operations in 2019, and two “Exceptional Officer” awards, one in 2018 and one in 2016.