Ransomware Is Getting Worse, and a New Name to Prove It: Multifaceted Extortion
Mike Campfield
May 19, 2021
Before Darth Vader, there was Anakin Skywalker; before Magneto, there was Max Eisenhardt; and before Gollum, there was Sméagol. As villains transform into the worst version of themselves, they take on a new name to match their new identity. The same thing is happening for ransomware.
Security firm FireEye Mandiant has released its annual M-Trends report, which details current threats and security trends drawn from investigations conducted between October 2019 and September 2020. In it, Mandiant notes an alarming rise in ransomware attacks that combine encryption with data exfiltration. Because exfiltration turns the attack into something beyond a simple ransom for encrypted data, Mandiant gave it a new name: multifaceted extortion.
Recent Examples of Multifaceted Extortion
Last week's Colonial Pipeline attack underscores Mandiant's warning. Krebs on Security reports that the attackers, identified as DarkSide, are known for their use of multiple extortion tactics. These tactics increase leverage even in cases where organizations might otherwise be prepared to use backups or rebuild systems from scratch.
With higher gas prices lingering after the pipeline shutdown, it's easy to forget that history was made just two months ago when the ransomware group REvil made the largest ransom demand to date at $50 million USD. The high demand is attributed to the use of multifaceted extortion.
We've seen similar multifaceted extortion attempts among our customers. In a recent blog post, we shared an example of an ExtraHop customer who stopped what appeared to be a two-pronged ransom attack after a ransomware detection fired in ExtraHop Reveal(x) 360. A data staging alert on the same device, combined with suspicious file reads, led the organization to conclude that encryption and exfiltration were two components of the same attack. They were able to stop it before significant damage was done.
Beyond the high-profile cases, multifaceted extortion has hit a wide swath of industries, from technology giants to urban police departments, all under the threat of having proprietary data, personal records and, in one brazen instance, the names of police informants published.
What Drives the New Trend
Awareness of ransomware ballooned four years ago when WannaCry spread rapidly around the globe by exploiting a vulnerability in the insecure SMBv1 protocol. In its aftermath, organizations scrambled to patch and to roll out broad security hygiene training. Meanwhile, more reliable data backups helped ensure that, should critical data be encrypted, business could carry on without paying up.
With these prevention and mitigation strategies in place, exfiltration and extortion are a logical workaround for cybercriminals who need leverage: restoring from backup brings systems back, but it does nothing about the copy of the data the attacker already holds. While the threat of releasing proprietary data is the best-known extortion tactic, Mandiant notes that attackers are using even more aggressive methods, including harassing employees and launching DDoS attacks.
Given the mitigations organizations have adopted since WannaCry, the shift from ransomware to multifaceted extortion matters. Headlines proclaiming that ransomware is on the rise don't convey the realities of today's attacks, a threat that is poised to trigger another swift shift in cyberdefense strategy.
Know Thy Enemy, Defeat Thy Enemy
As a response to the rising risk, President Biden recently issued the Executive Order on Improving the Nation's Cybersecurity. Among the initiatives outlined, it seeks to modernize government cybersecurity standards and speed up incident response.
While the initiative doesn't create mandates for private-sector organizations, it does encourage them to follow the government's lead by updating their security models to match today's adversaries.
To match our adversary, it helps to know who we're up against, and Mandiant offers a few clues. First, ransomware is indeed on the rise: it accounted for 25% of the incidents Mandiant investigated in 2020, up from 14% in 2019. The report also notes that the global median dwell time has fallen to under a month (24 days). That is consistent with the prevalence of ransomware, which typically moves from intrusion to impact quickly.
Mandiant also points out that, among intrusions where the initial entry point was confirmed, exploits (29%) overtook phishing (23%) as the top initial access vector for the first time. From this we can infer that, as spam filters and users get savvier, attackers are shifting toward exploiting internet-facing vulnerabilities to gain access.
Mandiant also notes that it is tracking 652 new threat groups out of more than 1,900 total, and that it observed 144 new malware families in 2020.
This is all to say that, while we may have an idea what our enemies are after, we can't always know their approach. While it seems daunting for those in the field of cybersecurity, avoiding cyber extortion is still a very attainable defense goal.
Let the Network Be Your Guide
If it's true that our adversaries are using unknown tactics, how did an ExtraHop customer detect and stop a multifaceted extortion attempt while others fell victim? It's all about the network.
Attackers have become highly adept at evading detection on the endpoint they first land on, but the lateral movement, staging and transfer that follow all cross the wire, and they can't hide from the network. By adding network detection and response (NDR) to your defense arsenal, you gain the ability to detect compromise early in the attack lifecycle, before major harm is done.
NDR can help you detect threats in your network with the help of machine learning. By establishing a baseline of normal network behavior for each device, behavior-based detectors let security teams spot malicious activity even when it doesn't match a known signature. That gives organizations an advantage even in the face of zero-day exploits, newly introduced malware, and evolving ransomware tactics.
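In miniature, the baseline-and-deviation logic described above, together with the staging-plus-exfiltration correlation from the customer example earlier in this post, looks like the following. This Python is an added example written for this post, not ExtraHop or Reveal(x) code: it baselines each host's bytes sent to the internet and its file reads from internal SMB shares over a training period, flags a window that deviates from that baseline by both a z-score and an absolute floor, and then correlates staging and exfiltration on the same device. The flow record layout, the internal address ranges, the thresholds, the host names and the traffic figures are all constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# Internal address space as this example defines it. ipaddress.is_private would also
# treat the RFC 5737 documentation ranges used below as private, so we check explicitly.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# (minimum z-score, absolute floor) per metric. Both values are illustrative assumptions;
# the floor stops a host whose baseline is near zero from alerting on trivial activity.
THRESHOLDS = {
    "exfil_bytes": (3.0, 50_000_000),  # 50 MB to external hosts in one window
    "staging_reads": (3.0, 500),       # 500 file reads from internal shares in one window
}


@dataclass(frozen=True)
class Flow:
    """One summarised connection (constructed record layout, not Reveal(x) output)."""
    window: int     # observation window index; the sample uses one window per day
    host: str       # internal source host
    dst: str        # destination IP address
    bytes_out: int  # bytes the host sent to dst
    smb_reads: int  # files the host read over SMB on this connection (0 if not SMB)


def is_external(ip: str) -> bool:
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def per_window_totals(flows):
    """Roll flows up to (host, window) -> metric totals. Bytes count only toward external
    destinations, SMB reads only toward internal ones: staging pulls, exfiltration pushes."""
    totals = defaultdict(lambda: {"exfil_bytes": 0, "staging_reads": 0})
    for f in flows:
        if is_external(f.dst):
            totals[(f.host, f.window)]["exfil_bytes"] += f.bytes_out
        else:
            totals[(f.host, f.window)]["staging_reads"] += f.smb_reads
    return totals


def build_baseline(flows, training_windows):
    """Per host and metric: (mean, population stdev) over the training windows."""
    totals = per_window_totals(f for f in flows if f.window in training_windows)
    series = defaultdict(lambda: defaultdict(list))
    for (host, _), metrics in totals.items():
        for name, value in metrics.items():
            series[host][name].append(value)
    baseline = {}
    for host, metrics in series.items():
        baseline[host] = {}
        for name, values in metrics.items():
            # windows in which the host sent nothing count as zero, not as missing
            values = values + [0] * (len(training_windows) - len(values))
            baseline[host][name] = (mean(values), pstdev(values))
    return baseline


def detect(flows, baseline, window):
    """Return {host: [metric names that deviated]} for one observation window."""
    alerts = defaultdict(list)
    totals = per_window_totals(f for f in flows if f.window == window)
    for (host, _), metrics in totals.items():
        for name, value in metrics.items():
            min_z, floor = THRESHOLDS[name]
            mu, sigma = baseline.get(host, {}).get(name, (0.0, 0.0))
            # a flat baseline has sigma 0; clamp it so z stays finite and not absurdly large
            z = (value - mu) / max(sigma, 0.1 * floor)
            if value >= floor and z >= min_z:
                alerts[host].append(name)
    return dict(alerts)


def correlate(alerts):
    """Staging and exfiltration on the same device: the two-pronged pattern in the post."""
    return sorted(h for h, n in alerts.items() if {"exfil_bytes", "staging_reads"} <= set(n))


# Constructed sample: seven training days of routine traffic, then day 7 under attack.
# RFC 5737 documentation addresses stand in for internet hosts.
SAMPLE_FLOWS = []
for day in range(7):
    SAMPLE_FLOWS += [
        Flow(day, "ws-017", "203.0.113.10", 2_000_000 + 100_000 * day, 0),  # web browsing
        Flow(day, "ws-017", "10.0.0.5", 0, 30 + day % 3),                   # routine share use
        Flow(day, "db-03", "10.0.0.5", 0, 20),
        Flow(day, "db-03", "203.0.113.10", 400_000, 0),
        Flow(day, "bk-01", "198.51.100.20", 800_000_000 + 10_000_000 * (day % 2), 0),  # offsite backup
    ]
SAMPLE_FLOWS += [
    Flow(7, "ws-017", "203.0.113.10", 2_300_000, 0),
    Flow(7, "ws-017", "10.0.0.5", 0, 31),
    Flow(7, "db-03", "10.0.0.5", 0, 4_000),             # staging: bulk reads from the file server
    Flow(7, "db-03", "198.51.100.77", 900_000_000, 0),  # exfiltration: 900 MB to a new external host
    Flow(7, "bk-01", "198.51.100.20", 815_000_000, 0),  # large, but normal for this host
]


def run_sample(training_windows=range(7), window=7):
    """Baseline on the training windows, score one window, correlate; returns (alerts, hosts)."""
    baseline = build_baseline(SAMPLE_FLOWS, training_windows)
    alerts = detect(SAMPLE_FLOWS, baseline, window)
    return alerts, correlate(alerts)
```

Running `run_sample()` flags only `db-03`, for both metrics, and reports it as the one multifaceted extortion candidate. The backup server `bk-01` moves far more data offsite than the floor, but because that is its baseline it is not flagged, which is the point of baselining rather than thresholding alone; the workstation `ws-017` stays under both floors. A real NDR product works from wire data at far finer granularity than daily totals, but the shape of the decision (per-device baseline, deviation score, cross-detector correlation on one host) is the same.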
For the specific threat of multifaceted extortion, you can see how an ExtraHop customer was able to stop this attack. ExtraHop Reveal(x) network detection and response uses network data to alert users to suspicious activity consistent with attempted exfiltration. To see how it works, check out the database staging, data exfiltration, and ransomware activity detectors in a full-scale version of Reveal(x) in our demo.